generic.bicep.security.secure-parameter-for-secrets.secure-parameter-for-secrets

Author
unknown
Mark sensitive parameters with the @secure() decorator. This avoids logging the value or displaying it in the Azure portal, Azure CLI, or Azure PowerShell.
Definition
rules:
  - id: secure-parameter-for-secrets
    patterns:
      - pattern: param $NAME string
      - pattern-not-inside: |
          @secure()
          param $NAME string
      - metavariable-regex:
          metavariable: $NAME
          regex: (?i).*(password|secret|token)
    message: Mark sensitive parameters with the @secure() decorator. This avoids
      logging the value or displaying it in the Azure portal, Azure CLI, or
      Azure PowerShell.
    metadata:
      category: security
      technology:
        - bicep
      cwe:
        - "CWE-532: Insertion of Sensitive Information into Log File"
      references:
        - https://cwe.mitre.org/data/definitions/532.html
        - https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/scenarios-secrets
      owasp:
        - A09:2021 - Security Logging and Monitoring Failures
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - generic
    paths:
      include:
        - "*.bicep"
    severity: WARNING
Examples
secure-parameter-for-secrets.bicep
// ok: secure-parameter-for-secrets
@secure()
param demoPassword string
// ok: secure-parameter-for-secrets
param normalParam string
// ruleid: secure-parameter-for-secrets
param somethingPassword string
// ruleid: secure-parameter-for-secrets
param somethingSecret string
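The test file above only shows the parameter declarations. The following is an added example, not part of the rule's test file or of any Microsoft sample, showing the pattern the referenced scenarios-secrets guidance recommends: the consuming module declares the secret with @secure(), and the parent template never takes the secret as a plain parameter at all but pulls it from an existing Key Vault with getSecret(). The vault name, secret name, module path and SQL server naming are assumptions for illustration.

```bicep
// ---- main.bicep (added example; names are assumed) ----
@description('Existing Key Vault holding the SQL admin password. Assumed name, supplied at deploy time.')
param keyVaultName string

@description('Resource group of the vault. The vault must have enabledForTemplateDeployment set to true.')
param keyVaultResourceGroup string = resourceGroup().name

param location string = resourceGroup().location

// Reference the vault rather than accepting the secret value as a parameter.
resource kv 'Microsoft.KeyVault/vaults@2023-02-01' existing = {
  name: keyVaultName
  scope: resourceGroup(keyVaultResourceGroup)
}

// getSecret() can only be passed to a module parameter decorated with @secure();
// the value is resolved by Resource Manager and never enters the deployment history.
module sql './sql.bicep' = {
  name: 'sql-deployment'
  params: {
    location: location
    sqlAdminPassword: kv.getSecret('sqlAdminPassword') // assumed secret name
  }
}

// ---- sql.bicep (added example) ----
param location string

// Without @secure() this declaration matches the rule above: the value would be
// recorded in the deployment history and shown in portal/CLI/PowerShell output.
@secure()
param sqlAdminPassword string

resource sqlServer 'Microsoft.Sql/servers@2021-11-01' = {
  name: 'sql-${uniqueString(resourceGroup().id)}'
  location: location
  properties: {
    administratorLogin: 'sqladmin'
    administratorLoginPassword: sqlAdminPassword
  }
}

// Outputs are stored in plain text in the deployment record, so never output a
// secure parameter. Returning the FQDN is safe; returning sqlAdminPassword is not.
output sqlServerFqdn string = sqlServer.properties.fullyQualifiedDomainName
```

Two caveats follow from the rule definition itself. It runs in generic mode and only matches `param $NAME string`, so a secret passed as `param $NAME object` (which @secure() also supports) is not inspected, and a string parameter whose name lacks password, secret or token (for example one named apiKey) is not flagged either. Treat a clean run as one check among several, not as proof that no plaintext secret parameter remains.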
Short Link: https://sg.run/QywP