4

Currently storing our pipeline YAML files in our git repo in Azure Devops - trying to find a way to restrict certain users from editing/accessing the YAML file, or even possibly a folder that contains the YAML file.

We want to implement additional security to prevent our developers from modifying our YAML files to potentially exploit sensitive information or make changes that we don't approve (we have a PR policy in place, but would like additional security measures).

Ideally - we could set up a group in Azure, add members, and only those members would be able to modify files inside a specific repo folder that contains our YAML file - not sure if this is possible.

99823
  • 2,407
  • 7
  • 38
  • 60
  • Does my suggestion help? It could prevent the target file or folders from being edited by specific members. – Yang Shen - MSFT Mar 05 '20 at 06:10
  • The accepted answer is misleading and dangerous. The original question is very valid and AFAIK Devops does not provide any solution for the problem. Picture this - a malicious user has the right to queue a pipeline (no need for edit rights), and the malicious user has the right to push new branches. Malicious user rewrites the pipeline's YAML to extract secrets *in their own private branch*, queue the pipeline *on their own private branch*, and done, all secrets extracted. No PRs were required, and as such, the PR policies were of no help. The missing feature is a PUSH filter. – fbrosseau Apr 13 '21 at 23:00

2 Answers

5

You can create a repo policy that prevents pushes to the YAML folder/files.

Go to Project settings => Repos => Repositories => Policies:

[screenshot: Repositories => Policies page]

And give Bypass policies permissions to a specific group that will have permission to edit the YAML:

[screenshot: Bypass policies permission set for a group]

Shayki Abramczyk
  • 36,824
  • 16
  • 89
  • 114
  • this is super close to what we need - however it seems to only block push when a yml file is created - which is good; however, we also need to block when a yml is edited and someone attempts to push it - know what I mean? – 99823 Mar 04 '20 at 22:19
  • @99823 I didn't know it works only for creations, maybe it's a bug, try to specify the yaml file name and check. – Shayki Abramczyk Mar 05 '20 at 09:54
  • [1] @shyki we are starting to believe that's expected behavior due to the description in the screenshot above "block pushes from introducing file paths that" - I think the keyword being "introducing" as opposed to just updating or whatever - know what I mean? – 99823 Mar 05 '20 at 21:23
  • @99823 Have you ever found a solution? – roli09 Apr 06 '21 at 21:43
4

As far as I know, there's no existing security setting that prevents specific members from modifying specific files or folders.

However, you can lock the master branch and then set branch policies for specific files like yml files or specific folders.

Please check this thread, "Can we lock a file in Azure DevOps?", and follow the steps.

The main point is to set "For pull requests affecting these folders" value in "Automatically include reviewers" in "Branch policies".

[screenshot: Branch policies, "Automatically include reviewers"] [screenshot: "For pull requests affecting these folders" path filter]

In this case, all changes to the master branch will need a pull request, and changes to the yml files will need reviewers to approve them.

Yang Shen - MSFT
  • 1,136
  • 1
  • 7
  • 9
  • [4] The accepted answer is misleading and dangerous. The original question is very valid and AFAIK Devops does not provide any solution for the problem. Picture this - a malicious user has the right to queue a pipeline (no need for edit rights), and the malicious user has the right to push new branches. Malicious user rewrites the pipeline's YAML to extract secrets in their own private branch, queue the pipeline on their own private branch, and done, all secrets extracted. No PRs were required, and as such, the PR policies were of no help. The missing feature is a PUSH filter. – fbrosseau Apr 13 '21 at 23:01