DOS2310: Do not make the Service Connection accessible to all YAML Pipelines | Security KB - DevOps Shield - The ultimate DevSecOps platform designed to secure your DevOps.

This website stores cookies on your computer.These cookies are used to collect information about how you interact with our website and allow us to remember you. We use this information to improve and customize your browsing experience and for analytics and metrics about our visitors both on this website and other media. To find out more about the cookies we use, please review our Privacy Policy.

If you decline, your information won’t be tracked when you visit this website. A single cookie will be used in your browser to remember your preference not to be tracked.
By clicking “Accept All”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts.

AzureDevOps project high builtIn

Description

Service connections must not be granted access to all YAML pipelines. Lock down the service connection and only allow selected YAML pipelines to consume the service connection. If any other YAML pipeline refers to the service connection, an authorization request gets raised, which must be approved by a connection Administrator. Learn more: https://docs.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#pipeline-permissions https://learn.microsoft.com/en-us/azure/devops/pipelines/security/resources

Recommendation

1. Navigate to Project Settings. 
2. Open the Service connections link under Pipelines. 
3. Select a service connection. 
4. Click on the three dots button. 
5. Click Security. 
6. Under 'Pipeline permissions' section, click 'Restrict Permission' to avoid granting access to all YAML pipelines. Add the YAML pipelines that need explicit access on this service connection.

Policy Rule

{
  "target": "ADOProjectPipelinePermissions",
  "if": {
    "allOf": [
      {
        "resource": "ADOProjectPipelinePermissions",
        "property": "Resource.Type",
        "operator": "equals",
        "value": "endpoint"
      },
      {
        "resource": "ADOProjectPipelinePermissions",
        "property": "AllPipelines.Authorized",
        "operator": "equals",
        "value": false
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}

« DOS2300 DOS2320 »

Rule Details

Rule ID: DOS2310
Code: ADO_Project_PipelinePermissions_ServiceConnection_Dont_Grant_All_YAML_Pipelines_Access
Platform: AzureDevOps
Category: project
Severity: high
Type: builtIn

DOS2310

Do not make the Service Connection accessible to all YAML Pipelines

DOS2310

Description

Recommendation

Policy Rule

View evaluation logic (JSON)

Rule Details

Related Rules