How to secure DevOps Pipeline
In order to deploy in Azure by using the Devops Pipeline , service connection need to be created in Devops. This service connection grants access to the DevOps service, enabling it to interact with Azure.
In case the service connection has been granted the “contributor” access permission, it possesses full privileges to execute any job in the external services (Azure…)which can be be misused by accident or by malicious users.
For example, anyone could easily access the existing pipeline YAML script and add PowerShell code to delete all resources in the production environment.
In this perspective , here is what can be done to secure the use of service connection within the devops pipeline.
PS: these security checks cannot be modified or accessed directly from the pipeline.
- Restrict access: Limit the number of individuals or teams who can manage the service connection. Only trusted and authorized personnel should have permission to modify or utilize it.
- Service Connection Checks
a- The use of the service connection can be approved by Approvals defined in the setting
b-Ensure the use of service connection within a specific Branch.
As an additional check, Branch Control can verify if Branch Protections (like required Pull Requests and Code Reviews) are actually configured on the allowed branches.
3. Environment approvals and checks
Besides to the service connection checks we can add the same security configuration in the environment where the pipeline will be executed.
4. Block pipeline to single environment
Enable only the preapproved pipeline to run within the environment which can be approved by the trusted and authorized personnel that should have permission.
