Secure access to repos from pipelines. Limit job authorization scope to current project for your pipeline. You can set the job authorization scope to be collection or project. Important: If the scope is not restricted at either the organization level or project level, then every job in your YAML pipeline gets a collection scoped job access token. In other words, your pipeline has access to any repository in any project of your organization. If an adversary is able to gain access to a single pipeline in a single project, they will be able to gain access to any repository in your organization. This is why, it is recommended that you restrict the scope at the highest level (organization settings) in order to contain the attack to a single project. Learn more: https://learn.microsoft.com/en-us/azure/devops/pipelines/process/access-tokens#job-authorization-scope https://learn.microsoft.com/en-us/azure/devops/pipelines/security/secure-access-to-repos
1. Navigate to Project Settings. 2. Open the Settings link under Pipelines. 3. Turn 'On' the setting 'Limit job authorization scope to current project for non-release pipelines'.
{
"target": "ADOProjectPipeline",
"if": {
"allOf": [
{
"resource": "ADOProjectPipeline",
"property": "BuildDefinition.JobAuthorizationScope",
"operator": "equals",
"value": "project"
}
]
},
"then": {
"effect": "Audit"
}
}Copyright © DevOps Shield. All Rights Reserved. Privacy Policy | Cookie Policy | Terms and Conditions