Azure DevOps Services | Azure DevOps Server 2022 | Azure DevOps Server 2020
This article describes security features that help safeguard protected resources in Azure Pipelines. Pipelines might need to access open or protected resources during runs.
Artifacts, pipelines, test plans, and work items are open resources. Pipelines can freely access these resources, and you can fully automate workflows by subscribing to resource trigger events. For more information about protecting open resources, see Protect projects.
Protected resources such as repositories and environments need more access restrictions. To help keep protected resources safe, you can require permissions, checks, and approvals for pipelines to access protected resources.
This article is part of a series that helps you implement security measures for Azure Pipelines. For more information, see Secure Azure Pipelines.
Prerequisites
| Category | Requirements |
|---|---|
| Azure DevOps | - Implement recommendations in Make your Azure DevOps secure and Secure Azure Pipelines.<br>- Basic knowledge of YAML and Azure Pipelines. For more information, see Create your first pipeline. |
| Permissions | - To modify pipelines permissions: Member of the Project Administrators group.<br>- To modify organization permissions: Member of the Project Collection Administrators group. |
Protected resources
Azure Pipelines protected resources include the following items:
- Repositories
- Environments
- Service connections
- Agent pools
- Secure files
- Secret variables in variable groups
You can set permissions so that only specific users and pipelines in a project can access protected resources. You can also define checks and approvals that must succeed before a pipeline stage that uses the resource can start. For example, you can require manual approval before a pipeline stage can use an environment. Failed checks can suspend or fail the pipeline run.
Repository resources
Adding a repository to a pipeline requires authorization from a user with Contribute access to the repository. You can also protect repository resources by limiting the scope of the Azure Pipelines access token to only repositories explicitly listed in the pipeline's resources section. For more information, see Securely access repositories from pipelines and Protect a repository resource.
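The following pipeline YAML is an added example, not from the original article, showing how the two kinds of protected resource covered here appear in a pipeline definition: the second repository is declared explicitly under resources so the job access token can be limited to the listed repositories, and deployment runs through a deployment job bound to an environment so that the approvals and checks configured on that environment gate the stage. The project name Contoso, the repository name pipeline-templates, and the environment name production are placeholders.

```yaml
# Added example (not from the article). Project, repository and environment
# names are placeholders.
trigger:
  branches:
    include:
      - main

resources:
  repositories:
    # Every repository the pipeline checks out (other than 'self') is listed
    # here explicitly. Using this resource requires authorization by a user
    # with Contribute access to the repository, and when job authorization
    # scope is limited to referenced repositories, the job access token is
    # valid only for 'self' and the repositories declared in this section.
    - repository: templates
      type: git
      name: Contoso/pipeline-templates   # placeholder project/repository
      ref: refs/heads/main

pool:
  vmImage: ubuntu-latest

stages:
  - stage: Build
    jobs:
      - job: Build
        steps:
          - checkout: self
          - checkout: templates
          - script: echo "building with shared templates"

  - stage: Deploy
    dependsOn: Build
    jobs:
      # A deployment job targets a protected environment resource. Approvals,
      # branch control and business hours checks are configured on the
      # environment itself, not in YAML, and must pass before this stage can
      # start; a failed check suspends or fails the run.
      - deployment: DeployWeb
        environment: production   # placeholder environment name
        strategy:
          runOnce:
            deploy:
              steps:
                - script: echo "deploying to production"
```

A pipeline that checks out a repository not declared in resources fails at checkout once the job authorization scope is limited to referenced repositories, which is the intended effect of that setting.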
Permissions
You can set user permissions and pipeline permissions for protected resources.
Grant User permissions only to users who require them. Members of the User role for a resource can manage approvals and checks.
Pipeline permissions guard against copying protected resources to other pipelines. To manage pipeline permissions, explicitly grant access only to specific pipelines you trust.
You must have the Project Administrator role to enable access to a protected resource across all pipelines in a project. For better security, don't enable Open access, which allows all pipelines in the project to use the resource. For more information, see Add an admin role to a protected resource.
Checks
To more completely secure protected resources in pipelines, add checks that must be satisfied before pipelines can consume protected resources. You can require specific approvals or other criteria. For more information, see Define approvals and checks.
Approvals
You can block pipeline requests for protected resources pending manual approval by specified users or groups. This check provides an extra layer of security by allowing review of the code before a pipeline run can proceed.
Branch control
Branch control ensures that only authorized branches can access protected resources. A protected branch check for a resource prevents pipelines from automatically running on unauthorized branches. By using branch control, you can extend your branch-specific manual code review requirements.
Business hours
Use this check to ensure that a pipeline deployment starts within a specified day and time window.
View all checks
Select View all checks to see and apply other checks such as required templates.