AzureDevOps project high builtIn

Description

An agent pool must not be granted access to all YAML pipelines. Lock down the agent pool and allow only selected YAML pipelines to access it.

Learn more:
https://learn.microsoft.com/en-us/azure/devops/pipelines/security/resources#pipeline-permissions
https://learn.microsoft.com/en-us/azure/devops/pipelines/policies/permissions#set-individual-agent-pool-permissions
https://learn.microsoft.com/en-us/azure/devops/pipelines/security/resources

Recommendation

1. Navigate to Project Settings.
2. Open the Agent pools link under Pipelines.
3. Select an agent pool.
4. Click the Security tab.
5. Review Pipeline permissions and click 'Restrict permission' to limit access to only the allowed pipelines.

Policy Rule

{
  "target": "ADOProjectPipelinePermissions",
  "if": {
    "allOf": [
      {
        "resource": "ADOProjectPipelinePermissions",
        "property": "Resource.Type",
        "operator": "equals",
        "value": "queue"
      },
      {
        "resource": "ADOProjectPipelinePermissions",
        "property": "AllPipelines.Authorized",
        "operator": "equals",
        "value": false
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
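
The check described above can also be run offline against exported pipeline-permission records. The following is an added example, not part of the original policy or of any vendor tooling. The record shape (resource.type, allPipelines.authorized, pipelines[]) is an assumption that mirrors the properties named in the rule, and the pool names and IDs are constructed.

```python
"""Audit agent pool (queue) pipeline permissions over constructed sample records."""

# Constructed sample records. The shape is an assumption mirroring the
# Resource.Type / AllPipelines.Authorized properties named in the policy rule.
SAMPLE_PERMISSIONS = [
    {"resource": {"type": "queue", "id": "11", "name": "prod-selfhosted"},
     "allPipelines": {"authorized": True},
     "pipelines": []},
    {"resource": {"type": "queue", "id": "12", "name": "build-linux"},
     "allPipelines": {"authorized": False},
     "pipelines": [{"id": 101, "authorized": True},
                   {"id": 102, "authorized": False}]},
    # No allPipelines key at all: treated as "not open to all pipelines".
    {"resource": {"type": "queue", "id": "13", "name": "release-win"},
     "pipelines": [{"id": 201, "authorized": True}]},
    # Not an agent pool, so outside this rule's scope even though it is open.
    {"resource": {"type": "endpoint", "id": "aa-01", "name": "azure-sub"},
     "allPipelines": {"authorized": True},
     "pipelines": []},
]


def audit_agent_pools(records):
    """Return one finding per queue resource, flagging pools open to all pipelines."""
    findings = []
    for rec in records:
        resource = rec.get("resource", {})
        if resource.get("type") != "queue":
            continue  # the rule only targets agent pools (queues)
        open_to_all = bool((rec.get("allPipelines") or {}).get("authorized", False))
        allowed = sorted(p["id"] for p in rec.get("pipelines", [])
                         if p.get("authorized"))
        findings.append({
            "pool": resource.get("name", resource.get("id")),
            "compliant": not open_to_all,
            "allowed_pipelines": allowed,
        })
    return findings


def non_compliant_pools(records):
    """Names of agent pools that every YAML pipeline in the project may use."""
    return [f["pool"] for f in audit_agent_pools(records) if not f["compliant"]]


if __name__ == "__main__":
    for f in audit_agent_pools(SAMPLE_PERMISSIONS):
        status = "OK" if f["compliant"] else "OPEN TO ALL PIPELINES"
        print(f"{f['pool']}: {status}; allowed pipelines: {f['allowed_pipelines']}")
```

For pools reported as compliant, the allowed pipeline list is still worth reviewing, since an explicit grant to a pipeline that no longer needs the pool is not flagged by this rule.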