cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Protect YAML pipelines

twics
Copper Contributor

‎Feb 14 2022 02:34 AM - last edited on ‎Mar 05 2024 01:30 PM by

‎Feb 14 2022 02:34 AM - last edited on ‎Mar 05 2024 01:30 PM by

Protect YAML pipelines

Hello everyone,

 

I am trying to find ways to protect YAML pipelines which have access to secrets from being abused.

 

The YAML pipeline has access to a variable group which (via a key vault) contains a secret. The secret is required for the pipeline to operate. We want the pipeline to run without manual approval because it is used in a pull request policy and runs rather frequently.

 

The problem is that any contributor to the repository can edit the YAML on their own branch and create a pull request. This will execute the pipeline. Since the pipeline will run no matter what, the changed pipeline might expose a secret or abuse it in some way.

 

Is there any way to make sure that only a select group has the ability to alter a YAML pipeline definition? Or to block any runs in which the pipeline YAML was altered? Maybe disallow pushes to the YAML path?

Labels:
715 Views
0 Likes
0 Replies
Reply
0 Replies