Deployment sets a secret property with a non-secure value
April 11, 2025 · View on GitHub
SYNOPSIS
A secret property set from a non-secure value may leak the secret into deployment history or logs.
DESCRIPTION
This rule checks for cases where a non-secure value is assigned to a resource property that contains sensitive information.
For example, a regular (non-secure) parameter or a hard-coded variable is used to set the value property of an Azure Key Vault secret.
This property is used to store the secret value in the Key Vault; however, by the time it is stored the value has already been leaked.
Azure Bicep and Azure Resource Manager (ARM) templates can be used to deploy resources to Azure.
When deploying Azure resources, sensitive values such as passwords, certificates, and keys should be passed as secure parameters.
Secure parameters use the @secure decorator in Bicep or the secureString / secureObject type.
Parameters that do not use secure types are recorded in deployment history and logs. These values can be retrieved by anyone with read access to the deployment history and logs. Logs are often exposed at multiple levels including CI pipeline logs, Azure Activity Logs, and SIEM systems.
RECOMMENDATION
Consider using secure parameters for setting the value of any sensitive resource properties.
EXAMPLES
Configure with Azure template
To configure deployments that pass this rule:
- Set the type of parameters used to set sensitive resource properties to secureString or secureObject.
For example:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "secret": {
      "type": "secureString"
    }
  },
  "resources": [
    {
      "type": "Microsoft.KeyVault/vaults/secrets",
      "apiVersion": "2022-07-01",
      "name": "keyvault/good",
      "properties": {
        "value": "[parameters('secret')]"
      }
    }
  ]
}
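As an added illustration (not PSRule's own implementation), the check the rule describes can be applied to an ARM template with a few lines of Python: a Key Vault secret's value passes only when it references a parameter typed secureString or secureObject; non-secure parameters, variables and literals are reported. The sample template, the helper names and the scope (only the vaults/secrets type) are assumptions made for this example.

```python
import re

# Parameter types whose values are kept out of deployment history and logs.
SECURE_TYPES = {"securestring", "secureobject"}
# One of the resource types the rule covers; restricted to this type for the example.
SECRET_RESOURCE = "microsoft.keyvault/vaults/secrets"
PARAM_REF = re.compile(r"^\[\s*parameters\('([^']+)'\)\s*\]$", re.IGNORECASE)
VAR_REF = re.compile(r"^\[\s*variables\('([^']+)'\)\s*\]$", re.IGNORECASE)


def classify_value(value, parameters):
    """Return None when 'value' comes from a secure parameter, else the reason it fails."""
    if not isinstance(value, str):
        return "literal value embedded in template"
    m = PARAM_REF.match(value)
    if m:
        ptype = parameters.get(m.group(1), {}).get("type", "")
        if ptype.lower() in SECURE_TYPES:
            return None
        return f"parameter '{m.group(1)}' has non-secure type '{ptype or 'missing'}'"
    m = VAR_REF.match(value)
    if m:
        return f"hard-coded variable '{m.group(1)}'"
    return "literal string or unresolved expression"


def find_insecure_secret_values(template):
    """List (resource name, reason) for every Key Vault secret resource that fails."""
    parameters = template.get("parameters", {})
    findings = []
    for res in template.get("resources", []):
        if res.get("type", "").lower() != SECRET_RESOURCE:
            continue
        reason = classify_value(res.get("properties", {}).get("value"), parameters)
        if reason:
            findings.append((res.get("name", "<unnamed>"), reason))
    return findings


# Constructed sample template (not from the page): one secure and two leaking secrets.
SAMPLE_TEMPLATE = {
    "parameters": {"secret": {"type": "secureString"}, "plain": {"type": "string"}},
    "resources": [
        {"type": "Microsoft.KeyVault/vaults/secrets", "name": "keyvault/good",
         "properties": {"value": "[parameters('secret')]"}},
        {"type": "Microsoft.KeyVault/vaults/secrets", "name": "keyvault/bad",
         "properties": {"value": "[parameters('plain')]"}},
        {"type": "Microsoft.KeyVault/vaults/secrets", "name": "keyvault/worse",
         "properties": {"value": "hunter2"}},
    ],
}
```

Running find_insecure_secret_values(SAMPLE_TEMPLATE) reports keyvault/bad and keyvault/worse and leaves keyvault/good alone.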
Configure with Bicep
To configure deployments that pass this rule:
- Add the @secure() decorator on parameters used to set sensitive resource properties.
For example:
@secure()
param secret string

resource goodSecret 'Microsoft.KeyVault/vaults/secrets@2022-07-01' = {
  name: 'keyvault/good'
  properties: {
    value: secret
  }
}
NOTES
For a list of resource types and properties that are checked by this rule see secret properties. If you find properties that are missing, please let us know by logging an issue on GitHub.