azure-devops (SKILL.md)
Azure DevOps Pipelines Code Review Rules

Security (Critical)

  • Template Expression Safety: In template expressions (${{ }}), interpolate only values that have undergone strict validation and escaping. Never pass direct user input into template expansion; it is evaluated while the pipeline is parsed, so injected content becomes part of the pipeline itself
  • Runtime Variable Safety: Sanitize and validate runtime variables ($()) before using them in scripts. Never interpolate untrusted data into script commands; doing so enables command injection
  • Comment Hygiene: Never use HTML comments (<!-- -->) in pipeline YAML files. Use standard YAML comments (#) only
  • Use service connections with minimal permissions
  • Store secrets in Variable Groups linked to Key Vault
  • Use Secure Files for certificates and keys
  • Enable branch policies for protected branches
  • Require approvals for production environments
  • Scan pipeline YAML for hardcoded secrets and credentials
  • Review inline scripts for command injection, unsafe variable expansion, and commonly exploited patterns
  • Consider using static analysis tools for script security
  • Avoid echoing secrets in script output
  • Run credential scanning tools as part of PR validation
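The three heading rules above (template expressions, runtime variables, HTML comments) plus the hardcoded-secret rule are the ones a reviewer can check mechanically. The script below is an added example written for this page, not tooling from the codereview-skills project: a line-based lint that walks a pipeline YAML file, tracks when it is inside a `script:`/`bash:`/`pwsh:`/`powershell:` block scalar, and reports $() or ${{ }} expansions inside script text, HTML comment markers, and credential-looking keys with literal values. The rule names, regex heuristics and sample pipeline are all constructed here; the second `bash` step in the sample shows the usual mitigation, passing the value through the step's `env:` mapping so the shell reads an environment variable instead of pipeline-expanded text, and the linter does not flag it.

```python
"""Line-based lint for a few of the Azure Pipelines review rules above (constructed example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional

# Step keys whose value is an inline script (single line, or a "|" / ">" block scalar).
SCRIPT_KEY_RE = re.compile(r"^(\s*)(-\s+)?(script|bash|pwsh|powershell):\s*(.*)$")
MACRO_RE = re.compile(r"\$\([A-Za-z0-9_.]+\)")      # $(Var): runtime macro expansion
TEMPLATE_RE = re.compile(r"\$\{\{[^}]*\}\}")        # ${{ ... }}: parse-time template expression
HTML_COMMENT_RE = re.compile(r"<!--")
# Credential-looking key carrying a literal value (a $() reference does not match).
SECRET_KEY_RE = re.compile(
    r"^\s*-?\s*(\w*(?:password|secret|token|apikey|api_key))\s*:\s*['\"]?([^\s'\"$#]+)", re.I
)


@dataclass
class Finding:
    line: int
    rule: str
    text: str


def lint_pipeline(yaml_text: str) -> List[Finding]:
    """Return findings for HTML comments, hardcoded secrets and $()/${{ }} inside scripts."""
    findings: List[Finding] = []
    block_key_col: Optional[int] = None  # column of the script key whose block scalar we are in
    for n, line in enumerate(yaml_text.splitlines(), start=1):
        stripped = line.strip()
        indent = len(line) - len(line.lstrip(" "))
        # A non-blank line indented at or left of the script key ends its block scalar.
        if block_key_col is not None and stripped and indent <= block_key_col:
            block_key_col = None

        if HTML_COMMENT_RE.search(line):
            findings.append(Finding(n, "comment-hygiene", stripped))

        m = SECRET_KEY_RE.match(line)
        if m and m.group(2).lower() not in ("true", "false"):
            findings.append(Finding(n, "hardcoded-secret", stripped))

        script_text: Optional[str] = None
        m = SCRIPT_KEY_RE.match(line)
        if m:
            key_col = len(m.group(1)) + len(m.group(2) or "")
            rest = m.group(4)
            if rest[:1] in ("|", ">"):
                block_key_col = key_col      # multi-line script follows on the next lines
            else:
                script_text = rest           # single-line script on this line
        elif block_key_col is not None:
            script_text = line               # inside a multi-line script
        if script_text and (MACRO_RE.search(script_text) or TEMPLATE_RE.search(script_text)):
            findings.append(Finding(n, "variable-expansion-in-script", stripped))
    return findings


# Constructed sample pipeline. The first bash step expands pipeline values straight into
# shell text; the second passes the same value through env:, which is not flagged.
SAMPLE_PIPELINE = """trigger:
- main

variables:
  dbPassword: hunter2
<!-- legacy comment -->
steps:
- bash: |
    echo "Building $(Build.SourceBranchName)"
    ./deploy.sh --env ${{ parameters.environment }}
  displayName: Deploy
- bash: |
    echo "Building $BRANCH"
  env:
    BRANCH: $(Build.SourceBranchName)
  displayName: Deploy (env mapping, not flagged)
- script: echo $(Build.BuildId)
"""

if __name__ == "__main__":
    for f in lint_pipeline(SAMPLE_PIPELINE):
        print(f"line {f.line}: {f.rule}: {f.text}")
```

Running it on the sample reports the hardcoded `dbPassword`, the HTML comment, both expansions in the first bash step and the inline `script:` line, and nothing for the env-mapped step. The checks are deliberately line-based heuristics rather than a YAML parse, so they run without dependencies on a PR validation agent but will miss flow-style or folded layouts; treat hits as review prompts, not verdicts.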
First seen: Mar 30, 2026
Source: yldgio/codereview-skills (azure-devops)