Can you elaborate why the extension needs Build execute permissions?
Opened this issue · 2 comments
Hello,
AFAIK, and as I saw in the code, the extension uploads the analysis result and, if enabled, the log file (verbose logging) to the build artifacts. You'll find the code in the following snippet at lines 218 and 2023:
As you'll find in the MS Docs > Supported scopes, this can be done with the scope vso.build_execute, which was defined for this extension.
BR, CW
Hi @HaGGi13!
Thanks for your answer. I don't agree that publishing artifacts needs the "Build & Execute" permission.
IMO the Microsoft Docs state that the permission is needed to access already built artifacts, but I might be wrong here.
Still, if your statement is correct, the "Build" permission should suffice.
I would advise the developers of the extension to test the extension w/o granting the "Build & Execute" permission and see whether all the features are still working properly.
The reason I think this is so important is that CVE checks will mostly be used in pipelines by companies, which have to comply with certain security guidelines.
Granting a DevOps extension that does not have the greatest popularity or developer count, and that updates itself more or less regularly, the "Build & Execute" permission might seem very critical to those companies.
Anyways, thanks a lot for your response!
I just think that you need no permissions to publish pipeline artifacts from an extension.
Greetings,
Zacharias3D