
Additional protections when using public package registries.

Why This Matters

Public package registries such as npm, PyPI, or NuGet can expose your Azure DevOps pipelines to supply chain risk when builds are allowed to pull from them without restriction. Without additional protections, a malicious or compromised package from a public source can be pulled into a build and introduce vulnerabilities or backdoors into your artifacts. Enforcing safeguards such as routing public packages through a trusted feed or allowlisting what a build may consume helps ensure that only vetted packages are used, reducing the attack surface of your CI/CD workflows.

What Aether365 Checks

This check verifies whether your Azure DevOps environment has additional protections enabled for consuming packages from public registries, such as fronting those registries with feeds that use upstream sources, or allowlisting the packages a build is permitted to consume. It appears in the Aether365 dashboard under the microsoft-365 checks category, flagged as a Medium severity finding.
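The organization-level setting is what Aether365 reports on; a complementary control is a build-time gate that refuses packages not sourced through the trusted feed. The script below is an added example, not Aether365's code and not a Microsoft tool: it reads an npm package-lock.json, checks each resolved package URL against an allowlisted feed prefix, and flags packages fetched directly from a public registry. It goes one step beyond the text by treating an internal-scope package (here the hypothetical `@contoso` scope) that resolves to a public registry as a high-severity finding, since that is the pattern a malicious look-alike package would produce. The feed URL, scope, package names and lockfile contents are all constructed for illustration.

```python
"""Added example (not Aether365's own code): a CI-side allowlist gate over
the sources recorded in an npm lockfile. Feed URLs, the internal scope and
the sample lockfile below are constructed for illustration only."""
import json
from urllib.parse import urlparse

# Public registries a build should not reach directly (well-known hosts).
PUBLIC_REGISTRY_HOSTS = {
    "registry.npmjs.org",
    "pypi.org",
    "files.pythonhosted.org",
    "api.nuget.org",
}

# Hypothetical private Azure Artifacts feed that fronts the public registry.
ALLOWED_FEED_PREFIXES = (
    "https://pkgs.dev.azure.com/contoso/_packaging/trusted-feed/npm/registry/",
)

# Constructed package-lock.json (lockfileVersion 3 "packages" layout).
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://pkgs.dev.azure.com/contoso/_packaging/"
                        "trusted-feed/npm/registry/left-pad/-/left-pad-1.3.0.tgz",
        },
        "node_modules/lodash": {
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
        },
        "node_modules/@contoso/internal-utils": {
            "version": "2.0.1",
            "resolved": "https://registry.npmjs.org/@contoso/internal-utils/"
                        "-/internal-utils-2.0.1.tgz",
        },
        "node_modules/leftover": {
            "version": "0.1.0",
            "resolved": "git+ssh://git@github.com/someone/leftover.git#abc123",
        },
    },
})


def classify_source(resolved, allowed_prefixes=ALLOWED_FEED_PREFIXES):
    """Classify where a locked package was resolved from."""
    if not resolved:
        return "missing"
    if resolved.startswith(allowed_prefixes):
        return "allowed-feed"
    host = urlparse(resolved).hostname or ""
    if host in PUBLIC_REGISTRY_HOSTS:
        return "public-direct"
    return "other"


def audit_lockfile(lock_text, internal_scopes=("@contoso",),
                   allowed_prefixes=ALLOWED_FEED_PREFIXES):
    """Return one finding per dependency that bypasses the allowlisted feed."""
    lock = json.loads(lock_text)
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # root project entry, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested node_modules
        source = classify_source(entry.get("resolved"), allowed_prefixes)
        if source == "allowed-feed":
            continue
        if source == "public-direct" and name.startswith(internal_scopes):
            severity, reason = "high", "internal-scope package fetched from a public registry"
        elif source == "public-direct":
            severity, reason = "medium", "package fetched directly from a public registry"
        elif source == "missing":
            severity, reason = "medium", "no resolved URL recorded in lockfile"
        else:
            severity, reason = "low", "package resolved outside the allowlisted feed"
        findings.append({"package": name, "version": entry.get("version"),
                         "severity": severity, "reason": reason})
    return findings


def gate(findings, fail_on=("high", "medium")):
    """Exit code for a pipeline step: 1 if any finding is at a blocking severity."""
    return 1 if any(f["severity"] in fail_on for f in findings) else 0


if __name__ == "__main__":
    results = audit_lockfile(SAMPLE_LOCKFILE)
    for f in results:
        print(f"[{f['severity']}] {f['package']}@{f['version']}: {f['reason']}")
    raise SystemExit(gate(results))
```

Run it as a pipeline step after `npm ci` (or against the committed lockfile) and point `ALLOWED_FEED_PREFIXES` at your own feed. The `git+ssh` entry is reported at low severity rather than ignored, because anything outside the feed is, by definition, outside the controls the feed enforces.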
