Linter rule - secure secrets in parameters

  • Article

This rule finds parameters whose names look like secrets but without the secure decorator, for example: a parameter name contains the following keywords:

  • password
  • pwd
  • secret
  • accountkey
  • acctkey

Linter rule code

Use the following value in the Bicep configuration file to customize rule settings:

secure-secrets-in-params

Solution

Use the secure decorator for the parameters that contain secrets. The secure decorator marks the parameter as secure. The value for a secure parameter isn't saved to the deployment history and isn't logged.

The following example fails this test because the parameter name may contain secrets.

param mypassword string

You can fix it by adding the secure decorator:

@secure()
param mypassword string

Optionally, you can use Quick Fix to add the secure decorator:

The screenshot of Secured default value linter rule quick fix.

Silencing false positives

Sometimes this rule alerts on parameters that don't actually contain secrets. In these cases, you can disable the warning for this line by adding #disable-next-line secure-secrets-in-params before the line with the warning. For example:

#disable-next-line secure-secrets-in-params   // Doesn't contain a secret
param mypassword string

It's good practice to add a comment explaining why the rule doesn't apply to this line.

Next steps

For more information about the linter, see Use Bicep linter.