…aester into feature/azdo
| 3. Select Policies, locate the Request Access policy and toggle it to off. | ||
| 4. Provide the URL to your internal process for gaining access. Users see this URL in the error report when they try to access the organization or a project within the organization that they don't have permission to access. | ||
|
|
||
| **Results:** |
Shouldn't the detailed 401 go to users in the organization and the 404 go to users not in the organization?
I do agree!
Seems the experience has changed since;
I'll update the article with the new information.
powershell/public/maester/azdo/Test-AzdoAllowRequestAccessToken.md
powershell/public/maester/azdo/Test-AzdoAllowTeamAdminsInvitationsAccessToken.md
powershell/public/maester/azdo/Test-AzdoAllowTeamAdminsInvitationsAccessToken.md
Pull request overview
This pull request adds 31 Azure DevOps security tests to the Maester project, providing comprehensive security assessments for Azure DevOps organizations. Each test includes both PowerShell implementation and markdown documentation describing the security rationale and remediation steps.
Changes:
- Added 31 new Azure DevOps security test functions covering authentication, access control, pipeline security, and resource management
- Created comprehensive markdown documentation for each test with remediation guidance
- Updated the module manifest to export all new test functions
- Added a test runner file that orchestrates all Azure DevOps security tests
Reviewed changes
Copilot reviewed 65 out of 65 changed files in this pull request and generated 28 comments.
| File | Description |
|---|---|
| tests/Maester/Azdo/Test-Azdo.Tests.ps1 | Test runner that executes all 31 Azure DevOps security tests |
| tests/Maester/Azdo/README.md | Overview documentation for Azure DevOps tests |
| powershell/public/maester/azdo/*.ps1 | 31 PowerShell functions implementing security checks |
| powershell/public/maester/azdo/*.md | 31 markdown documentation files with rationale and remediation steps |
| powershell/Maester.psd1 | Module manifest updated to export new functions |
...ll/public/maester/azdo/Test-AzdoOrganizationLimitJobAuthorizationScopeNonReleasePipeline.ps1
powershell/public/maester/azdo/Test-AzdoOrganizationStageChooser.md
Corrected typos and formatting in the documentation.
Removed unnecessary commas and spaces. Added line breaks for MD linting.
Corrected grammatical errors and added punctuation for clarity.
Updated description to clarify the function's purpose and improve readability.
Corrected grammatical errors and improved clarity in remediation instructions.
Clarified the purpose of the Azure DevOps tests and updated the reference link.
…thorizationScopeNonReleasePipeline.ps1 Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
powershell/public/maester/azuredevops/Test-AzdoFeedbackCollection.ps1
powershell/public/maester/azuredevops/Test-AzdoLogAuditEvent.ps1
...c/maester/azuredevops/Test-AzdoOrganizationAutomaticEnrollmentAdvancedSecurityNewProject.ps1
powershell/public/maester/azuredevops/Test-AzdoOrganizationBadgesArePrivate.ps1
powershell/public/maester/azuredevops/Test-AzdoOrganizationCreationClassicBuildPipeline.ps1
powershell/public/maester/azuredevops/Test-AzdoPublicProject.ps1
powershell/public/maester/azuredevops/Test-AzdoResourceUsageProject.ps1
powershell/public/maester/azuredevops/Test-AzdoResourceUsageWorkItemTag.ps1
powershell/public/maester/azuredevops/Test-AzdoSSHAuthentication.ps1
powershell/public/maester/azuredevops/Test-AzdoThirdPartyAccessViaOauth.ps1
Sorry for all of the comments! This is awesome work!
Thank you @merill, I'll add the docs and a blog post to showcase / outline the new tests!
Pull request overview
Copilot reviewed 68 out of 68 changed files in this pull request and generated 12 comments.
| if ($Member.subjectKind -eq 'group') { | ||
| Write-Verbose "Finding members in group '$($Member.DisplayName)' - Descriptor '$($_.Descriptor)'" | ||
| Get-ADOPSMembership -Descriptor $Member.descriptor -Direction 'down' | Foreach-object { | ||
| Write-Verbose "Processing member '$($_.DisplayName)' - Descriptor '$($_.Descriptor)'" |
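Review bot: In the first Write-Verbose line, `$($_.Descriptor)` sits outside any pipeline scriptblock, so `$_` is unset there and the descriptor logs empty; `$Member.Descriptor` matches the `$Member.DisplayName` beside it and the `$Member.descriptor` handed to Get-ADOPSMembership on the next line. While here, align casing to `ForEach-Object` and `.Descriptor` so the four lines read consistently.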
Inside Get-NestedAdoMembership, the first Write-Verbose message references $($_.Descriptor) even though $_ isn’t set in that scope; this will log an empty/incorrect descriptor. Use $Member.Descriptor there to match the rest of the function.
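To show the scoping point in working code, here is an added example (not Maester's or the ADOPS module's code): a walker over nested group membership that refers to the outer object only as $Member and to the pipeline item only as $_. The membership data, the Get-NestedMembershipExample name and the $LookupMembers scriptblock that stands in for Get-ADOPSMembership -Direction 'down' are all constructed for the example; the visited set is an added guard against cyclic nesting that the original snippet does not show.

```powershell
# Added example, not Maester's code. Sample data constructed for the demo:
# descriptor -> direct members. 'vssgp.proj-admins' nests 'vssgp.org-admins'
# again so the cycle guard has something to catch.
$SampleGraph = @{
    'vssgp.org-admins'  = @(
        [pscustomobject]@{ DisplayName = 'Project Admins'; Descriptor = 'vssgp.proj-admins'; SubjectKind = 'group' }
        [pscustomobject]@{ DisplayName = 'alice';          Descriptor = 'aad.alice';          SubjectKind = 'user' }
    )
    'vssgp.proj-admins' = @(
        [pscustomobject]@{ DisplayName = 'bob';            Descriptor = 'aad.bob';            SubjectKind = 'user' }
        [pscustomobject]@{ DisplayName = 'Org Admins';     Descriptor = 'vssgp.org-admins';   SubjectKind = 'group' }
    )
}

function Get-NestedMembershipExample {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] $Member,
        # Stand-in for Get-ADOPSMembership -Descriptor ... -Direction 'down' (assumption, not the real cmdlet).
        [scriptblock] $LookupMembers = { param($Descriptor) $SampleGraph[$Descriptor] },
        # Shared across the recursion so a group expanded once is not expanded again.
        [System.Collections.Generic.HashSet[string]] $Visited = [System.Collections.Generic.HashSet[string]]::new()
    )

    if ($Member.SubjectKind -ne 'group') {
        return $Member            # leaf: a user (or service principal)
    }
    if (-not $Visited.Add($Member.Descriptor)) {
        Write-Verbose "Skipping '$($Member.DisplayName)' - already expanded (cyclic nesting)"
        return
    }

    # No pipeline here, so $_ is not set: the outer object is $Member.
    Write-Verbose "Finding members in group '$($Member.DisplayName)' - Descriptor '$($Member.Descriptor)'"
    & $LookupMembers $Member.Descriptor | ForEach-Object {
        # Inside the ForEach-Object block $_ is the current child.
        Write-Verbose "Processing member '$($_.DisplayName)' - Descriptor '$($_.Descriptor)'"
        Get-NestedMembershipExample -Member $_ -LookupMembers $LookupMembers -Visited $Visited
    }
}

# Usage: expand the constructed root group and list the leaf members reached.
$root = [pscustomobject]@{ DisplayName = 'Org Admins'; Descriptor = 'vssgp.org-admins'; SubjectKind = 'group' }
Get-NestedMembershipExample -Member $root -Verbose |
    Select-Object DisplayName, Descriptor
```

Running it with -Verbose shows the "Finding members" line carrying the parent's descriptor (from $Member) and the "Processing member" line carrying each child's (from $_); the second visit to 'Org Admins' is skipped instead of recursing forever.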
powershell/public/maester/azuredevops/Test-AzdoOrganizationTaskRestrictionsDisableNode6Task.ps1
| Checks the status of when you sign in to the web portal of a Microsoft Entra ID-backed organization, | ||
| Microsoft Entra ID always performs validation for any Conditional Access Policies (CAPs) set by tenant administrators. | ||
|
|
||
| https://learn.microsoft.com/en-us/azure/devops/organizations/audit/auditing-streaming?view=azure-devops |
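Review bot: The synopsis on the first two lines is not a sentence ("Checks the status of when you sign in to the web portal ..."); reword it to state what is verified, for example "Checks whether Microsoft Entra ID Conditional Access Policies (CAPs) set by tenant administrators are enforced when users sign in to the web portal of a Microsoft Entra ID-backed organization." The reference link on the last line should likewise point at the Conditional Access documentation rather than audit streaming.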
The comment header link in the description points to audit streaming (.../audit/auditing-streaming...) which doesn’t match this test’s purpose (Conditional Access enforcement). Updating it to the Conditional Access policy documentation would avoid confusing users reading the help.
| https://learn.microsoft.com/en-us/azure/devops/organizations/audit/auditing-streaming?view=azure-devops | |
| https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/manage-conditional-access?view=azure-devops&tabs=preview-page |
| $data = @' | ||
| Prevent pipelines from making secrets available to fork builds is set to '{0}'\ | ||
| Prevent pipelines from making fork builds have the same permissions as regular builds is set to '{1}'\ | ||
| Require a team member's comment before building a pull request is set to '{2}' ({3}) | ||
| '@ -f $settings.enforceNoAccessToSecretsFromForks, $settings.enforceJobAuthScopeForForks, $settings.isCommentRequiredForPullRequest, $AdditionalInfo |
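Review bot: Apart from the literal trailing `\` characters, `'{2}' ({3})` renders as `'<value>' ()` whenever `$AdditionalInfo` is empty; append the parenthesised detail only when it is non-empty, or fold the parentheses into `$AdditionalInfo` itself. Also keep the closing `'@` at column 1 when reflowing the here-string, otherwise the literal will not terminate.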
The here-string includes trailing backslashes at the end of lines, which will be emitted literally in the result output (they don’t act as line continuations inside a here-string). If the intent is multiline formatting, remove the trailing \ characters and rely on the here-string newlines (or build the string with explicit newlines).
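As an added example (not Maester's code), the same message built two ways: the here-string with trailing backslashes, which leaves them in the output, next to a version that relies on the here-string's own newlines and appends the optional detail only when it is non-empty. $settings and its property names mirror the snippet above but hold constructed values; the two function names are assumptions.

```powershell
# Added example, not Maester's code. Constructed stand-in for the settings object the test reads.
$settings = [pscustomobject]@{
    enforceNoAccessToSecretsFromForks = $true
    enforceJobAuthScopeForForks       = $true
    isCommentRequiredForPullRequest   = $false
}

function Format-ForkSettingsBroken {
    param($Settings, [string] $AdditionalInfo)
    # A trailing '\' is not a continuation character inside a here-string;
    # it is emitted literally at the end of each line.
    @'
Prevent pipelines from making secrets available to fork builds is set to '{0}'\
Prevent pipelines from making fork builds have the same permissions as regular builds is set to '{1}'\
Require a team member's comment before building a pull request is set to '{2}' ({3})
'@ -f $Settings.enforceNoAccessToSecretsFromForks, $Settings.enforceJobAuthScopeForForks, $Settings.isCommentRequiredForPullRequest, $AdditionalInfo
}

function Format-ForkSettings {
    param($Settings, [string] $AdditionalInfo)
    # The here-string's own line breaks provide the newlines. A single-quoted
    # here-string does not expand variables, so the {n} placeholders survive for -f.
    $text = @'
Prevent pipelines from making secrets available to fork builds is set to '{0}'
Prevent pipelines from making fork builds have the same permissions as regular builds is set to '{1}'
Require a team member's comment before building a pull request is set to '{2}'
'@ -f $Settings.enforceNoAccessToSecretsFromForks, $Settings.enforceJobAuthScopeForForks, $Settings.isCommentRequiredForPullRequest
    # Append the optional detail only when there is something to show,
    # so the message never ends in an empty '()'.
    if (-not [string]::IsNullOrWhiteSpace($AdditionalInfo)) {
        $text += " ($AdditionalInfo)"
    }
    return $text
}

# Usage: bracket each line so stray backslashes and empty parentheses are visible.
'--- broken ---'
(Format-ForkSettingsBroken -Settings $settings -AdditionalInfo '') -split '\r?\n' | ForEach-Object { "[$_]" }
'--- fixed ---'
(Format-ForkSettings -Settings $settings -AdditionalInfo 'comment gate disabled for forks') -split '\r?\n' | ForEach-Object { "[$_]" }
```

The broken variant prints each of the first two lines ending in `\` and the third ending in ` ()`; the fixed variant prints clean lines and only adds the parenthesised detail when one was supplied.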
powershell/public/maester/azuredevops/Test-AzdoAllowRequestAccessToken.ps1
powershell/public/maester/azuredevops/Test-AzdoThirdPartyAccessViaOauth.ps1
powershell/public/maester/azuredevops/Test-AzdoSSHAuthentication.ps1
powershell/public/maester/azuredevops/Test-AzdoExternalGuestAccess.ps1
@copilot open a new pull request to apply changes based on the comments in this thread
Description
Fixes #1368
Adding 31 Azure DevOps security tests.
Each of the tests is added to the new folder azdo in maester\public\maester
All of the tests have a markdown file, with:
Contribution Checklist
Before submitting this PR, please confirm you have completed the following:
/powershell/tests/pester.ps1 on your local system.