Ensure set variable is not marked as a secret
Description
This policy checks whether a variable set in an Azure Pipelines job is marked as a secret. Marking a variable as a secret in this way can expose sensitive information, such as credentials or encryption keys, which an attacker could use to gain unauthorized access to systems or data. It is generally recommended to avoid setting variables as secrets unless absolutely necessary. The check looks for 'task.setvariable' in a bash or PowerShell command and verifies whether 'issecret=true' is specified.
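The check described above, as an added example that is not part of this policy page or of Checkov's own implementation: it walks the `jobs[].steps[]` and `stages[].jobs[].steps[]` paths, scans each inline script (`script`, `bash`, `pwsh`, `powershell` shortcuts and `inputs.script` of task steps) for the `task.setvariable` logging command, and reports steps whose property list contains `issecret=true`. The pipeline is a constructed dict standing in for already-parsed YAML; the step-key list and path format are assumptions of this example.

```python
import re
from typing import Iterator

# Matches the logging command the check looks for and captures its property list.
SETVAR_RE = re.compile(r"##vso\[task\.setvariable\s+([^\]]*)\]", re.IGNORECASE)

# Step keys whose value is an inline script (Azure Pipelines shortcut syntax).
SCRIPT_KEYS = ("script", "bash", "pwsh", "powershell")


def _step_scripts(step: dict) -> Iterator[str]:
    """Yield every inline script body a step carries."""
    for key in SCRIPT_KEYS:
        if isinstance(step.get(key), str):
            yield step[key]
    inputs = step.get("inputs") or {}  # task form, e.g. Bash@3 / PowerShell@2
    if isinstance(inputs.get("script"), str):
        yield inputs["script"]


def _all_steps(pipeline: dict) -> Iterator[tuple]:
    """Walk jobs[].steps[] and stages[].jobs[].steps[], yielding (path, step)."""
    for j, job in enumerate(pipeline.get("jobs") or []):
        for s, step in enumerate(job.get("steps") or []):
            yield f"jobs[{j}].steps[{s}]", step
    for st, stage in enumerate(pipeline.get("stages") or []):
        for j, job in enumerate(stage.get("jobs") or []):
            for s, step in enumerate(job.get("steps") or []):
                yield f"stages[{st}].jobs[{j}].steps[{s}]", step


def find_secret_setvariable(pipeline: dict) -> list:
    """Return the paths of steps that set a variable with issecret=true."""
    findings = []
    for path, step in _all_steps(pipeline):
        for script in _step_scripts(step):
            for props in SETVAR_RE.findall(script):
                # Properties are ';'-separated key=value pairs; keys compared case-insensitively.
                pairs = {k.strip().lower(): v.strip()
                         for k, v in (p.split("=", 1) for p in props.split(";") if "=" in p)}
                if pairs.get("issecret", "").lower() == "true":
                    findings.append(path)
                    break
    return findings


# Constructed sample pipeline, as it would look after YAML parsing.
SAMPLE = {
    "jobs": [{"steps": [
        {"bash": "echo '##vso[task.setvariable variable=myVariable;]myValue'"},
        {"pwsh": "Write-Host '##vso[task.setvariable variable=token;issecret=true]abc'"},
    ]}],
    "stages": [{"jobs": [{"steps": [
        {"task": "Bash@3", "inputs": {"script": "echo '##vso[task.setvariable variable=k;isSecret=true]v'"}},
    ]}]}],
}

if __name__ == "__main__":
    print(find_secret_setvariable(SAMPLE))  # ['jobs[0].steps[1]', 'stages[0].jobs[0].steps[0]']
```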
Code Example
```azure-pipelines
echo '##vso[task.setvariable variable=myVariable;]myValue'
# instead of
echo '##vso[task.setvariable variable=myVariable;issecret=true]myValue'
```
Remediation
To fix this issue, ensure that variables are not marked as secrets unless necessary: remove the 'issecret=true' property from the 'task.setvariable' command.
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0817 |
| Severity | MEDIUM |
| IaC Type | Azure Pipelines |
| Frameworks | jobs[].steps[], stages[].jobs[].steps[] |
| Checkov ID | CKV_AZUREPIPELINES_3 |