Add networkIsolationPolicy to 1ES pipeline templates for SFI-ES4.2.4 compliance#14696

Merged
joperezr merged 1 commit into release/13.2 from sfi-es424-network-isolation-policy
Mar 12, 2026

Conversation

@joperezr (Member)

Summary

Adds networkIsolationPolicy: Permissive,CFSClean2 to the 1ES pipeline template parameters to resolve the [SFI-ES4.2.4] "Network Isolation for CFS endpoints" S360 KPI violation (CFSClean violation type).

Background

The S360 KPI [SFI-ES4.2.4] requires that CI/CD pipelines use Central Feed Service (CFS) package feeds (Azure Artifacts feeds) rather than public package registries, to enforce supply chain security and network isolation.

Our NuGet.config already exclusively uses Azure Artifacts/CFS-compliant feeds (all pointing to pkgs.dev.azure.com/dnceng or dnceng.pkgs.visualstudio.com). No public feeds like nuget.org are referenced. However, the 1ES pipeline template parameters were missing the networkIsolationPolicy declaration, which is what the compliance scanner checks for.

What the setting means

  • Permissive - Allows broader outbound network access during pipeline runs. This is appropriate for public/OSS repos that need to access multiple Azure Artifacts feeds, npm registries (for the VS Code extension build), and other legitimate external endpoints.
  • CFSClean2 - Declares CFS compliance at the current wave level, confirming that package dependency resolution goes through Azure Artifacts/CFS rather than direct public registries.

Precedent

This is the same approach used by dotnet/source-indexer (see their azure-pipelines.yml), which previously had the same CFSClean violation and resolved it with this one-line setting.

Changes

  • eng/pipelines/azure-pipelines.yml - Added settings.networkIsolationPolicy: Permissive,CFSClean2 under extends.parameters
  • eng/pipelines/azure-pipelines-unofficial.yml - Same change applied
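The description above rests on the claim that NuGet.config already references only Azure Artifacts/CFS feeds (pkgs.dev.azure.com/dnceng or dnceng.pkgs.visualstudio.com). The following is an added example, not code from this PR or the dotnet/aspire repo, of the check a reviewer could run to confirm that claim rather than take it on trust. The allowlist of hosts and the two sample NuGet.config documents are constructed for the example; the feed paths in them are placeholders, not the repo's real feeds. It also flags a missing `<clear />`, because NuGet merges package sources from user- and machine-level config files unless the repo config clears them, so a repo file can look clean while a public feed is still reachable on the build agent.

```python
"""Audit a NuGet.config: every package source must be an https URL on an
Azure Artifacts / CFS host, and inherited sources must be cleared."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed allowlist matching the hosts named in the PR description.
ALLOWED_HOSTS = ("pkgs.dev.azure.com",)
ALLOWED_SUFFIXES = (".pkgs.visualstudio.com",)


def is_allowed_host(host: str) -> bool:
    """True if the host is an Azure Artifacts / CFS feed host."""
    host = host.lower()
    return host in ALLOWED_HOSTS or any(host.endswith(s) for s in ALLOWED_SUFFIXES)


def audit_nuget_config(xml_text: str) -> list[str]:
    """Return a list of findings; an empty list means the config is compliant."""
    findings: list[str] = []
    root = ET.fromstring(xml_text)
    sources = root.find("packageSources")
    if sources is None:
        # With no <packageSources> at all, every source comes from outer configs.
        return ["no <packageSources> element; all sources are inherited from outer configs"]
    if sources.find("clear") is None:
        findings.append(
            "<packageSources> lacks <clear />; sources from user/machine "
            "NuGet.config files are inherited"
        )
    for add in sources.findall("add"):
        key = add.get("key", "?")
        value = add.get("value", "")
        parsed = urlparse(value)
        if parsed.scheme != "https":
            # Local paths and plain-http feeds are not CFS endpoints either.
            findings.append(f"source '{key}' is not an https feed: {value}")
            continue
        if not is_allowed_host(parsed.hostname or ""):
            findings.append(f"source '{key}' points outside Azure Artifacts/CFS: {value}")
    return findings


# Constructed sample: clears inherited sources and uses only allowlisted hosts.
COMPLIANT_CONFIG = """
<configuration>
  <packageSources>
    <clear />
    <add key="example-public" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/example-feed/nuget/v3/index.json" />
    <add key="example-eng" value="https://dnceng.pkgs.visualstudio.com/public/_packaging/example-feed/nuget/v3/index.json" />
  </packageSources>
</configuration>
"""

# Constructed sample: no <clear />, and a direct reference to the public registry.
NONCOMPLIANT_CONFIG = """
<configuration>
  <packageSources>
    <add key="example-public" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/example-feed/nuget/v3/index.json" />
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
</configuration>
"""


if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT_CONFIG), ("noncompliant", NONCOMPLIANT_CONFIG)):
        result = audit_nuget_config(cfg)
        print(f"{name}: {'OK' if not result else 'FINDINGS'}")
        for line in result:
            print("  -", line)
```

Running the script against the real eng/NuGet.config (for example `audit_nuget_config(open("NuGet.config").read())`) gives a concrete answer to the feed question; the networkIsolationPolicy declaration only tells the scanner what the repo claims, it does not itself restrict which feeds restore can reach.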

…compliance

Add networkIsolationPolicy: Permissive,CFSClean2 to the 1ES pipeline template
parameters in both official and unofficial pipeline definitions to resolve the
[SFI-ES4.2.4] Network Isolation for CFS endpoints S360 KPI violation.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings February 25, 2026 21:47
@github-actions (Contributor)

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 14696

Or

  • Run remotely in PowerShell:
iex "& { $(irm https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 14696"

Copilot AI (Contributor) left a comment

Pull request overview

Adds the 1ES pipeline template parameter settings.networkIsolationPolicy: Permissive,CFSClean2 to address SFI-ES4.2.4 (CFS endpoint network isolation) compliance scanning requirements for the repo’s CI pipelines.

Changes:

  • Add settings.networkIsolationPolicy: Permissive,CFSClean2 to eng/pipelines/azure-pipelines.yml (official pipeline).
  • Add the same settings.networkIsolationPolicy to eng/pipelines/azure-pipelines-unofficial.yml (unofficial pipeline).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File                                          Description
eng/pipelines/azure-pipelines.yml             Passes settings.networkIsolationPolicy into the 1ES Official template parameters.
eng/pipelines/azure-pipelines-unofficial.yml  Passes settings.networkIsolationPolicy into the 1ES Unofficial template parameters.

@mitchdenny (Member) left a comment

Looks good — purely a compliance declaration change with no functional impact on build behavior. The Permissive mode keeps outbound access open, and CFSClean2 satisfies the S360 scanner.

Labels

NO-MERGE The PR is not ready for merge yet (see discussion for detailed reasons)

3 participants