Secure Azure DevOps Pipelines

Essential security practices for your CI/CD workflows.

Authentication & Authorization

Controlling who can access and modify your pipelines is paramount.

Service Connections Security

  • Use managed identities whenever possible.
  • Limit the permissions granted to service connections.
  • Regularly review and rotate credentials for service connections.
  • Avoid storing secrets directly in pipeline definitions.

Role-Based Access Control (RBAC)

  • Implement the principle of least privilege.
  • Assign roles based on user responsibilities.
  • Use Azure AD groups for efficient management.

Secrets Management

Protect sensitive information like API keys, passwords, and certificates.

Azure Key Vault Integration

  • Store all secrets in Azure Key Vault.
  • Grant your Azure DevOps pipelines read access to Key Vault secrets.
  • Use the Azure Key Vault task in your pipelines.

Example of fetching a secret:

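# AzureKeyVault@1 maps each fetched secret to a secret pipeline variable
# named after the secret, here $(MyApiSecret).
- task: AzureKeyVault@1
  displayName: 'Unlock Key Vault Secrets'
  inputs:
    azureSubscription: 'YourAzureServiceConnection'
    KeyVaultName: 'YourKeyVaultName'
    SecretsFilter: 'MyApiSecret'

# Secret variables are not exported to scripts automatically: map the secret
# into the step's environment instead of printing it or expanding it inline.
- script: echo "API secret is available to this step as MY_API_SECRET"
  displayName: 'Use the Secret'
  env:
    MY_API_SECRET: $(MyApiSecret)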

Pipeline Code Security

Ensuring the integrity and security of your pipeline definitions.

Branch Policies

  • Require pull requests for changes to pipeline definition files (YAML).
  • Enforce code reviews before merging.
  • Use branch protection rules to prevent unauthorized commits.

Secure Pipeline YAML

  • Validate pipeline YAML for common security pitfalls.
  • Scan pipeline code for hardcoded secrets.
  • Use template validation to enforce standards.
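
One way to automate the first two checks in this list, as an added example rather than an Azure DevOps feature or code from the original page: a small line-based linter that flags literal values under credential-looking keys and Key Vault secrets expanded with $(...) directly inside an inline script. The key-name heuristic, the rule names and the sample pipeline are assumptions made for the illustration.

```python
import re

# Heuristic key names (an assumption of this example, not an Azure DevOps rule).
SENSITIVE_KEY = re.compile(
    r"^\s*-?\s*([\w.-]*(?:password|passwd|secret|token|apikey|api_key)[\w.-]*)\s*:\s*(.+)$",
    re.I)
# Values that reference a variable or expression: $(var), ${{ expr }}, $[ expr ]
REFERENCE = re.compile(r"^['\"]?\s*(?:\$\(|\$\{\{|\$\[)")
SECRETS_FILTER = re.compile(r"^\s*SecretsFilter\s*:\s*['\"]?([^'\"#]+)", re.I)
INLINE_SCRIPT = re.compile(r"^\s*-?\s*(?:script|bash|pwsh|powershell)\s*:\s*(.*)$")

def lint_pipeline(yaml_text):
    """Return (line_number, rule, name) findings. Single-line values only."""
    lines = yaml_text.splitlines()
    # Pass 1: names the Key Vault task will expose as secret variables.
    vault_secrets = set()
    for line in lines:
        m = SECRETS_FILTER.match(line)
        if m:
            names = (n.strip() for n in m.group(1).split(","))
            vault_secrets.update(n for n in names if n and n != "*")
    findings = []
    for number, line in enumerate(lines, 1):
        if SECRETS_FILTER.match(line):
            continue  # the filter lists secret names, not values
        m = SENSITIVE_KEY.match(line)
        if m and not REFERENCE.match(m.group(2)):
            findings.append((number, "hardcoded-secret", m.group(1)))
        s = INLINE_SCRIPT.match(line)
        if s:  # macro values are pasted into the script text before it runs
            for name in sorted(vault_secrets):
                if f"$({name})" in s.group(1):
                    findings.append((number, "secret-in-inline-script", name))
    return findings

# Constructed sample pipeline; the password and deploy.sh are made up.
SAMPLE = """\
variables:
  dbPassword: 'P@ssw0rd-constructed'
steps:
- task: AzureKeyVault@1
  inputs:
    KeyVaultName: 'YourKeyVaultName'
    SecretsFilter: 'MyApiSecret'
- script: echo "API Secret is: $(MyApiSecret)"
- script: ./deploy.sh
  env:
    MY_API_SECRET: $(MyApiSecret)
"""
```

Calling lint_pipeline(SAMPLE) reports the literal password and the inline echo, and passes the step that maps the secret through env. Multi-line script blocks and name/value variable lists are outside what this check covers.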

Agent Security

Securing the environments where your builds and deployments run.

Self-Hosted Agents

  • Ensure agents run with the least privilege necessary.
  • Keep the agent operating system and software up to date.
  • Isolate agents in secure network segments.
  • Use containerized agents for better isolation.

Microsoft-Hosted Agents

  • Understand the security boundaries of Microsoft-hosted agents.
  • Avoid sensitive operations directly on Microsoft-hosted agents.
  • Use secure artifact storage and retrieval.

Artifact Security

Protecting the outputs of your builds and the inputs to your deployments.

Secure Artifact Feeds

  • Use private artifact feeds (e.g., Azure Artifacts).
  • Configure permissions on your feeds to control access.
  • Scan artifacts for vulnerabilities.

Verifiable Builds

  • Sign your build artifacts to ensure integrity.
  • Integrate with security scanning tools for dependencies and code.
  • Publish build provenance information.

Network Security

Controlling network access for your pipelines and agents.

Firewall Rules

  • Restrict outbound connections from agents to only necessary endpoints.
  • Configure inbound rules for any required agent communication.

Private Endpoints

  • Use private endpoints for services like Azure Repos, Azure Artifacts, and Azure Key Vault.
  • This ensures traffic stays within your virtual network.

Embrace a defense-in-depth strategy for comprehensive pipeline security.
