Our development team uses GitHub for source control. We started using Azure DevOps for Pipelines. We are not using Azure DevOps Repos at the moment.

We currently create one DevOps project per GitHub repository.

When I build a new pipeline I need to create a new service connection for GitHub. I have an option to Authorize using OAuth or Authorize with GitHub personal access token.

With both of these options the new service connection will be using my account permissions. My GitHub account contains my own private repositories as well as private repositories of the associated organizations. Thus any member of the DevOps project can now see a list of all repositories of my GitHub account through an authorized GitHub service connection.

This setup does not look secure to me and I would like to get help in making GitHub Service Connections more secure.

Thank you

Use a service account - the other problem with your current setup is that all of the pipelines break if you leave the company and your GitHub account no longer has access. - jonrsharpe
The best is to create a new github account use only for automation or other use case when you need to connect github with other services. You will need to pay a seat for it, but it will be an account not related to an employee and will not be used for other thing than that. - jmaitrehenry
Thank you @jonrsharpe and @jmaitrehenry! Is service account the same type as a regular user account? - Alex S
I don't think GitHub natively supports service accounts, I just created a normal account for e.g. github.com/postfactobot - jonrsharpe
@AlexS I haven't received your latest information; is the workaround helpful for you? Or if you have any concern, feel free to share it here. - Hugh Lin

1 Answer

Thus any member of the DevOps project can now see a list of all repositories of my GitHub account through an authorized GitHub service connection.

You can manage the security for a connection by setting User permissions.

To manage security for a service connection, open the service connection and go to more options at top-right corner and choose Security.

Then you can control who can create, view, use and manage the service connection with user permissions. There are four roles, i.e. Creator, Reader, User and Administrator, to manage each of these actions. In the service connections tab, you can set the hub-level permissions, which are inherited, and you can override the roles for each individual service connection.

For details, please refer to this official document.