Discuss security implications of developer-defined PaC pipelines

It tests whether you can give developers autonomy over pipeline YAML without letting pipelines become secret-exfiltration or lateral-movement channels, balancing CI/CD flexibility with defense-in-depth. A strong answer covers four defensive layers: project-scoped build identities (limit the job authorization scope to the current project rather than the whole collection); branch policies with required reviewers on the pipeline YAML, so a change to the build definition gets the same review as application code; least-privilege service connections scoped to specific resource groups and authorized per pipeline rather than for all pipelines, with approval gates on production environments; and sandboxed builds of pull requests from forks on Microsoft-hosted agents with secrets and service connections withheld from fork builds. Red flag: proposing a single shared service connection across all teams, handing out unrestricted pipeline administrator rights, or disabling fork protections to reduce friction.
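As an added example (not part of the original bite or Microsoft's documentation), the audit below turns the red flags into checks over the JSON that the Azure DevOps REST API returns for service connections (`serviceendpoint/endpoints`) and their pipeline permissions (`pipelinepermissions/endpoint/{id}`). Field names follow that API as I understand it, the resource-group scope path under `authorization.parameters.scope` is an assumption, and the two sample connections are constructed for the example rather than captured from a real organization.

```python
"""Audit Azure DevOps service connections for the anti-patterns above.

Flags a connection that is shared across projects, authorized for all
pipelines, scoped to a whole subscription instead of a resource group,
or backed by a long-lived service principal secret. Run stand-alone; the
sample data is constructed and the REST field names are an assumption.
"""
from typing import Dict, List

# Constructed sample: what `serviceendpoint/endpoints` might return.
ENDPOINTS = [
    {
        "id": "aaaa-1",
        "name": "shared-sub-contributor",
        "type": "azurerm",
        "authorization": {
            "scheme": "ServicePrincipal",
            "parameters": {"scope": "/subscriptions/0000-sub"},
        },
        # Referenced by two projects: the "one shared connection" anti-pattern.
        "serviceEndpointProjectReferences": [
            {"projectReference": {"name": "Payments"}},
            {"projectReference": {"name": "Marketing"}},
        ],
    },
    {
        "id": "bbbb-2",
        "name": "payments-rg-deploy",
        "type": "azurerm",
        "authorization": {
            "scheme": "WorkloadIdentityFederation",
            "parameters": {"scope": "/subscriptions/0000-sub/resourcegroups/payments-prod"},
        },
        "serviceEndpointProjectReferences": [{"projectReference": {"name": "Payments"}}],
    },
]

# Constructed sample: `pipelinepermissions/endpoint/{id}` keyed by connection id.
PIPELINE_PERMISSIONS = {
    "aaaa-1": {"allPipelines": {"authorized": True}, "pipelines": []},
    "bbbb-2": {"allPipelines": {"authorized": False},
               "pipelines": [{"id": 42, "authorized": True}]},
}


def audit_endpoint(ep: dict, perms: dict) -> List[str]:
    """Return the findings for one service connection (empty list means clean)."""
    findings: List[str] = []

    # Layer 1/3: a connection visible to several projects is a shared identity.
    projects = {r["projectReference"]["name"]
                for r in ep.get("serviceEndpointProjectReferences", [])}
    if len(projects) > 1:
        findings.append(f"shared across {len(projects)} projects: {sorted(projects)}")

    # Any pipeline in the project can use it without a per-pipeline approval.
    if perms.get("allPipelines", {}).get("authorized"):
        findings.append("authorized for all pipelines (no per-pipeline approval)")

    if ep.get("type", "").lower() == "azurerm":
        auth = ep.get("authorization", {})
        # Assumed field: resource-group scope appears as /subscriptions/<id>/resourcegroups/<rg>.
        scope = auth.get("parameters", {}).get("scope", "").lower()
        if "/resourcegroups/" not in scope:
            findings.append("ARM scope is subscription-wide, not a resource group")
        if auth.get("scheme") == "ServicePrincipal":
            findings.append("uses a long-lived client secret; prefer workload identity federation")
    return findings


def audit(endpoints: List[dict], permissions: Dict[str, dict]) -> Dict[str, List[str]]:
    """Map each connection name to its findings."""
    return {ep["name"]: audit_endpoint(ep, permissions.get(ep["id"], {}))
            for ep in endpoints}


if __name__ == "__main__":
    for name, findings in audit(ENDPOINTS, PIPELINE_PERMISSIONS).items():
        status = "OK" if not findings else "REVIEW"
        print(f"{status:6} {name}")
        for f in findings:
            print(f"       - {f}")
```

In a real run you would replace the two constants with the API responses (for example via `az rest`), then gate the pipeline definition or the connection creation on an empty findings list; the branch-policy and fork-build settings in the answer are project settings rather than connection fields, so they are checked separately.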
Read the original → learn.microsoft.com
- #ci/cd
- #security
- #devops
- #pipeline-as-code
- #azure-pipelines