
Commit 308e47a

committed
feat: Improve agent pool accessibility checks with detailed explanations
1 parent ed9b84d commit 308e47a

1 file changed

Lines changed: 12 additions & 3 deletions


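--- a/invoke-adoqr.ps1
+++ b/invoke-adoqr.ps1
@@ -3894,10 +3894,19 @@ function Test-AgentPools {
 $results.Add((New-ControlResult -Id "AP-04" -Status "PASS" -Severity "High" -Control "Auto-Provisioning Disabled" -Finding "$prefix — Auto-provision is disabled."))
 }
 
-# AP-05: Accessible to all pipelines
+# AP-05: Accessible to all pipelines.
+# Same reasoning as AP-04: Microsoft-hosted pools (Azure Pipelines,
+# Hosted Ubuntu/macOS/Windows, etc.) default to "open to all
+# pipelines" by design. The agents are isolated, ephemeral, and
+# Microsoft-managed, so broad pipeline access does not expose
+# customer infrastructure. The AzSK/SDL control targets self-hosted
+# pools where unauthorized pipelines could reach internal networks
+# or persisted credentials on the agent.
 $pipePerms = Invoke-AdoApi -Uri "$OrgUrl/$ProjectName/_apis/pipelines/pipelinePermissions/queue/${queueId}?api-version=7.1-preview.1" -Header $Header
-if ($pipePerms -and ($pipePerms.PSObject.Properties['allPipelines']) -and $pipePerms.allPipelines.authorized -eq $true) {
-$results.Add((New-ControlResult -Id "AP-05" -Status "FAIL" -Severity "High" -Control "Not Accessible to All YAML Pipelines" -Finding "$prefix — Accessible to ALL pipelines. Restrict to specific pipelines."))
+if ($pool.isHosted -eq $true) {
+$results.Add((New-ControlResult -Id "AP-05" -Status "PASS" -Severity "High" -Control "Not Accessible to All YAML Pipelines" -Finding "$prefix — Microsoft-hosted pool; broad pipeline access is the Microsoft-managed default and not a customer-side security concern."))
+} elseif ($pipePerms -and ($pipePerms.PSObject.Properties['allPipelines']) -and $pipePerms.allPipelines.authorized -eq $true) {
+$results.Add((New-ControlResult -Id "AP-05" -Status "FAIL" -Severity "High" -Control "Not Accessible to All YAML Pipelines" -Finding "$prefix — Self-hosted pool accessible to ALL pipelines. Restrict to specific pipelines."))
 } elseif ($pipePerms) {
 $results.Add((New-ControlResult -Id "AP-05" -Status "PASS" -Severity "High" -Control "Not Accessible to All YAML Pipelines" -Finding "$prefix — Not accessible to all pipelines."))
 }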
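Review bot: The new `if ($pool.isHosted -eq $true)` branch decides AP-05 without consulting `$pipePerms`, yet the `Invoke-AdoApi` call for the queue's pipeline permissions on the line above it is still issued for every pool, including Microsoft-hosted ones whose answer is then discarded. Moving the call into the self-hosted path saves one API round-trip per hosted pool and keeps the hosted short-circuit self-contained. While restructuring, note that the pre-existing `elseif ($pipePerms)` tail means a self-hosted pool whose permissions query returns nothing (API error, missing permission scope) emits no AP-05 row at all, so a pool that is in fact open to all pipelines would silently be absent from the report rather than flagged as inconclusive; the loop body that owns `$pool` and `$queueId` continues outside this hunk. I would add an explicit `else` that records the inconclusive outcome using whatever status this script already uses for checks it could not evaluate.
```powershell
if ($pool.isHosted -eq $true) {
    # … unchanged: AP-05 PASS result for Microsoft-hosted pools …
} else {
    $pipePerms = Invoke-AdoApi -Uri "$OrgUrl/$ProjectName/_apis/pipelines/pipelinePermissions/queue/${queueId}?api-version=7.1-preview.1" -Header $Header
    if ($pipePerms -and ($pipePerms.PSObject.Properties['allPipelines']) -and $pipePerms.allPipelines.authorized -eq $true) {
        # … unchanged: AP-05 FAIL result for self-hosted pool open to all pipelines …
    } elseif ($pipePerms) {
        # … unchanged: AP-05 PASS result …
    } else {
        # TODO(review): permissions query returned nothing for a self-hosted pool; record an
        # inconclusive AP-05 result here (status value per this script's conventions) instead of omitting the row.
    }
}
```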
