Merge pull request #206413 from mumian/0729-linter-password-params

tamarakhader · web-flow · commit 7e9f25374553 · 2022-08-08T11:00:09.000-04:00
linter rule - secure-secrets-in-params
diff --git a/articles/azure-resource-manager/bicep/bicep-config-linter.md b/articles/azure-resource-manager/bicep/bicep-config-linter.md
@@ -62,6 +62,9 @@ The following example shows the rules that are available for configuration.
         "use-protectedsettings-for-commandtoexecute-secrets": {
           "level": "warning"
         },
+        "secure-secrets-in-params": {
+          "level": "warning"
+        },
         "use-stable-resource-identifiers": {
           "level": "warning"
         },
diff --git a/articles/azure-resource-manager/bicep/linter-rule-secure-secrets-in-parameters.md b/articles/azure-resource-manager/bicep/linter-rule-secure-secrets-in-parameters.md
@@ -0,0 +1,54 @@
+---
+title: Linter rule - secure secrets in parameters
+description: Linter rule - secure secrets in parameters
+ms.topic: conceptual
+ms.date: 08/01/2022
+---
+
+# Linter rule - secure secrets in parameters
+
+This rule finds parameters whose names look like secrets but without the [secure decorator](./parameters.md#decorators), for example: a parameter name contains the following keywords:
+
+- password
+- pwd
+- secret
+- accountkey
+- acctkey
+
+## Linter rule code
+
+Use the following value in the [Bicep configuration file](bicep-config-linter.md) to customize rule settings:
+
+`secure-secrets-in-params`
+
+## Solution
+
+Use the [secure decorator](./parameters.md#decorators) for the parameters that contain secrets. The secure decorator marks the parameter as secure. The value for a secure parameter isn't saved to the deployment history and isn't logged.
+
+The following example fails this test because the parameter name may contain secrets.
+
+```bicep
+param mypassword string
+```
+
+You can fix it by adding the secure decorator:
+
+```bicep
+@secure()
+param mypassword string
+```
+
+## Silencing false positives
+
+Sometimes this rule alerts on parameters that don't actually contain secrets. In these cases, you can disable the warning for this line by adding `#disable-next-line secure-secrets-in-params` before the line with the warning. For example:
+
+```bicep
+#disable-next-line secure-secrets-in-params   // Doesn't contain a secret
+param mypassword string
+```
+
+It's good practice to add a comment explaining why the rule doesn't apply to this line.
+
+## Next steps
+
+For more information about the linter, see [Use Bicep linter](./linter.md).
diff --git a/articles/azure-resource-manager/bicep/linter.md b/articles/azure-resource-manager/bicep/linter.md
@@ -32,6 +32,7 @@ The default set of linter rules is minimal and taken from [arm-ttk test cases](.
 - [prefer-interpolation](./linter-rule-prefer-interpolation.md)
 - [prefer-unquoted-property-names](./linter-rule-prefer-unquoted-property-names.md)
 - [secure-parameter-default](./linter-rule-secure-parameter-default.md)
+- [secure-secrets-in-params](./linter-rule-secure-secrets-in-parameters.md)
 - [simplify-interpolation](./linter-rule-simplify-interpolation.md)
 - [use-protectedsettings-for-commandtoexecute-secrets](./linter-rule-use-protectedsettings-for-commandtoexecute-secrets.md)
 - [use-stable-resource-identifiers](./linter-rule-use-stable-resource-identifier.md)
diff --git a/articles/azure-resource-manager/bicep/toc.yml b/articles/azure-resource-manager/bicep/toc.yml
@@ -386,6 +386,8 @@
         href: linter-rule-prefer-unquoted-property-names.md
       - name: Secure parameter default
         href: linter-rule-secure-parameter-default.md
+      - name: Secure secrets in parameters
+        href: linter-rule-secure-secrets-in-parameters.md
       - name: Simplify interpolation
         href: linter-rule-simplify-interpolation.md
       - name: Use explicit values for module location parameters
