Protect YAML pipelines


Hello everyone,

I am trying to find ways to protect YAML pipelines which have access to secrets from being abused.

The YAML pipeline has access to a variable group which (via a key vault) contains a secret. The secret is required for the pipeline to operate. We want the pipeline to run without manual approval because it is used in a pull request policy and runs rather frequently.

The problem is that any contributor to the repository can edit the YAML on their own branch and create a pull request. This will execute the pipeline. Since the pipeline will run no matter what, the changed pipeline might expose a secret or abuse it in some way.

Is there any way to make sure that only a select group has the ability to alter a YAML pipeline definition? Or to block any runs in which the pipeline YAML was altered? Maybe disallow pushes to the YAML path?

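The setup the post describes, rearranged so that editing the pipeline YAML on a contributor branch no longer reaches the secret, as an added example that is not part of the original post or of any reply. The repository, variable-group, secret, file and endpoint names (Platform/pipeline-templates, pr-validation.yml, app-pr-secrets, ApiToken, build.sh, run-tests.sh, reports.example.internal) are assumptions; the mechanisms it relies on are Azure Pipelines features: `extends` templates, the "Required template" check that can be placed on a Library resource such as a variable group, job-scoped variable groups, and the rule that secret variables reach a script's environment only when a step maps them with `env:`. The two files are given as two YAML documents in one block.

```yaml
# --- File 1: azure-pipelines.yml in the application repository ---
# This is the file any contributor can change on a branch. It no longer
# names the variable group. The group carries a "Required template" check
# (configured in the variable group's Approvals and checks) that points at
# repository Platform/pipeline-templates, ref refs/heads/main,
# path pr-validation.yml, so a run is authorized to read the group only
# when it extends exactly that template from that ref. A rewritten
# azure-pipelines.yml that adds its own steps or drops the extends fails
# resource authorization instead of running with the secret.
# The pull-request trigger comes from the Build Validation branch policy
# in Azure Repos, not from this file.
resources:
  repositories:
    - repository: templates
      type: git
      name: Platform/pipeline-templates   # assumed; write access limited to the pipeline owners
      ref: refs/heads/main                # protected branch; the check pins this ref

trigger: none   # PR builds are started by the branch policy

extends:
  template: pr-validation.yml@templates
  parameters:
    runTests: true   # typed scalar parameters only; no stepList/jobList a PR could fill with steps

---
# --- File 2: pr-validation.yml in Platform/pipeline-templates ---
# Only this file names the variable group, and only the Publish job can see
# it. Contributor-controlled code (build.sh and the tests from the PR branch)
# runs in the Build job, which has no access to the group at all.
parameters:
  - name: runTests
    type: boolean
    default: true

jobs:
  # Untrusted job: runs the PR's code, produces an artifact, holds no secret.
  - job: Build
    pool:
      vmImage: ubuntu-latest
    steps:
      - checkout: self
      - script: ./build.sh          # assumed script in the application repo
        displayName: Build (no secret available)
      - ${{ if eq(parameters.runTests, true) }}:
        - script: ./run-tests.sh    # assumed script in the application repo
          displayName: Test (no secret available)
      - publish: $(Build.ArtifactStagingDirectory)
        artifact: report

  # Trusted job: fresh agent, no checkout of PR code, the only job that links
  # the variable group. Its one script is owned by this template, and the
  # secret is mapped into the environment of that step only.
  - job: Publish
    dependsOn: Build
    pool:
      vmImage: ubuntu-latest
    variables:
      - group: app-pr-secrets       # assumed name; linked to Key Vault, contains ApiToken
    steps:
      - checkout: none
      - download: current
        artifact: report
      - script: |
          curl --fail --silent --show-error \
            -H "Authorization: Bearer ${API_TOKEN}" \
            -F "report=@${PIPELINE_WORKSPACE}/report/report.json" \
            https://reports.example.internal/api/upload   # assumed endpoint
        displayName: Publish report (only step with the secret)
        env:
          API_TOKEN: $(ApiToken)    # explicit mapping; secret variables are not exported otherwise
```

Two design points in the template matter as much as the check itself. The secret-bearing work sits in a separate job rather than a later step of the same job, because a contributor's build.sh running earlier in the same job shares the agent and can influence later steps (for example by prepending to PATH or setting variables through `##vso[...]` logging commands), whereas a new job starts on a fresh hosted agent with only the downloaded artifact. And the template exposes only typed scalar parameters and never interpolates a parameter into a `script:` body; a `stepList` or `jobList` parameter, or a string spliced into a shell command, would hand the extending pipeline a way to run its own code inside the trusted job and reopen the hole the check closed.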