AzureDevOps project high builtIn

Description

A secure file must not be granted access to all YAML pipelines. Lock down the secure file so that only the selected YAML pipelines that need it are authorized. Otherwise, an unauthorized user who can build a YAML pipeline with access to the secure file can steal the information it holds. Learn more: https://learn.microsoft.com/en-us/azure/devops/pipelines/security/resources

Recommendation

1. Navigate to Project -> Pipelines -> Library -> Secure files.
2. Select the secure file.
3. Click 'Pipeline permissions'.
4. Click 'Restrict permission' to turn off access for all pipelines.
5. Click + to add each YAML pipeline that needs access to the secure file.

Policy Rule

{
  "target": "ADOProjectPipelinePermissions",
  "if": {
    "allOf": [
      {
        "resource": "ADOProjectPipelinePermissions",
        "property": "Resource.Type",
        "operator": "equals",
        "value": "securefile"
      },
      {
        "resource": "ADOProjectPipelinePermissions",
        "property": "AllPipelines.Authorized",
        "operator": "equals",
        "value": false
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
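The recommendation steps and the policy rule above both come down to one flag on the secure file's pipeline-permissions record: whether all pipelines are authorized. The Python below is an added example, not code from this page or from the policy engine that owns the rule. It evaluates that flag the way the rule's properties (Resource.Type, AllPipelines.Authorized) read it, and, when given a PAT, lists the secure files of a project that are open to every pipeline and can restrict each one to a single named pipeline, which is what 'Restrict permission' followed by '+' does in the UI. The REST paths (distributedtask/securefiles and pipelines/pipelinepermissions/securefile/{id}), the api-version, the field names in the responses and the environment variable names are assumptions about the Azure DevOps REST API, not details taken from the page; the sample records at the bottom are constructed so the check runs offline.

```python
"""Audit secure files in an Azure DevOps project for open pipeline access.

Added example; not code from the page or from the policy engine that owns
the rule. Assumes the Azure DevOps REST API shapes noted in the comments
(pipelinepermissions and securefiles, api-version 7.1-preview.1).
"""
import base64
import json
import os
import urllib.request

API_VERSION = "7.1-preview.1"  # assumption: preview version of the pipelinepermissions API


def is_open_to_all_pipelines(record: dict) -> bool:
    """True when a pipelinepermissions record is for a secure file and
    allPipelines.authorized is set, i.e. every YAML pipeline in the project
    can mount the file. This is the state the Description says must not exist."""
    resource = record.get("resource", {})
    all_pipelines = record.get("allPipelines") or {}
    return (str(resource.get("type", "")).lower() == "securefile"
            and bool(all_pipelines.get("authorized", False)))


def audit(records) -> list:
    """Ids of the secure files that are open to all pipelines."""
    return [r["resource"]["id"] for r in records if is_open_to_all_pipelines(r)]


def restrict_body(record: dict, allowed_pipeline_ids) -> dict:
    """PATCH body equivalent to 'Restrict permission' followed by adding the
    listed pipeline ids with '+': open access off, explicit grants only."""
    return {
        "resource": record["resource"],
        "allPipelines": {"authorized": False},
        "pipelines": [{"id": int(pid), "authorized": True} for pid in allowed_pipeline_ids],
    }


def _call(org: str, project: str, path: str, pat: str, method: str = "GET", body=None):
    """Minimal REST call with PAT basic auth (assumed endpoint layout)."""
    url = f"https://dev.azure.com/{org}/{project}/_apis/{path}?api-version={API_VERSION}"
    token = base64.b64encode(f":{pat}".encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_securefile_permissions(org: str, project: str, pat: str) -> list:
    """One pipelinepermissions record per secure file in the project."""
    files = _call(org, project, "distributedtask/securefiles", pat)["value"]
    return [_call(org, project, f"pipelines/pipelinepermissions/securefile/{f['id']}", pat)
            for f in files]


# Constructed sample records, shaped like pipelinepermissions responses, so the
# check can be exercised offline. Ids are made up.
SAMPLE_RECORDS = [
    {"resource": {"type": "securefile", "id": "11111111-aaaa-4bbb-8ccc-000000000001"},
     "allPipelines": {"authorized": True}, "pipelines": []},
    {"resource": {"type": "securefile", "id": "22222222-aaaa-4bbb-8ccc-000000000002"},
     "allPipelines": {"authorized": False}, "pipelines": [{"id": 42, "authorized": True}]},
    {"resource": {"type": "variablegroup", "id": "7"},
     "allPipelines": {"authorized": True}, "pipelines": []},
]

if __name__ == "__main__":
    # ADO_ORG, ADO_PROJECT, ADO_PAT are assumed variable names; without them the
    # constructed sample is audited instead of a live project.
    env = {k: os.environ.get(k) for k in ("ADO_ORG", "ADO_PROJECT", "ADO_PAT")}
    live = all(env.values())
    records = (fetch_securefile_permissions(env["ADO_ORG"], env["ADO_PROJECT"], env["ADO_PAT"])
               if live else SAMPLE_RECORDS)
    for rid in audit(records):
        print(f"NON-COMPLIANT: secure file {rid} is authorized for all pipelines")
    # Remediate only when explicitly asked, and only down to the one named pipeline.
    keep = os.environ.get("ADO_ALLOWED_PIPELINE_ID")
    if keep and live:
        for rec in records:
            if is_open_to_all_pipelines(rec):
                _call(env["ADO_ORG"], env["ADO_PROJECT"],
                      f"pipelines/pipelinepermissions/securefile/{rec['resource']['id']}",
                      env["ADO_PAT"], method="PATCH", body=restrict_body(rec, [keep]))
```

The PATCH is deliberately gated behind a separate variable so that a plain run of the script only reports. Note that restricting with an explicit pipeline list replaces the open grant rather than layering on top of it, so the first run after remediation should be a re-audit that returns no ids.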