Posts by this author

Nov 20, 2020

Replacing “View YAML”

This sprint, we're replacing the "View YAML" experience. This is the feature which helps you migrate designer pipelines to YAML. The new version is more correct and covers more Classic Build features, which I'll cover in this post. It removes one useful quirk of the old implementation, so I'll share tips for anyone who depended on that quirk. The ...

CI/CD
Aug 27, 2020

Let’s Hack a Pipeline: Shared Infrastructure

Welcome back to Let's Hack a Pipeline. We've seen argument injection and source code stealing. This week, we'll wrap up the miniseries with Episode III: a Shared Infrastructure attack. One more time: security is a shared responsibility. The purpose of this series is to showcase some potential pitfalls to help you avoid them. The setup Let's say ...

Azure & Cloud
Aug 25, 2020

Let’s Hack a Pipeline: Stealing Another Repo

We're back with another Let's Hack a Pipeline. Last time, we saw how to create - and prevent - argument injection. In this episode, we'll look at how a malicious user could access source code they shouldn't see. Welcome to Episode II: Stealing Another Repo. (Episode III is now available, too!) As I said before: security is a shared responsibility....

Azure & Cloud
Aug 21, 2020

Let’s Hack a Pipeline: Argument Injection

Welcome to Let's Hack a Pipeline! In this series of posts, we'll walk through some common security pitfalls when setting up Azure Pipelines. We don't really want to get hacked, so we'll also show off the mitigation. Episode I is titled Argument Injection. Episode II and Episode III are now also available. Preface on security A quick note before ...

Azure & Cloud
Jan 23, 2019

Using containerized services in your pipeline

Azure Pipelines has supported container jobs for a while now. You craft a container with exactly the versions of exactly the tools you need, and we'll run your pipeline steps inside that container. Recently we expanded our container support to include service containers: additional, helper containers accessible to your pipeline.

DevOps
Sep 1, 2017

Git forks now in public preview

Forks - the ability to create a server-side copy of a Git repository - is rolling out across Visual Studio Team Services (VSTS) and available in TFS 2018 RC1 as a public preview. In VSTS, you won't have to do anything to turn it on, it'll be available by default. If it's not on for you yet, it will be after the current deployment finishes. [edited ...

DevOps, Git & Version Control
Mar 14, 2017

Git repo tokens for the security service

The VSTS platform offers a security REST endpoint which allows you to add and remove permissions on resources. (To understand the rest of this blog post, you're going to want to skim those docs first.) Several of the security APIs, as well as TFSSecurity.exe, expect a token identifying the resource to operate on. The token format varies across reso...

DevOps, Git & Version Control, Admin & Licensing
Jan 27, 2017

Splitting up Git administer permissions

Like everything in VSTS and TFS, Git repos are protected by a set of permissions. For instance, you must have Read for a repo to clone or view its contents. Likewise, you must have Contribute to push changes. Until recently, you needed one permission to create, delete, or rename a repo, edit branch policies, or change other people's permissions: Ad...

DevOps, Git & Version Control, Admin & Licensing