Securing Azure Pipelines

Azure DevOps Services | Azure DevOps Server 2022 | Azure DevOps Server 2020

Azure Pipelines presents distinct security challenges. While pipelines allow you to execute scripts or deploy code to production environments, it’s crucial to prevent them from becoming conduits for malicious code. Balancing security with the flexibility and power needed by development teams is essential.

Note

Azure Pipelines is part of a suite of Azure DevOps Services, all built on a secure infrastructure within Azure. To gain a comprehensive understanding of security concepts across all Azure DevOps Services, we recommend viewing the following resources:

• Azure DevOps Data Protection Overview
• Azure DevOps Security and Identity

Traditionally, organizations enforce security through strict lock-downs. Code, pipelines, and production environments face severe access restrictions. While this approach works well in small organizations with limited users and projects, larger organizations face a different reality. With numerous contributors having access to code, the principle of 'assume breach' becomes crucial. It involves operating as if an adversary possesses contributor access to repositories, necessitating heightened vigilance.

To achieve security goals, consider the following points:

• Prevent malicious code execution:

  • Ensure that your pipelines are configured to prevent unauthorized execution of malicious code, which includes the following tasks:
    • Restrict access to sensitive secrets and credentials.
    • Validate input parameters and arguments to prevent unintended behavior.
    • Review and audit pipeline scripts for potential security risks regularly.
    • Implement security practices such as:
      • Use parameterized queries in scripts to prevent SQL injection.
      • Escape special characters in arguments to avoid shell command injection.
      • Limit permissions for pipeline service connections.
  • Consider using YAML pipelines, which provide fine-grained control over execution and are less prone to security risks.

• Mitigate lateral exposure:

  • Isolate pipelines to prevent lateral movement within your organization’s projects and repositories.
  • Limit access to only the necessary repositories and resources for each pipeline.
  • Monitor pipeline activity and set up alerts for suspicious behavior.
  • Review and update permissions to minimize exposure regularly.

• Use YAML Pipelines:

  • YAML pipelines offer the following advantages in terms of security:
    • Explicitly define pipeline steps and dependencies.
    • Version control for pipeline definitions.
    • Clear visibility into pipeline configuration.
    • Reduced risk of accidental misconfigurations.
    • Code review and pull requests:
      • Treat YAML pipelines like any other code.
      • Enforce pull requests for merging changes to prevent malicious steps.
      • Use branch policies to set up this review process.
    • Resource access management:
      • Resource owners control whether a YAML pipeline can access specific resources.
      • This security feature prevents attacks like stealing another repository.
      • Approvals and checks provide access control for each pipeline run.
    • Runtime parameters:
      • Runtime parameters help avoid security issues related to variables, such as Argument Injection.
  • Consider migrating existing pipelines to YAML format for improved security and maintainability.

Security is an ongoing process, and regular assessments and updates are essential. YAML pipelines offer the best security for your Azure Pipelines.

The following articles outline recommendations to help you develop a secure YAML-based pipeline:

• Azure DevOps security constructs
• Incremental approach to improving security
• Pipeline resources
• Secrets
• Secure access to repositories
• Security through templates
• Variables and parameters
• Other security considerations
  • Project structure
  • Repository protection
  • Shared infrastructure