AzureDevOps project critical builtIn

Description

Protect access to repositories in YAML pipelines. This setting restricts the scope of access for all pipelines to only the repositories explicitly referenced by the pipeline, and applies checks and approvals when YAML pipelines access repositories. It also generates a job access token that is scoped to the repositories explicitly referenced in the YAML pipeline. Learn more: https://learn.microsoft.com/en-us/azure/devops/pipelines/security/secure-access-to-repos

Recommendation

1. Navigate to Project Settings. 
2. Open the Settings link under Pipelines. 
3. Turn 'On' the setting 'Protect access to repositories in YAML pipelines'.

Policy Rule

{
  "target": "ADOProjectPipelineGeneralSettings",
  "if": {
    "allOf": [
      {
        "resource": "ADOProjectPipelineGeneralSettings",
        "property": "EnforceReferencedRepoScopedToken",
        "operator": "equals",
        "value": true
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
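
The following is an added example, not the policy engine's own code: a small offline evaluator that checks the rule's if.allOf condition against exported project settings. The snapshot shape, the project names and the strict boolean reading of "equals" are assumptions. The Audit effect itself is not modelled.

```python
import json

# Same content as the policy rule shown on the page.
RULE = json.loads("""
{
  "target": "ADOProjectPipelineGeneralSettings",
  "if": {"allOf": [{
    "resource": "ADOProjectPipelineGeneralSettings",
    "property": "EnforceReferencedRepoScopedToken",
    "operator": "equals",
    "value": true
  }]},
  "then": {"effect": "Audit"}
}
""")

def condition_holds(cond, resource_type, props):
    """Evaluate one leaf condition against a resource's properties."""
    if cond["operator"] != "equals":
        raise ValueError("unsupported operator: " + cond["operator"])
    if cond["resource"] != resource_type or cond["property"] not in props:
        return False  # wrong resource type or setting absent: no match
    actual, expected = props[cond["property"]], cond["value"]
    # Compare type as well as value: in Python 1 == True, and an export
    # may carry the string "true" instead of a JSON boolean (assumed strict).
    return type(actual) is type(expected) and actual == expected

def rule_matches(rule, props):
    """True only when every condition under if.allOf holds."""
    return all(condition_holds(c, rule["target"], props)
               for c in rule["if"]["allOf"])

def projects_not_matching(rule, snapshots):
    """Names of projects whose settings do not satisfy the rule's condition."""
    return sorted(n for n, p in snapshots.items() if not rule_matches(rule, p))

# Constructed sample data: project names and snapshot shape are hypothetical.
SNAPSHOTS = {
    "proj-on": {"EnforceReferencedRepoScopedToken": True},
    "proj-off": {"EnforceReferencedRepoScopedToken": False},
    "proj-missing": {},
    "proj-string": {"EnforceReferencedRepoScopedToken": "true"},
}

if __name__ == "__main__":
    for name in projects_not_matching(RULE, SNAPSHOTS):
        print(name, "-> setting is not confirmed On")
```

A project with the property missing or stored as a string is reported alongside one where the setting is off, so an incomplete export is never read as compliant.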