I am using VSTS and a private build agent and I want to make sure that I am not opening my organization to attack. The build and deployment pipelines allow PowerShell scripts to execute on premises. To protect against hackers I have done the following:

  • Limited the access of the service account that runs the VSTS Build agent
  • Limited who can invoke a Build or deployment
  • Avoided executing scripts as part of the build that are in git

We have linked our internal Active Directory to VSTS, which means we have single sign-on from within our organization.

My question is what else can I do to secure my build and release pipelines? Are there tools or scripts that can be used to monitor the build scripts and their use?

1 Answer

You can set permissions in two aspects to make your build/release and the private agent secure:

  1. Set permissions for build/release definitions

    Click button for build/release definitions -> Security -> set detailed permissions for groups or users -> Save changes.

  2. Set permissions for agent

    You can also set different roles for groups and users for Agent queues and Agent pools.

For more details, you can refer to the document Set build and release permissions.