generic.bicep.security.secure-parameter-for-secrets.secure-parameter-for-secrets
semgrepAuthor
unknown
Download Count*
License
Mark sensitive parameters with the @secure() decorator. This avoids logging the value or displaying it in the Azure portal, Azure CLI, or Azure PowerShell.
Run Locally
Run in CI
Defintion
rules:
- id: secure-parameter-for-secrets
patterns:
- pattern: param $NAME string
- pattern-not-inside: |
@secure()
param $NAME string
- metavariable-regex:
metavariable: $NAME
regex: (?i).*(password|secret|token)
message: Mark sensitive parameters with the @secure() decorator. This avoids
logging the value or displaying it in the Azure portal, Azure CLI, or
Azure PowerShell.
metadata:
category: security
technology:
- bicep
cwe:
- "CWE-532: Insertion of Sensitive Information into Log File"
references:
- https://cwe.mitre.org/data/definitions/532.html
- https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/scenarios-secrets
owasp:
- A09:2021 - Security Logging and Monitoring Failures
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Mishandled Sensitive Information
languages:
- generic
paths:
include:
- "*.bicep"
severity: WARNING
Examples
secure-parameter-for-secrets.bicep
// ok: secure-parameter-for-secrets
@secure()
param demoPassword string
// ok: secure-parameter-for-secrets
param normalParam string
// ruleid: secure-parameter-for-secrets
param somethingPassword string
// ruleid: secure-parameter-for-secrets
param somethingSecret string
Short Link: https://sg.run/QywP