Enforcing specific tasks/templates in Azure DevOps

Q: Other than not giving users permission to create pipelines, how can I enforce a specific task/task group/YAML template? I want to create a mandatory task/task group/YAML template that does some security scanning, and I want to prevent users from making changes that disable it. Ideas and insights are welcome. Thanks!

A decorator extension can check the presence of a template and optionally inject a task to fail the pipeline. Decorator extensions can’t be disabled by template authors.

Other than that, required templates through protected resources: https://learn.microsoft.com/en-us/azure/devops/pipelines/security/templates?view=azure-devops

https://learn.microsoft.com/en-us/azure/devops/extend/develop/add-pipeline-decorator?view=azure-devops

You could also use the decorator to forcefully inject the tasks you want to be included always.

Sadly you can’t enforce this through the security template feature: it works only if you declare your repo as a resource.

We went the decorator route for some security scanning. Some had hoped users would do the right thing and include the tasks, or that the templates would always be used, but the reality was that unless it was injected into every run it wasn’t going to happen.

hmm… now I just need a UI for the decorator extension that is only visible / editable to collection admins. *sounds of cogwheels turning*

btw, is there an equivalent for GH?

Decorators can be installed by pool administrators and collection admins, off the top of my head.

GitHub equivalent would be Required Workflows: https://docs.github.com/en/actions/using-workflows/required-workflows

Any news about “In later steps, we add logic to control when and how the decorator runs”?
Currently the decorator acts on all of the organization’s pipelines.

This one uses compile-time variables to conditionally include steps based on variables.

https://github.com/jessehouwing/azure-pipelines-verify-signed-decorator/blob/main/verify-signed-decorator.yml

Same here, for conditionally running only on TFVC builds on hosted runners:

https://github.com/jessehouwing/azure-pipelines-tfvc-fixparallel-decorator/blob/main/azure-pipelines-tfvc-fixparallel-decorator.yml
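To make the two ideas in this thread concrete (injecting a mandatory scan step from a decorator, and using compile-time `${{ }}` conditions to control when it is injected), here is an added example decorator template. It is not code from the thread, from Jesse's repositories or from Microsoft's docs. It assumes a hypothetical scanner invoked as `./scan.sh`, and the task GUID used to detect an already-present scanner step is a placeholder you would replace with the real task's id.

```yaml
# Added example decorator template (not from the original thread).
# Contributed from vss-extension.json with
#   "type": "ms.azure-pipelines.pipeline-decorator"
#   "targets": ["ms.azure-pipelines-agent-job.post-job-tasks"]
# Once the extension is installed in the collection, this runs in every job;
# nothing in a pipeline author's YAML can remove it.
steps:
# ${{ }} expressions are evaluated when the pipeline is compiled, not at
# runtime, so a template author cannot flip them with a runtime variable.
#
# Case 1: the job already contains the scanner task (matched by task GUID;
# the GUID below is a placeholder, replace it with the real scanner task id).
# Do nothing, so a team that uses the approved template is not scanned twice.
- ${{ if not(containsValue(job.steps.*.task.id, '00000000-0000-0000-0000-000000000000')) }}:
  # Case 2: scanner missing -> inject it. The extra Git-only condition shows
  # how to scope injection with a predefined variable, the same way the linked
  # decorators restrict themselves to TFVC builds.
  - ${{ if eq(variables['Build.Repository.Provider'], 'TfsGit') }}:
    - task: Bash@3
      displayName: 'Required security scan (injected by decorator)'
      inputs:
        targetType: inline
        script: |
          set -euo pipefail
          # Hypothetical scanner; a non-zero exit fails the job, which is
          # what makes the scan "mandatory" rather than advisory.
          ./scan.sh --fail-on high
```

Using `post-job-tasks` rather than `pre-job-tasks` lets the scan see build output; if the scan must block before anything else runs, switch the target. Checking `job.steps.*.task.id` is what turns the decorator into the "is the required template present?" check mentioned at the top of the thread: when the approved template is used, the scanner task is already in the step list and the decorator stays out of the way.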