AzureDevOps project high builtIn

Description

You should not share a service connection across multiple projects. Limit the access to the service connection to your current project to avoid unwanted data access from another project.

Learn more:
https://learn.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints#project-permissions---cross-project-sharing-of-service-connections
https://learn.microsoft.com/en-us/azure/devops/pipelines/security/resources

Recommendation

1. Navigate to Project Settings. 
2. Open the Service connections link under Pipelines. 
3. Select a service connection. 
4. Click on the three dots button. 
5. Click Security. 
6. Under the 'Project permissions' section, make sure 'Only current project' has access, and remove any other projects that no longer require access to the service connection.

Policy Rule

{
  "target": "ADOProjectServiceEndpoint",
  "if": {
    "allOf": [
      {
        "resource": "ADOProjectServiceEndpoint",
        "property": "ServiceEndpointProjectReferences.Count",
        "operator": "equals",
        "value": 1
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
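
Added example (not part of the original policy page and not the policy engine's own code): a small offline audit that applies the rule's condition, a project reference count equal to 1, to a service connection listing and reports which projects to remove. The sample data is constructed, and its field names (`value`, `serviceEndpointProjectReferences`, `projectReference.name`) assume the shape of the Azure DevOps Service Endpoints REST API list response; the project and connection names are hypothetical.

```python
import json

# Condition copied from the policy rule on this page.
RULE_CONDITION = {
    "property": "ServiceEndpointProjectReferences.Count",
    "operator": "equals",
    "value": 1,
}

# Constructed sample (assumed REST API shape; all names are hypothetical).
SAMPLE_RESPONSE = json.loads("""
{"value": [
  {"name": "prod-azure-rm", "serviceEndpointProjectReferences": [
     {"projectReference": {"name": "Payments"}},
     {"projectReference": {"name": "Sandbox"}}]},
  {"name": "docker-registry", "serviceEndpointProjectReferences": [
     {"projectReference": {"name": "Payments"}}]},
  {"name": "orphaned", "serviceEndpointProjectReferences": []}
]}
""")


def project_names(endpoint):
    """Return the names of every project the connection is shared with."""
    refs = endpoint.get("serviceEndpointProjectReferences") or []
    return [r.get("projectReference", {}).get("name", "<unknown>") for r in refs]


def audit(response, current_project):
    """List connections whose project reference count differs from the rule value."""
    findings = []
    for endpoint in response.get("value", []):
        names = project_names(endpoint)
        if len(names) == RULE_CONDITION["value"]:
            continue  # exactly one project reference: matches the rule
        findings.append({
            "connection": endpoint.get("name"),
            "count": len(names),
            # Projects other than the current one are candidates for removal.
            "remove": sorted(n for n in names if n != current_project),
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE, "Payments"):
        print(finding)
```

Each entry in a finding's `remove` list corresponds to a project to remove under 'Project permissions' in step 6 of the recommendation.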