playbooks

home / skills / yldgio / codereview-skills / azure-devops

azure-devops skill

/skills/azure-devops

This skill helps you secure and optimize Azure DevOps pipelines by enforcing best practices for YAML structure, variable management, and deployment patterns.

npx playbooks add skill yldgio/codereview-skills --skill azure-devops

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
3.2 KB
---
name: azure-devops
description: Azure DevOps pipeline security, YAML structure, variable management, and deployment patterns
---

## Azure DevOps Pipelines Code Review Rules

### Security (Critical)
- Use service connections with minimal permissions
- Store secrets in Variable Groups linked to Key Vault
- Use secure files for certificates/keys
- Enable branch policies for protected branches
- Require approvals for production environments
- Scan pipeline YAML for hardcoded secrets/credentials
- Review inline scripts for command injection, unsafe variable expansion, and commonly exploited patterns
- Consider using static analysis tools for script security
- Avoid echoing secrets in script output
- Use credential scanning tools in PR validation
- Validate compile-time template expressions (`${{ }}`) to prevent injection during pipeline parsing; avoid direct user input in template expansion
- Sanitize runtime variables (`$()`) before using in scripts to prevent command injection; never interpolate untrusted data into script commands

### Variables
- Explicitly declare all variables with restricted scope
- Review Variable Group linking permissions to prevent unauthorized access
- Use Variable Groups for shared configuration
- Mark sensitive variables as secret (masked in logs)
- Use template expressions `${{ }}` for compile-time, `$()` for runtime
- Don't hardcode environment-specific values
- Follow naming conventions: use camelCase or UPPER_SNAKE_CASE
- Name Variable Groups clearly (e.g., `prod-app-config`)
- Understand variable override precedence (job > stage > root > variable group); see docs for advanced patterns
- Document variable purpose in Variable Group descriptions

### Task Management (Essential)
- Pin task versions (`task@2` not `task`)
- Use built-in tasks over script when available
- Explicitly specify agent pool (`pool: vmImage` or `pool: name`)
- Review custom scripts for embedded secrets or insecure code
- Avoid inline scripts for complex logic (use script files)
- Set `continueOnError` only when intentional
- Use `condition` for conditional execution
- Set task timeouts to prevent hanging jobs

### Stages and Jobs
- Use stages for environment progression (dev -> staging -> prod)
- Use deployment jobs for environment deployments
- Define explicit `dependsOn` for job ordering
- Use parallel jobs where independent
- Follow naming conventions: use descriptive stage/job names
- Set resource limits (`pool.demands`) when needed
- Configure concurrency limits for deployment jobs
- Use meaningful `displayName` for stages and jobs

### Environments
- Create environments for each deployment target
- Configure approvals and checks on environments
- Use environment variables for environment-specific config
- Track deployments in environment history

### Templates
- Extract reusable steps into templates
- Use parameters for template customization
- Store templates in a shared repository
- Version template references
- Document template purpose and parameters
- Validate template compatibility before use
- Handle template inclusion errors gracefully
- Test template changes before merging
- For complex parameter overrides, see [Azure DevOps Template Documentation](https://learn.microsoft.com/azure/devops/pipelines/process/templates)

### Best Practices

Overview

This skill helps secure and standardize Azure DevOps pipelines by inspecting YAML structure, variable usage, task configuration, stages/jobs, and deployment patterns. It highlights risky patterns like hardcoded secrets, unsafe inline scripts, and overly permissive service connections. The skill provides actionable recommendations to enforce least privilege, proper variable scoping, and safe template usage.

How this skill works

The skill parses pipeline YAML and related template files to identify insecure patterns: hardcoded credentials, unmasked variables, unpinned tasks, unsafe runtime interpolation, and inline-script hazards. It checks variable group linkage, service connection scopes, environment approvals, and deployment job settings. For each finding it reports the risk, exact YAML location, and a concise remediation. It also suggests best-practice changes such as switching scripts to built-in tasks or extracting reusable templates.

When to use it

  • Before merging pipeline or template changes in pull requests
  • When onboarding new projects to ensure consistent pipeline security
  • During audits to validate variable and secret management practices
  • When migrating CI/CD to Azure DevOps or introducing new environments
  • Before promoting pipelines to production to verify approvals and protections

Best practices

  • Use service connections with minimal permissions and audit their scope
  • Store secrets in Variable Groups linked to Key Vault and mark secrets as secret (masked)
  • Pin task versions (e.g., task@2) and prefer built-in tasks over complex inline scripts
  • Validate compile-time (${ { }}) and sanitize runtime ($()) variables to prevent template and command injection
  • Extract and version templates; document parameters and test template changes before merging
  • Enable branch policies, environment approvals, and deployment history tracking for production protection

Example use cases

  • Scan a repository of pipeline YAML to find hardcoded secrets and suggest Variable Group migration
  • Review templates to detect unsafe parameter expansion and recommend compile-time vs runtime fixes
  • Validate a pipeline change in a PR to ensure tasks are pinned and no inline secrets are exposed
  • Audit environment configuration to confirm approvals, concurrency limits, and deployment jobs are properly set
  • Generate a checklist for migrating pipelines to use Key Vault-backed Variable Groups and secure files

FAQ

How does the skill detect hardcoded secrets?

It scans YAML and inline scripts for patterns resembling credentials, tokens, and keys, then flags likely secrets for review rather than automatic removal.

Can it modify pipelines automatically?

It provides remediation steps and suggested YAML snippets but does not apply changes automatically; use the suggestions to update pipelines with appropriate approvals.