Ensure Set Variable Is Not Marked As a Secret
Using non-secret variables for set variable tasks in Azure Pipelines is recommended because:
- Non-secret variables are not encrypted or masked out, which makes them easier to debug and audit.
- Non-secret variables are automatically decrypted into environment variables for scripts. You do not need to explicitly map them using the
task.setvariablelogging command. - Non-secret variables are available for expressions and template parameters. You do not need to pass them as arguments to templates.
Therefore, this rule suggests using non-secret variables unless they contain sensitive information like passwords, IDs, and other identifying data that you would want to have protected in a pipeline.
Risk Level: medium
Platform: Azure Pipelines
Spectral Rule ID: AZRPPL003
REMEDIATION
In jobs.steps.powershell or jobs.steps.bash delete issecret=true command
bash: |
echo "##vso[task.setvariable variable=normal_variable;]something"
- echo "##vso[task.setvariable variable=secret_variable;issecret=true]super-secret"
powershell: |
Write-Host "##vso[task.setvariable variable=normal_variable;]something"
- Write-Host "##vso[task.setvariable variable=secret_variable;issecret=true]super-secret"
Read more:
Updated over 1 year ago