I'm working with Azure DevOps, and I'm curious about how to enforce certain steps across all of our organization's build pipelines. For example, I'd like to ensure that a CVE scan is run for every build. Is there a way to implement a policy as code that sets these rules uniformly for all pipelines? I'm interested in hearing methods or best practices that can apply not just to Azure DevOps but potentially to other platforms too.
5 Answers
In Azure DevOps, you can create a mandatory step by developing your own ADO extension and publishing it to your organization. This feature, known as a pipeline decorator, allows you to enforce rules that cannot be disabled by the teams. It's a bit more complex than using templates but very effective! Check it out more [here](https://learn.microsoft.com/en-us/azure/devops/extend/develop/add-pipeline-decorator?view=azure-devops).
I also advocate for a 'safe by design' approach. For instance, using vulnerability-free base images from the start can greatly reduce the need for additional checks later on. We utilize a service called Echo (EchoHQ.com) to streamline this process, making it more efficient for our teams.
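As an added illustration of the pipeline-decorator approach (this is example code, not from the answer above or from Microsoft's samples): an extension manifest that contributes a decorator, and the decorator template it points to. The publisher name `contoso`, the extension id, the file name `cve-scan-decorator.yml`, and the choice of Trivy as the scanner are assumptions; the contribution type `ms.azure-pipelines.pipeline-decorator` and the `post-job-tasks` target are the real decorator hooks. Because the step is injected by the organization-installed extension rather than written in the team's YAML, a team cannot edit it out of their pipeline.

```yaml
# --- vss-extension.json (JSON is valid YAML; shown as the first document) ---
# Packaged with `tfx extension create` and published privately to the org
# (assumed publisher "contoso"; the id and name are placeholders).
{
  "manifestVersion": 1,
  "id": "mandatory-cve-scan",
  "name": "Mandatory CVE scan",
  "version": "1.0.0",
  "publisher": "contoso",
  "public": false,
  "targets": [ { "id": "Microsoft.VisualStudio.Services" } ],
  "contributions": [
    {
      "id": "cve-scan-post-job",
      "type": "ms.azure-pipelines.pipeline-decorator",
      "targets": [ "ms.azure-pipelines-agent-job.post-job-tasks" ],
      "properties": { "template": "cve-scan-decorator.yml" }
    }
  ],
  "files": [
    { "path": "cve-scan-decorator.yml", "addressable": true, "contentType": "text/plain" }
  ]
}
---
# --- cve-scan-decorator.yml: injected at the end of every job in the org ---
steps:
# Only scan jobs that actually produced something in the working directory:
# jobs without a checkout (e.g. pure deployment jobs) have nothing to scan.
- ${{ if ne(resources.repositories['self'].ref, '') }}:
  - script: |
      set -eu
      # Assumed scanner; any CVE scanner with a non-zero exit on findings works.
      trivy fs --exit-code 1 --severity HIGH,CRITICAL --no-progress "$BUILD_SOURCESDIRECTORY"
    displayName: 'Mandatory CVE scan (injected by org decorator)'
    # No variable-driven opt-out is offered on purpose: the point of a
    # decorator is that teams cannot switch the step off.
```

A caveat worth stating: the decorator runs with the job's agent and checkout, so the scan tool must be available on every agent image (pre-install it, or have the step download a pinned version). Also, decorators apply to all pipelines in the organization once the extension is installed, including classic pipelines, so test on a staging organization first.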
One effective way to manage this is by using templated pipelines. Instead of teams creating their own pipelines, they can reference a predefined template that includes all required steps. This way, only the templated pipeline is allowed to deploy to production. It keeps everything consistent across the board!
Additionally, combining pipeline templates with Branch Protection can achieve your goal. You can set up status checks to ensure that certain criteria are met before any merges happen. Learn more about this in the [Branch Policies Documentation](https://learn.microsoft.com/en-us/azure/devops/repos/git/branch-policies?view=azure-devops&tabs=browser).
Another approach is to use Policy as Code tools like Open Policy Agent (OPA). These tools can help enforce compliance across your pipelines and integrate well with Azure DevOps. They allow you to check for necessary rules, such as CVE scans, before any builds can proceed, providing another layer of governance alongside your templated pipelines.
But how do you ensure that teams are actually using those template pipelines?
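To make the templated-pipeline answer concrete, and to answer the follow-up question of how you know teams actually use the template, here is an added example (not code from any of the posts above): an `extends` template that re-emits the team's build steps and always appends the CVE scan, and a consumer pipeline that extends it. The project/repository name `Platform/pipeline-templates`, the tag `v1`, the file name `secure-build.yml`, and the scanner invocation are assumptions. The enforcement piece is the "Required template" check Azure DevOps offers on environments, service connections and agent pools: when that check is configured on the production environment, a run that does not extend exactly this template (same repository, ref and path) is refused access to the environment, regardless of what else the team wrote.

```yaml
# --- secure-build.yml in repo Platform/pipeline-templates (assumed location) ---
# Teams never define jobs directly; they hand their steps in as a stepList
# parameter and this template decides what runs around them.
parameters:
- name: buildSteps
  type: stepList
  default: []
- name: vmImage
  type: string
  default: ubuntu-latest

stages:
- stage: build
  jobs:
  - job: build
    pool:
      vmImage: ${{ parameters.vmImage }}
    steps:
    - checkout: self
    # Re-emit each step the team supplied, unchanged.
    - ${{ each step in parameters.buildSteps }}:
      - ${{ step }}
    # The scan is appended by the template, so it runs after every team's build
    # and cannot be removed from the consuming pipeline.
    - script: |
        set -eu
        trivy fs --exit-code 1 --severity HIGH,CRITICAL --no-progress "$BUILD_SOURCESDIRECTORY"
      displayName: 'CVE scan (required by template)'

- stage: deploy_prod
  dependsOn: build
  jobs:
  - deployment: deploy
    pool:
      vmImage: ${{ parameters.vmImage }}
    # Configure the "Required template" check on this environment so that only
    # runs extending secure-build.yml@templates (at the approved ref) may use it.
    environment: production
    strategy:
      runOnce:
        deploy:
          steps:
          - script: echo "deploy step would go here"
---
# --- azure-pipelines.yml in a team's repository ---
resources:
  repositories:
  - repository: templates
    type: git
    name: Platform/pipeline-templates   # assumed project/repo in the same org
    ref: refs/tags/v1                   # pin to a reviewed release of the template

extends:
  template: secure-build.yml@templates
  parameters:
    buildSteps:
    - script: dotnet build -c Release
      displayName: Build
    - script: dotnet test -c Release --no-build
      displayName: Test
```

Two practical notes. First, `extends` is what makes this enforceable: an ordinary `template:` include can be surrounded by arbitrary extra steps, whereas an `extends` pipeline can only supply parameters, so the template fully controls the job structure. Second, protect the template repository itself with branch policies and restricted push rights; if teams can edit `secure-build.yml` or push new tags, the required-template check only proves they used a template, not that the template still contains the scan.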