Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

AzureResourceManager static code analysis

Unique rules to find Vulnerabilities, Security Hotspots, and Code Smells in your AZURERESOURCEMANAGER code

Filtered: 16 rules found

azure

Impact

Clean code attribute

Secure strings and objects should not have default values

responsibility - trustworthy

security

Vulnerability

CriticalSonarSource default severity
click to learn more

Azure Resource Manager templates define parameters as a way to reuse templates in different environments. Secure parameters (secure strings and secure objects) should not be assigned a default value.

Why is this an issue?

How can I fix it?

More Info

Parameters with the type securestring and secureObject are designed to pass sensitive data to the resources being deployed. Unlike other data types, they cannot be accessed after the deployment is completed. They can neither be logged nor used as an output.

Secure parameters can be assigned a default value which will be used if the parameter is not supplied. This default value is not protected and is stored in cleartext in the deployment history.

What is the potential impact?

If the default value contains a secret, it will be disclosed to all accounts that have read access to the deployment history.

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

In-IDE

SaaS

Self-Hosted