Deployment exposes a secret in output#
Security · Deployment · Rule · 2022_06 · Critical
Outputting a sensitive value from deployment may leak secrets into deployment history or logs.
Description#
This rule checks for cases when a sensitive value is output from a deployment. For example, if a parameter is marked as secure and then assigned to an output value.
Don't include any values in an ARM template or Bicep output that could potentially expose sensitive information. The output from each deployment is stored in the deployment history. If the output contains sensitive information, the output value is leaked to the deployment history.
Examples of secrets are:
- Parameters using the
secureString
orsecureObject
type. - Output from
list*
functions such aslistKeys
.
Outputs are recorded in clear texts within deployment history and logs. Logs are often exposed at multiple levels including CI pipeline logs, Azure Activity Logs, and SIEM systems.
Secret rotation — SE:09 Application secrets
If a secret has already been exposed by a previous insecure deployment, rotate it immediately to prevent unauthorized access to your resources.
Rotating a secret involves changing or regenerating the secret value and updating all dependent resources with the new value. This process should be done in a secure manner to prevent the new secret from being exposed.
Recommendation#
Consider removing any output values that return secret values in code.
Examples#
Configure with Bicep#
To deploy securely pass secrets within Infrastructure as Code:
- Add the
@secure()
decorators on sensitive parameters. - Avoid returning a secret in output values.
Example using @secure()
annotation:
@secure()
@description('Local administrator password for virtual machine.')
param adminPassword string
The following example fails because it returns a secret:
Configure with Azure template#
To deploy securely pass secrets within Infrastructure as Code:
- Define parameters with the
secureString
orsecureObject
type. - Avoid returning a secret in output values.
Example using secureString
type:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"adminPassword": {
"type": "secureString",
"metadata": {
"description": "Local administrator password for virtual machine."
}
}
},
"resources": []
}
The following example fails because it returns a secret:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"adminPassword": {
"type": "secureString",
"metadata": {
"description": "Local administrator password for virtual machine."
}
}
},
"resources": [],
"outputs": {
"accountPassword": {
"type": "string",
"value": "[parameters('adminPassword')]"
}
}
}
Notes#
When using Bicep, the built-in linter will also automatically check for common cases when secrets are output from a deployment.
Links#
- SE:02 Secured development lifecycle
- Test cases for ARM templates
- Outputs should not contain secrets
- List function