Xcode Server provides a web page to monitor any bots defined on that server. The page is at https://machine.domain.com/xcode. That page displays the status of each bot, and provides an Integrate button to rerun an integration manually.
That page is available to anyone who can see the machine.
The documentation at Xcode Server and Continuous Integration Guide: Monitor Bots from a Web Browser provides instructions on access control, but they assume you're running macOS Server. With Xcode 9 that no longer needs to be the case. The access control described in that document is not available on macOS non-server.
How can I prevent the general public from seeing bot status, and from triggering a DoS attack by constantly rerunning them?
Apple folks, see rdar://35668967.
A VPN is probably the only solution at this time.