AzureDevOps project high builtIn

Description

An environment must not be open to all YAML pipelines in the project: any pipeline, including one created or edited by a low-privileged contributor, could then deploy to it and use its resources and approvals. Lock down the environment and authorize only the specific YAML pipelines that need it. Learn more: https://learn.microsoft.com/en-us/azure/devops/pipelines/security/resources

Recommendation

1. Navigate to Project -> Pipelines -> Environments
2. Select an environment.
3. Click the three dots (More actions) button.
4. Click Security.
5. Under the 'Pipeline permissions' section, click 'Restrict permission' so that access is no longer granted to all YAML pipelines. Then add only the YAML pipelines that need explicit access to this environment.

Policy Rule

{
  "target": "ADOProjectPipelinePermissions",
  "if": {
    "allOf": [
      {
        "resource": "ADOProjectPipelinePermissions",
        "property": "Resource.Type",
        "operator": "equals",
        "value": "environment"
      },
      {
        "resource": "ADOProjectPipelinePermissions",
        "property": "AllPipelines.Authorized",
        "operator": "equals",
        "value": false
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}