Auditing an Azure DevOps project configuration with PSRule

Roderick Bant
3 min read · Sep 22, 2023


Secure software development needs a secure development environment, and that includes the secure setup and configuration of your DevOps tooling. For Azure DevOps, a PowerShell module has recently been released that helps with securing your Azure DevOps project environment. The module, PSRule.Rules.AzureDevOps, is a rules module for PSRule, the tool for building test and governance controls for infrastructure as code that has already proved its worth in the secure development of ARM and Bicep templates. This guide walks through the steps to audit your Azure DevOps project from a PowerShell terminal; the same steps can easily be integrated into an Azure DevOps pipeline to run automatically on a schedule.

Installation

The PSRule.Rules.AzureDevOps module needs the base PSRule module by Microsoft's Bernie White installed first. To install PSRule, open a PowerShell terminal and use Install-Module to install the module from the PowerShell Gallery.

Install-Module -Name PSRule -Scope CurrentUser -Force

Now that we have the base module installed we can install the rules module containing the commands to export the Azure DevOps project configuration and the auditing rules. Again, the module is installed from the PowerShell Gallery using Install-Module.

Install-Module -Name PSRule.Rules.AzureDevOps -Scope CurrentUser -Force

Exporting the Azure DevOps project configuration

The next step is to export the configuration data from Azure DevOps so PSRule can run the analysis. To make an export you need an Azure DevOps Personal Access Token (PAT) that can read the project's configuration. See https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=Windows#create-a-pat for details on how to create your PAT. The export only reads configuration, so prefer a PAT with read-only scopes over one with full access where the module's documented scopes allow it, give it a short expiry, and treat it as a secret: do not commit it, and do not leave it in your shell history. You also need the name of your Azure DevOps organization and project.

Once we have the PAT we can go back to the PowerShell terminal to import the module, connect to Azure DevOps and export the configuration. Make sure the `-OutputPath` folder exists before attempting the export.

Import-Module PSRule.Rules.AzureDevOps
Connect-AzDevOps -Organization "<<YOUR_ORGANIZATION>>" -PAT "<<YOUR_PAT>>"
Export-AzDevOpsRuleData `
-Project "MyProject" `
-OutputPath "C:\Temp\MyProject"

After a successful export you will find a set of `.json` files in the export folder. These files contain the various objects retrieved through the Azure DevOps REST API: the project's Variable Groups, Service Connections, Pipelines, Environments, Releases and Repositories, plus the branch policies for the default branches. Because the export describes your service connections and variable groups, treat the folder as sensitive and do not share it more widely than the audit needs.

Running the PSRule analysis

Now that we have an export of our Azure DevOps project’s configuration, we can run the PSRule analysis. To run PSRule with the PSRule.Rules.AzureDevOps module as ruleset, use the following command:

Assert-PSRule `
-InputPath "C:\Temp\MyProject\" `
-Module PSRule.Rules.AzureDevOps

PSRule will run the analysis and return output similar to the screenshot below:

(Screenshot: PSRule.Rules.AzureDevOps version 0.0.9 run output)

The output lists which rules passed and which configuration items failed. Each failure states the reason and a recommendation on how to resolve it, and includes a link to the rule's online help, which in turn links to the relevant reference material in the Microsoft documentation. The same help text is also available locally from the module through PSRule's built-in `Get-PSRuleHelp` command, which takes the rule name as a parameter and looks up the help for that rule.

For example, if we want details on the failing Azure.DevOps.ServiceConnections.Scope rule in the screenshot above, the command would be:

Get-PSRuleHelp -Module PSRule.Rules.AzureDevOps -Full `
-Name Azure.DevOps.ServiceConnections.Scope `
-Culture en

(Screenshot: Get-PSRuleHelp output)
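The steps above can be run on a schedule from an Azure DevOps pipeline. The following pipeline definition is an added example written for this page; it is not code from the original post or from the PSRule.Rules.AzureDevOps project. It assumes a variable group named `psrule-audit` that holds a secret variable `AZDO_PAT` (a read-scoped PAT) and a plain variable `AZDO_ORG` with the organization name; the project name `MyProject`, the install, connect, export and assert commands are the ones used in the walkthrough.

```yaml
# Added example, not from the original post or the PSRule.Rules.AzureDevOps project.
# Assumed names: variable group 'psrule-audit' holding the secret variable AZDO_PAT
# (a read-scoped PAT) and the plain variable AZDO_ORG (organization name);
# project 'MyProject' as in the walkthrough.
trigger: none                     # no CI trigger; this pipeline runs on the schedule only

schedules:
  - cron: '0 3 * * 1'             # every Monday at 03:00 UTC
    displayName: Weekly Azure DevOps configuration audit
    branches:
      include:
        - main
    always: true                  # run even when the repository has not changed

pool:
  vmImage: ubuntu-latest          # PSRule runs on PowerShell 7, so a Linux agent is fine

variables:
  - group: psrule-audit           # assumed: contains AZDO_PAT (secret) and AZDO_ORG
  - name: auditProject
    value: MyProject
  - name: exportPath
    value: $(Pipeline.Workspace)/azdo-export

steps:
  - pwsh: |
      Install-Module -Name PSRule -Scope CurrentUser -Force
      Install-Module -Name PSRule.Rules.AzureDevOps -Scope CurrentUser -Force
    displayName: Install PSRule and the Azure DevOps rules module

  - pwsh: |
      Import-Module PSRule.Rules.AzureDevOps
      # Export-AzDevOpsRuleData expects the output folder to exist
      New-Item -ItemType Directory -Path '$(exportPath)' -Force | Out-Null
      # The PAT is read from the environment mapped below, so it never appears in the command line
      Connect-AzDevOps -Organization $env:AZDO_ORG -PAT $env:AZDO_PAT
      Export-AzDevOpsRuleData -Project '$(auditProject)' -OutputPath '$(exportPath)'
    displayName: Export the project configuration
    env:
      AZDO_PAT: $(AZDO_PAT)       # secret variables must be mapped into the environment explicitly
      AZDO_ORG: $(AZDO_ORG)

  - pwsh: |
      # NUnit3 output lets the pipeline publish the per-rule results; any failing rule fails this step
      Assert-PSRule -InputPath '$(exportPath)' -Module PSRule.Rules.AzureDevOps `
        -OutputFormat NUnit3 -OutputPath '$(Build.ArtifactStagingDirectory)/psrule-results.xml'
    displayName: Run the PSRule audit

  - task: PublishTestResults@2
    displayName: Publish audit results
    condition: succeededOrFailed() # upload the report even when the audit found failures
    inputs:
      testResultsFormat: NUnit
      testResultsFiles: $(Build.ArtifactStagingDirectory)/psrule-results.xml
      testRunTitle: PSRule Azure DevOps audit
```

Two design points: the PAT is kept as a secret pipeline variable and mapped into the environment of the one step that needs it, rather than being pasted into a script, and only the NUnit report is published, not the export folder, because the exported JSON describes your service connections and variable groups. With `always: true` the audit runs on schedule even if nothing in the repository changed, which is the behaviour you want for a configuration check.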

The module is still in early development but already produces useful results for assessing the basic security posture of your Azure DevOps project. Any tips, ideas or other contributions you would like to share are very welcome through the project's issue tracker on GitHub.
