A company uses Azure DevOps for CI/CD. The security team requires that all pipeline runs must use a specific service connection (ServiceConnection-Prod) that has been approved for production deployments. However, developers are accidentally using unapproved connections. You need to enforce that only the approved service connection can be used in any pipeline that deploys to the production environment. What should you do?
Trap 1: Define a required template for all pipelines that includes the…
A template on its own is advisory: unless it is enforced with a required-template check on the production environment, developers can still write pipelines that never extend it.
Trap 2: Set up a manual approval gate on the production environment stage…
An approval gate controls who signs off on the deployment, not which service connection the deployment tasks use.
Trap 3: Configure a branch policy on the main branch to require a…
A branch policy gates merges into main; it does not inspect which service connection a pipeline uses.
- A
Define a required template for all pipelines that includes the service connection, and instruct developers to use it.
Why wrong: A template on its own is advisory. Instructing developers to use it does not enforce anything; unless the template is tied to the production environment with a required-template check, a pipeline that never extends it still runs and can still deploy with whatever service connection its author chose.
- B
Set up a manual approval gate on the production environment stage in the pipeline.
Why wrong: An approval gate controls who signs off before the production stage runs, not which service connection the deployment tasks use. An approver can easily wave through a run that references ServiceConnection-Dev.
- C
Configure a branch policy on the main branch to require a successful build before merging.
Why wrong: A branch policy gates merges into main and can require a successful build, but it does not inspect which service connection the pipeline references, so an unapproved connection passes the policy unchanged.
- D
Create an Azure Pipeline decorator that validates the service connection used in each task and fails the pipeline if it is not the approved one.
Why right: A pipeline decorator is installed as an extension at the organization level and injects steps into every job of every pipeline, so enforcement does not depend on developers opting in. The injected step can check the service connection referenced by the deployment tasks and fail the run when it is not ServiceConnection-Prod. Because the decorator runs in every pipeline in the organization, the injected check must itself scope to jobs that target the production environment, or it will fail unrelated build and test jobs that legitimately use other connections.
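The following is an added example of the validation logic a decorator-injected step could run; it is not code from the original page or from Microsoft. A real decorator is declared in an extension manifest (contribution type `ms.azure-pipelines.pipeline-decorator`) and injects a YAML step into each job; that step would load the checked-out pipeline definition with PyYAML and pass the resulting mapping to `find_violations`. Here the parsed pipeline is embedded as a constructed dict so the script runs offline. The environment name `Production`, the set of task input names treated as service-connection references, and the helper names are assumptions for this example.

```python
"""Fail a run if a production deployment job uses an unapproved service connection.

Hypothetical check for a decorator-injected step (added example, not Azure DevOps code).
"""
import sys
from typing import Any, Dict, Iterator, List, Optional

APPROVED_CONNECTION = "ServiceConnection-Prod"
PRODUCTION_ENVIRONMENT = "Production"  # assumption: name of the protected environment

# Task input names that carry an Azure service connection reference.
# Assumption: this covers the common Azure tasks; extend it for the tasks you use.
CONNECTION_INPUTS = {
    "azureSubscription",
    "ConnectedServiceName",
    "connectedServiceNameARM",
    "azureResourceManagerConnection",
    "environmentServiceNameAzureRM",
}


def _environment_name(env: Any) -> Optional[str]:
    """`environment:` may be a plain string ('Production.web') or a mapping with `name`.
    Only the environment part before the resource suffix is compared."""
    if isinstance(env, str):
        return env.split(".")[0]
    if isinstance(env, dict):
        name = env.get("name")
        return name.split(".")[0] if isinstance(name, str) else None
    return None


def _iter_jobs(pipeline: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Yield job and deployment mappings from single-stage and multi-stage layouts."""
    for stage in pipeline.get("stages", [pipeline]):
        for job in stage.get("jobs", []):
            if isinstance(job, dict):
                yield job


def _iter_steps(node: Any) -> Iterator[Dict[str, Any]]:
    """Yield every step mapping under a job, including the hooks of a deployment
    strategy (runOnce/rolling/canary -> preDeploy/deploy/routeTraffic/on)."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "steps" and isinstance(value, list):
                for step in value:
                    if isinstance(step, dict):
                        yield step
            else:
                yield from _iter_steps(value)
    elif isinstance(node, list):
        for item in node:
            yield from _iter_steps(item)


def find_violations(pipeline: Dict[str, Any], approved: str = APPROVED_CONNECTION,
                    prod_env: str = PRODUCTION_ENVIRONMENT) -> List[str]:
    """Return one message per task, in a job targeting `prod_env`, whose service
    connection input is not `approved`. An empty list means the pipeline complies.
    Jobs that do not deploy to production are out of scope and never flagged."""
    violations: List[str] = []
    for job in _iter_jobs(pipeline):
        if _environment_name(job.get("environment")) != prod_env:
            continue
        job_name = job.get("deployment") or job.get("job") or "<unnamed>"
        for step in _iter_steps(job):
            for key, value in (step.get("inputs") or {}).items():
                if key in CONNECTION_INPUTS and value != approved:
                    violations.append(
                        f"job '{job_name}' task '{step.get('task')}' uses '{value}' "
                        f"via input '{key}'; expected '{approved}'")
    return violations


# Constructed sample: the parsed form of an azure-pipelines.yml in which the build
# job legitimately uses a dev connection but the production deployment does not.
SAMPLE_PIPELINE: Dict[str, Any] = {
    "trigger": ["main"],
    "stages": [
        {"stage": "Build", "jobs": [
            {"job": "build", "steps": [
                {"task": "AzureCLI@2", "inputs": {
                    "azureSubscription": "ServiceConnection-Dev",
                    "scriptType": "bash", "inlineScript": "az account show"}}]}]},
        {"stage": "Deploy", "jobs": [
            {"deployment": "deploy_web", "environment": "Production.web",
             "strategy": {"runOnce": {"deploy": {"steps": [
                 {"task": "AzureWebApp@1", "inputs": {
                     "azureSubscription": "ServiceConnection-Dev",
                     "appName": "contoso-web",
                     "package": "$(Pipeline.Workspace)/drop/*.zip"}},
                 {"task": "AzureCLI@2", "inputs": {
                     "azureSubscription": "ServiceConnection-Prod",
                     "scriptType": "bash", "inlineScript": "az webapp list"}}]}}}}]},
    ],
}


if __name__ == "__main__":
    problems = find_violations(SAMPLE_PIPELINE)
    for problem in problems:
        # Logging commands surface the finding in the run log and mark the task failed.
        print("##vso[task.logissue type=error]" + problem)
    if problems:
        print("##vso[task.complete result=Failed;]unapproved service connection in production job")
        sys.exit(1)
    print("all production deployment tasks use " + APPROVED_CONNECTION)
```

Run against the constructed sample, the script reports the `AzureWebApp@1` task in `deploy_web` and exits non-zero, while the build job's use of `ServiceConnection-Dev` is left alone because it does not target the production environment. The scoping by environment is what keeps an organization-wide decorator from failing every pipeline that touches a non-production connection.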