terraform.azure.security.keyvault.keyvault-content-type-for-secret.keyvault-content-type-for-secret

Author
unknown
Key vault Secret should have a content type set

Definition

rules:
  - id: keyvault-content-type-for-secret
    message: Key vault Secret should have a content type set
    patterns:
      - pattern: resource
      - pattern-not-inside: |
          resource "azurerm_key_vault_secret" "..." {
          ...
          content_type = "..."
          ...
          }
      - pattern-inside: |
          resource "azurerm_key_vault_secret" "..." {
          ...
          }
    metadata:
      category: correctness
      technology:
        - terraform
        - azure
      references:
        - https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_secret#content_type
        - https://docs.microsoft.com/en-us/azure/key-vault/secrets/about-secrets
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - hcl
    severity: INFO

Examples

keyvault-content-type-for-secret.tf

resource "azurerm_key_vault_secret" "good_example" {
  name         = "secret-sauce"
  value        = "qwerty"
  key_vault_id = azurerm_key_vault.example.id
  content_type = "password"
}

# ruleid: keyvault-content-type-for-secret
resource "azurerm_key_vault_secret" "bad_example" {
  name         = "secret-sauce"
  value        = "qwerty"
  key_vault_id = azurerm_key_vault.example.id
}