Name: Azure Devops
Author: yldgio

Azure DevOps Pipelines Code Review Rules

Use service connections with minimal permissions
Store secrets in Variable Groups linked to Key Vault
Use secure files for certificates/keys
Enable branch policies for protected branches
Require approvals for production environments
Scan pipeline YAML for hardcoded secrets/credentials
Review inline scripts for command injection, unsafe variable expansion, and commonly exploited patterns
Consider using static analysis tools for script security
Avoid echoing secrets in script output
Use credential scanning tools in PR validation
Validate compile-time template expressions (${{ }}) to prevent injection during pipeline parsing; avoid direct user input in template expansion
Sanitize runtime variables ($()) before using in scripts to prevent command injection; never interpolate untrusted data into script commands

Use service connections with minimal permissions
Store secrets in Variable Groups linked to Key Vault
Use secure files for certificates/keys
Enable branch policies for protected branches
Require approvals for production environments
Scan pipeline YAML for hardcoded secrets/credentials
Review inline scripts for command injection, unsafe variable expansion, and commonly exploited patterns
Consider using static analysis tools for script security
Avoid echoing secrets in script output
Use credential scanning tools in PR validation
Validate compile-time template expressions (${{ }}) to prevent injection during pipeline parsing; avoid direct user input in template expansion
Sanitize runtime variables ($()) before using in scripts to prevent command injection; never interpolate untrusted data into script commands

Azure Devops