How to secure DevOps Pipeline

Omayma Khammassi
2 min read · Jun 5, 2023


In order to deploy to Azure from an Azure DevOps pipeline, a service connection needs to be created in DevOps. This service connection grants the DevOps service the access it needs to interact with Azure.

If the service connection has been granted the “Contributor” role, it holds full privileges to execute any operation in the external service (Azure, for example), which can be misused by accident or by malicious users.
For example, anyone who can edit the existing pipeline YAML could add PowerShell code that deletes all resources in the production environment.

With this in mind, here is what can be done to secure the use of a service connection within the DevOps pipeline.

PS: these security checks are configured outside the pipeline definition; they cannot be modified or accessed directly from the pipeline itself.

1. Restrict access: limit the number of individuals or teams who can manage the service connection. Only trusted and authorized personnel should have permission to modify or use it.

2. Service connection checks

   a. Use of the service connection can be gated by Approvals defined in its settings.

   b. Restrict use of the service connection to a specific branch.
   As an additional check, Branch Control can verify whether branch protections (such as required pull requests and code reviews) are actually configured on the allowed branches.

3. Environment approvals and checks

   Besides the service connection checks, the same security configuration can be added to the environment where the pipeline will be executed.

4. Restrict the environment to a single pipeline

   Allow only the pre-approved pipeline to run within the environment; that approval is given by the trusted and authorized personnel who have permission over it.
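One practical caveat behind steps 2 to 4: environment approvals and checks only gate deployment jobs that target the environment, so a plain (non-deployment) job that references the same service connection is protected by the service connection checks alone. The lint below is an added example, not code from the original post, that walks a pipeline definition (in the dict form a YAML loader would produce) and reports every job that uses a service connection without being bound to an environment, so you can compare what the YAML actually does against the checks you configured. The sample pipeline, the connection name `sc-prod` and the environment name `production` are constructed for the example; the list of task input keys that name a service connection is an assumption and is not exhaustive.

```python
"""Lint an Azure Pipelines definition for service-connection use that bypasses environment checks."""
from typing import Any, Dict, Iterable, List, Set, Tuple

# Task input keys that name an Azure Resource Manager service connection.
# Assumption: illustrative, not exhaustive; extend it for the tasks you use.
CONNECTION_INPUT_KEYS = ("azureSubscription", "azureResourceManagerConnection", "ConnectedServiceName")

Job = Dict[str, Any]
Finding = Tuple[str, str, str]  # (stage name, job name, service connection name)

# Constructed sample: the dict form of a small pipeline. The Cleanup job is a plain
# job, so the "production" environment checks never apply to its use of sc-prod.
SAMPLE_PIPELINE: Dict[str, Any] = {
    "trigger": ["main"],
    "stages": [
        {"stage": "Build", "jobs": [{"job": "BuildApp", "steps": [{"script": "dotnet build"}]}]},
        {"stage": "Deploy", "jobs": [
            {"deployment": "DeployProd", "environment": "production",
             "strategy": {"runOnce": {"deploy": {"steps": [
                 {"task": "AzureCLI@2", "inputs": {"azureSubscription": "sc-prod",
                                                    "scriptType": "bash", "inlineScript": "az group list"}}]}}}},
            {"job": "Cleanup", "steps": [
                {"task": "AzurePowerShell@5", "inputs": {"azureSubscription": "sc-prod",
                                                          "ScriptType": "InlineScript", "Inline": "Get-AzResourceGroup"}}]},
        ]},
    ],
}


def iter_steps(job: Job) -> Iterable[Dict[str, Any]]:
    """Yield every step of a job, including the lifecycle hooks of a deployment job."""
    yield from job.get("steps") or []
    for body in (job.get("strategy") or {}).values():  # runOnce / rolling / canary
        for hook_name, hook in (body or {}).items():
            if hook_name == "on":  # on.success / on.failure
                for sub in (hook or {}).values():
                    yield from (sub or {}).get("steps") or []
            else:  # preDeploy / deploy / routeTraffic / postRouteTraffic
                yield from (hook or {}).get("steps") or []


def service_connections_in(job: Job) -> Set[str]:
    """Collect the service connections referenced by a job's task inputs."""
    found: Set[str] = set()
    for step in iter_steps(job):
        inputs = step.get("inputs") or {}
        for key in CONNECTION_INPUT_KEYS:
            if key in inputs:
                found.add(str(inputs[key]))
    return found


def iter_jobs(pipeline: Dict[str, Any]) -> Iterable[Tuple[str, Job]]:
    """Yield (stage name, job) pairs; a pipeline without stages has one implicit stage."""
    stages = pipeline.get("stages")
    if stages is None:
        stages = [{"stage": "(implicit)", "jobs": pipeline.get("jobs", [])}]
    for stage in stages:
        for job in stage.get("jobs") or []:
            yield str(stage.get("stage", "(implicit)")), job


def job_name(job: Job) -> str:
    return str(job.get("deployment") or job.get("job") or job.get("template") or "(unnamed)")


def is_environment_bound(job: Job) -> bool:
    """True only for a deployment job that targets an environment."""
    return "deployment" in job and bool(job.get("environment"))


def find_unguarded_usage(pipeline: Dict[str, Any]) -> List[Finding]:
    """Report jobs that use a service connection outside an environment-bound deployment job."""
    findings: List[Finding] = []
    for stage, job in iter_jobs(pipeline):
        if is_environment_bound(job):
            continue
        for conn in sorted(service_connections_in(job)):
            findings.append((stage, job_name(job), conn))
    return findings


def environments_used(pipeline: Dict[str, Any]) -> Set[str]:
    """Environments the pipeline deploys to; compare against the single one you pre-approved."""
    envs: Set[str] = set()
    for _, job in iter_jobs(pipeline):
        env = job.get("environment")
        if isinstance(env, dict):  # environment: { name: ..., resourceName: ... }
            env = env.get("name")
        if env:
            envs.add(str(env))
    return envs


if __name__ == "__main__":
    for stage, name, conn in find_unguarded_usage(SAMPLE_PIPELINE):
        print(f"{stage}/{name}: uses '{conn}' outside an environment-bound deployment job")
    print("environments targeted:", sorted(environments_used(SAMPLE_PIPELINE)))
```

On the sample, the lint reports `Deploy/Cleanup` and lists `production` as the only environment targeted. A job flagged this way is the case where the branch control and approvals on the service connection itself (step 2) are the only gate, so either move the work into a deployment job bound to the environment or make sure the service connection checks are as strict as the environment ones.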


Written by Omayma Khammassi

Software developer and a lifelong learner. Passionate about Dot.Net applications and the Microsoft Azure platform.
