For example, the following situation exists:
- A git repository exists on Azure DevOps Repos.
- The repository makes use of yaml pipelines (azure-pipelines.yml).
- The repository has branch policies to ensure that changes go through pull requests.
- The build pipeline has authorization to resources (Azure, Private Build Agent, etc.)
The benefit of having yaml pipelines is that changes to the pipeline can coincide with changes to the code base as part of the same pull request, and you can even have branch policies so that if the azure-pipelines.yml file is modified, it requires the administrators to approve.
However, what I see as problematic (as an attack vector) is that someone could modify the yaml file and have that pipeline run via a pull request. One example is that the pipeline could run a malicious script on the build agent, and then the user could proceed to abandon the pull request and delete their branch, hiding their tracks… eventually the build history will get deleted as well. One example of something that might be malicious is to have the script run which watches the build agent and modifies source code files prior to compilation so that code which is deployed is now infected, giving back door access to even more resources. The possibilities are endless.
Are there others out there who have identified tools or techniques to prevent such an attack? Any recommendations on how to approach this aside from abandoning yaml based build pipelines?