When Bamboo see changes in repository it runs such steps:
- Checkout source code
- Run Maven tool to compile and run Bamboo Specs generator to produce internal YAML
- Read YAML and build plan/deployment structure and apply them to configuration.
Step #2 is very danger from security point of view. It takes Java code outside of Bamboo control (remote repository) and executes it inside Bamboo server. To make sure environment is fully isolated Bamboo team recommends to use Docker to divide Maven execution from Bamboo Server environment.
If you can't use Docker then Bamboo Server will try to do the most safe action and run Maven with custom Java Security Manager which don't allow to access network, execute other applications or read/write files outside of working directory by Java code. But we think that this barrier might be not enough to make you server fully secured.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.