Azure Pipelines configuration scanning
Checkov supports the evaluation of policies on your Azure Pipelines files. When using checkov to scan a directory that contains Azure Pipelines templates it will validate if the file is compliant with Azure Pipelines best practices such as usage of digest for container image version and more.
Full list of Azure Pipelines policies checks can be found here.
Example misconfigured Azure Pipelines template
trigger:
- master
resources:
repositories:
- repository: AzureDevOps
type: git
endpoint: AzureDevOps
name: AzureDevOps/AzureDevOps
jobs:
- job: RunInContainer
pool:
vmImage: 'ubuntu-18.04'
container: ubuntu:20.04
steps:
- script: printenv
Running in CLI
checkov -d . --framework azure_pipelines
Example output
_ _
___| |__ ___ ___| | _______ __
/ __| '_ \ / _ \/ __| |/ / _ \ \ / /
| (__| | | | __/ (__| < (_) \ V /
\___|_| |_|\___|\___|_|\_\___/ \_/
By bridgecrew.io | version: 2.1.236
azure_pipelines scan results:
Passed checks: 1, Failed checks: 1, Skipped checks: 0
Check: CKV_AZUREPIPELINES_1: "Ensure container job uses a non latest version tag"
PASSED for resource: /azure-pipelines.yml.jobs.jobs.CKV_AZUREPIPELINES_1[12:20]
File: /azure-pipelines.yml:12-21
Check: CKV_AZUREPIPELINES_2: "Ensure container job uses a version digest"
FAILED for resource: /azure-pipelines.yml.jobs.jobs.CKV_AZUREPIPELINES_2[12:20]
File: /azure-pipelines.yml:12-21
12 | - job: RunInContainer
13 | pool:
14 | vmImage: 'ubuntu-18.04'
15 |
16 | container: ubuntu:20.04
17 |
18 | steps:
19 | - script: printenv