
Decrease exposure to high-risk extensions

When you install or upgrade extensions, some might be flagged as high-risk. You can check their high-risk status in the Extensions section of Organization settings. An extension can receive this designation for several reasons, which this article explains.

We recommend only installing, upgrading, or using such extensions if you trust them and their publishers. Otherwise, you risk exposing your Azure DevOps organization to various issues, including security vulnerabilities, malfunctioning extensions, and the misuse of extensions with overly permissive scopes.

Screenshot showing high-risk extensions in Organization settings.

For more information about extensions, see the developing and publishing overviews.

Manage extensions with overly permissive scopes

Extensions that require overly permissive scopes are considered high-risk. To determine whether a particular scope falls into the high-risk category, see the Extension manifest reference.

Screenshot showing high-risk extension details.

Discontinue use of unpublished extensions

Extensions that were once public on the Visual Studio Marketplace but were later unpublished by their publishers are considered high-risk. Removing an extension from the marketplace typically indicates that it's no longer maintained. We recommend discontinuing the use of such extensions and uninstalling them from your Azure DevOps organization.

Screenshot showing high-risk extension details with unpublished status.

Use pipeline decorators safely

Pipeline decorators are extensions that can modify and enhance all pipelines within your organization. Therefore, use them cautiously and only if you trust their publishers.

Screenshot showing authorization screen for newly added scopes with pipeline decorator included.

Identify high-risk scopes flagged in the Visual Studio Marketplace

The same information about high-risk scopes also appears in the Azure DevOps Visual Studio Marketplace.

Screenshot showing the Azure DevOps Visual Studio Marketplace acquisition screen for a high-risk extension.

Note

This feature is being released gradually. If you don't see the high-risk scope in your Azure DevOps Visual Studio Marketplace user interface, wait a few more days until it becomes available for you.

Addition of the unpublished state field in the Azure DevOps Services REST API

With the Azure DevOps Services REST API version 7.2, the string field 'unpublished' is now available.
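As an added example (not Microsoft's code or part of this article), the script below triages a list of installed extensions for the three conditions this article flags: an unpublished extension, a pipeline decorator, and overly permissive scopes. The input is a constructed JSON document modelled on the shape of the installed-extensions REST response; the `unpublished` key name and the decorator contribution type `ms.azure-pipelines.pipeline-decorator` are assumptions here, and the set of scopes treated as high-risk is a placeholder you should replace using the Extension manifest reference.

```python
import json

# Constructed sample, modelled on the installed-extensions REST response.
# The 'unpublished' key (empty when still published) is an assumption for
# this example; publisherId, extensionId, scopes and contributions follow
# the documented response fields.
SAMPLE_RESPONSE = json.dumps({
    "count": 3,
    "value": [
        {"publisherId": "contoso", "extensionId": "build-helper",
         "version": "1.2.0", "scopes": ["vso.build"],
         "contributions": [], "unpublished": ""},
        {"publisherId": "fabrikam", "extensionId": "pipeline-guard",
         "version": "0.9.1", "scopes": ["vso.build_execute", "vso.code_write"],
         "contributions": [{"type": "ms.azure-pipelines.pipeline-decorator"}],
         "unpublished": ""},
        {"publisherId": "oldvendor", "extensionId": "legacy-widget",
         "version": "2.0.0", "scopes": ["vso.work"],
         "contributions": [], "unpublished": "2024-01-15T00:00:00Z"},
    ],
})

# Contribution type used by pipeline decorators (assumed for this example).
DECORATOR_TYPE = "ms.azure-pipelines.pipeline-decorator"


def triage_extensions(response_json: str, high_risk_scopes: set) -> list:
    """Return one finding per installed extension that is unpublished,
    contributes a pipeline decorator, or requests a scope in
    high_risk_scopes. Extensions with no finding are omitted."""
    findings = []
    for ext in json.loads(response_json).get("value", []):
        reasons = []
        if ext.get("unpublished"):
            reasons.append(f"unpublished since {ext['unpublished']}")
        if any(c.get("type") == DECORATOR_TYPE for c in ext.get("contributions", [])):
            reasons.append("pipeline decorator (affects every pipeline)")
        risky = sorted(set(ext.get("scopes", [])) & high_risk_scopes)
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(risky))
        if reasons:
            findings.append({"extension": f"{ext['publisherId']}.{ext['extensionId']}",
                             "version": ext.get("version"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Placeholder policy: which scopes your organization treats as high-risk.
    for f in triage_extensions(SAMPLE_RESPONSE, {"vso.build_execute", "vso.code_write"}):
        print(f["extension"], f["version"], "->", "; ".join(f["reasons"]))
```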