Plan how to secure your YAML pipelines
Azure DevOps Services | Azure DevOps Server 2022 | Azure DevOps Server 2020
We recommend that you use an incremental approach to secure your pipelines. Ideally, you would implement all of the guidance that we offer. But don't be daunted by the number of recommendations. And don't hold off making some improvements just because you can't make all the changes right now.
Security recommendations depend on each other
Security recommendations have complex interdependencies. Your security posture depends heavily on which recommendations you choose to implement. The recommendations that you choose, in turn, depend on the concerns of your DevOps and security teams. They also depend on the policies and practices of your organization.
You might choose to tighten security in one critical area and accept less security but more convenience in another area.
For example, if you use extends templates to require all builds to run in containers, then you might not need a separate agent pool for each project.
Begin with a nearly empty template
A good place to start is by enforcing extension from a nearly empty template. This way, as you start to apply security practices, you have a centralized place that already catches every pipeline.
For more information, see Templates.
Disable creation of classic pipelines
Note
This feature is available starting in Azure DevOps Server 2022.1.
If you develop only YAML pipelines, disable creation of classic build and release pipelines. Doing so prevents a security concern that stems from YAML and classic pipelines sharing the same resources, for example the same service connections.
You can disable the creation of classic build pipelines and classic release pipelines independently. When you disable both, no classic build pipeline, classic release pipeline, task groups, and deployment groups can be created using either the user interface or the REST API.
You can disable creation of classic pipelines by turning on two toggles at either organization level or project level. To turn them on, navigate to your Organization / Project settings, then under the Pipelines section choose Settings. In the General section, toggle on Disable creation of classic build pipelines and Disable creation of classic release pipelines.
When you turn them on at organization level, it is on for all projects in that organization. If you leave them off, you can choose for which projects you wish to turn them on.
To improve the security of newly created organizations, starting with Sprint 226, by default we will disable creating classic build and release pipelines for new organizations.
Next steps
After you plan your security approach, consider how your repositories provide protection.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for