
provider:
metadata:
  name: Azure
  category: Cloud Provider
  message: Make sure this Azure Storage Account Key gets revoked, changed, and removed from the code.
# Provider-level post-processing. Rules below do not declare their own
# patternNot, and the connection-string example for the emulator keys expects
# no finding, so this list evidently applies to those rules as well.
detection:
  post:
    # Candidates whose captured value matches any regex here are dropped.
    # None of the patterns is anchored, so a match anywhere in the capture counts.
    patternNot:
      # Character repeated at least 4 times: one captured character followed by
      # four or more backreferences, i.e. the same character five or more
      # times in a row.
      - "([\\w\\*\\.])\\1{4,}"
      # Common text placeholders
      - "(?i)(?:s|ex)ample|foo|bar|test|abcd|redacted"
      - "12345"
      # Azure Storage / Azurite emulator (public, well-known key; not a secret)
      - "Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw=="
      # CosmosDB Local emulator (public, well-known key; the "+" is regex-escaped)
      - "C2y6yDjf5/R\\+ob0N8A7Cgv30VRDJIWEHLM\\+4QDU5DE2nQ9nDuVTqobD4b8mGGyPMbIZnqyMsEcaGQy67XIw/Jw=="
rules:
# Rule: a quoted, bare storage account key. The regex expects 86 base64
# characters plus "==" padding (88 characters, i.e. a 64-byte key) and is only
# trusted when a "core.windows.net" reference is close by.
- rspecKey: S6338
  id: azure-storage-account-keys
  metadata:
    name: Azure Storage Account Keys
  detection:
    pre:
      # Only the "main" source scope is scanned.
      scopes:
        - main
      reject:
        # Documentation and template files are skipped entirely; the Doc.md
        # example below is expected to be clean for that reason.
        ext:
          - .adoc
          - .example
          - .html
          - .md
          - .mdx
          - .template
        # NuGet restore output, which carries base64 package hashes.
        paths:
          - "**/project.assets.json"
      # Presumably a cheap literal pre-filter run before the regex — confirm
      # against the plugin's schema.
      include:
        content:
          - "core.windows.net"
    matching:
      # The key must sit directly between quote characters (', " or `).
      pattern: "['\"`]([a-zA-Z0-9/\\+]{86}==)['\"`]"
      context:
        # Every entry below must hold for the candidate to be reported.
        matchEach:
          # A "core.windows.net" reference within 20 lines of the candidate.
          - patternAround:
              pattern: "(?i)core\\.windows\\.net"
              maxLineDistance: 20
          # Not a SHA-512 digest: the word "sha512" must not precede the
          # candidate at line distance 0 (the candidate's own line).
          - matchNot:
              patternBefore:
                pattern: "(?i)\\bsha512\\b"
                maxLineDistance: 0
  examples:
    # Hard-coded key next to a core.windows.net URL: reported.
    - text: |
        # Noncompliant code example
        using Azure.Storage.Blobs;
        using Azure.Storage;
        class Example
        {
        static void Main(string[] args)
        {
        string account = "accountname";
        string accountKey = "4dVw+l0W8My+FwuZ08dWXn+gHxcmBtS7esLAQSrm6/Om3jeyUKKGMkfAh38kWZlItThQYsg31v23A0w/uVP4pg=="; // Noncompliant
        StorageSharedKeyCredential sharedKeyCredential = new StorageSharedKeyCredential(account, accountKey);
        BlobServiceClient blobServiceClient = new BlobServiceClient(
        new Uri($"https://{account}.blob.core.windows.net"),
        sharedKeyCredential);
        }
        }
      containsSecret: true
      match: 4dVw+l0W8My+FwuZ08dWXn+gHxcmBtS7esLAQSrm6/Om3jeyUKKGMkfAh38kWZlItThQYsg31v23A0w/uVP4pg==
    # Key read from the environment: no 88-character literal, nothing to report.
    - text: |
        # Compliant solution
        ## Solution using environment variables:
        using System;
        using Azure.Storage.Blobs;
        using Azure.Storage;
        class Example
        {
        static void Main(string[] args)
        {
        string account = Environment.GetEnvironmentVariable("ACCOUNT_NAME");
        string accountKey = Environment.GetEnvironmentVariable("ACCOUNT_KEY");
        StorageSharedKeyCredential sharedKeyCredential = new StorageSharedKeyCredential(account, accountKey);
        BlobServiceClient blobServiceClient = new BlobServiceClient(
        new Uri($"https://{account}.blob.core.windows.net"),
        sharedKeyCredential);
        }
        }
      containsSecret: false
    # Token-based credential instead of a shared key: nothing to report.
    - text: |
        # Compliant solution
        ## Solution using a passwordless approach, thanks to DefaultAzureCredential:
        using System;
        using Azure.Storage.Blobs;
        using Azure.Identity;
        class Example
        {
        static void Main(string[] args)
        {
        string account = Environment.GetEnvironmentVariable("ACCOUNT_NAME");
        var blobServiceClient = new BlobServiceClient(
        new Uri($"https://{account}.blob.core.windows.net"),
        new DefaultAzureCredential());
        }
        }
      containsSecret: false
    # A literal fallback after "||" is still a hard-coded key: reported.
    - text: |
        async function main() {
        const account = process.env.ACCOUNT_NAME || "accountname";
        const accountKey = process.env.ACCOUNT_KEY || "4dVw+l0W8My+FwuZ08dWXn+gHxcmBtS7esLAQSrm6/Om3jeyUKKGMkfAh38kWZlItThQYsg31v23A0w/uVP4pg==";
        const sharedKeyCredential = new StorageSharedKeyCredential(account, accountKey);
        const blobServiceClient = new BlobServiceClient(
        `https://${account}.blob.core.windows.net`,
        sharedKeyCredential
        );
        }
      containsSecret: true
      match: 4dVw+l0W8My+FwuZ08dWXn+gHxcmBtS7esLAQSrm6/Om3jeyUKKGMkfAh38kWZlItThQYsg31v23A0w/uVP4pg==
    # Same snippet in a .md file: rejected by the extension filter above.
    - text: |
        async function main() {
        const account = process.env.ACCOUNT_NAME || "accountname";
        const accountKey = process.env.ACCOUNT_KEY || "4dVw+l0W8My+FwuZ08dWXn+gHxcmBtS7esLAQSrm6/Om3jeyUKKGMkfAh38kWZlItThQYsg31v23A0w/uVP4pg==";
        const sharedKeyCredential = new StorageSharedKeyCredential(account, accountKey);
        const blobServiceClient = new BlobServiceClient(
        `https://${account}.blob.core.windows.net`,
        sharedKeyCredential
        );
        }
      fileName: Doc.md
      containsSecret: false
    # Too short for the 86-character body: no match.
    - text: |
        AccountKey = "BtS7esLAQSrm6/Om3jeyUKKGMkfAh38kWZlItThQYsg31v23A0w/uVP4pg==";
      containsSecret: false
    # Right length and a core.windows.net mention nearby, but "sha512" precedes
    # the value on the same line, so the matchNot context rejects it.
    - text: |
        # core.windows.net,
        "sha512": "HYmZNYuS9Kt9ZAKOvffcjacrX23oY6bBSsv6dY5UzH6Qmmkl8RhMs1/2WQYxoVhYo0TaVx/1U5J2Jdr+aY2vzw=="
      containsSecret: false
# Rule: the same 88-character key embedded in a connection string. The
# literal "AccountKey=" prefix stands in for the quote and context checks used
# by the azure-storage-account-keys rule, so no patternAround is needed here.
- rspecKey: S6338
  id: azure-storage-account-key-connection-string
  metadata:
    name: Azure Storage Account Keys
  detection:
    pre:
      # Only the "main" source scope is scanned.
      scopes:
        - main
      reject:
        # Documentation and template files are skipped; the Doc.html example
        # below is expected to be clean for that reason.
        ext:
          - .adoc
          - .example
          - .html
          - .md
          - .mdx
          - .template
      # Presumably a cheap literal pre-filter run before the regex — confirm
      # against the plugin's schema.
      include:
        content:
          - "AccountKey="
    matching:
      # The capture ends at the "==" padding, so a trailing
      # ";EndpointSuffix=..." segment does not interfere with the match.
      pattern: "AccountKey=([a-zA-Z0-9/\\+]{86}==)"
  examples:
    # Key at the end of the connection string: reported.
    - text: |
        const connStr = "DefaultEndpointsProtocol=https;AccountName=testaccountname;AccountKey=4dVw+l0W8My+FwuZ08dWXn+gHxcmBtS7esLAQSrm6/Om3jeyUKKGMkfAh38kWZlItThQYsg31v23A0w/uVP4pg==";
      containsSecret: true
      match: 4dVw+l0W8My+FwuZ08dWXn+gHxcmBtS7esLAQSrm6/Om3jeyUKKGMkfAh38kWZlItThQYsg31v23A0w/uVP4pg==
    # Key followed by another segment: still reported, capture stops at "==".
    - text: |
        const connStr = "DefaultEndpointsProtocol=https;AccountName=testaccountname;AccountKey=4dVw+l0W8My+FwuZ08dWXn+gHxcmBtS7esLAQSrm6/Om3jeyUKKGMkfAh38kWZlItThQYsg31v23A0w/uVP4pg==;EndpointSuffix=core.windows.net";
      containsSecret: true
      match: 4dVw+l0W8My+FwuZ08dWXn+gHxcmBtS7esLAQSrm6/Om3jeyUKKGMkfAh38kWZlItThQYsg31v23A0w/uVP4pg==
    # Same string in a .html file: rejected by the extension filter above.
    - text: |
        const connStr = "DefaultEndpointsProtocol=https;AccountName=testaccountname;AccountKey=4dVw+l0W8My+FwuZ08dWXn+gHxcmBtS7esLAQSrm6/Om3jeyUKKGMkfAh38kWZlItThQYsg31v23A0w/uVP4pg==;EndpointSuffix=core.windows.net";
      fileName: Doc.html
      containsSecret: false
    # Spaces around "=" break the literal "AccountKey=" prefix, and the value is
    # too short anyway: no match.
    - text: |
        AccountKey = "BtS7esLAQSrm6/Om3jeyUKKGMkfAh38kWZlItThQYsg31v23A0w/uVP4pg==";
      containsSecret: false
    - text: |
        const connStr = "DefaultEndpointsProtocol=https;AccountName=testaccountname;AccountKey=4dVw+l0W8My+FwuZ08dWXn+gHxcmBtS7esLAQSrm6/Om3jeyUKKGMkfAh38kWZlItThQYsg31v23A0w/uVP4pg==;EndpointSuffix=core.windows.net";
      containsSecret: true
      match: 4dVw+l0W8My+FwuZ08dWXn+gHxcmBtS7esLAQSrm6/Om3jeyUKKGMkfAh38kWZlItThQYsg31v23A0w/uVP4pg==
    # Both values are listed in the provider-level patternNot (Azurite and the
    # CosmosDB Local emulator), so the candidates are discarded post-match.
    - text: |
        const connStr = "DefaultEndpointsProtocol=https;AccountName=testaccountname;AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==";
        const connStr = "DefaultEndpointsProtocol=https;AccountName=testaccountname;AccountKey=C2y6yDjf5/R+ob0N8A7Cgv30VRDJIWEHLM+4QDU5DE2nQ9nDuVTqobD4b8mGGyPMbIZnqyMsEcaGQy67XIw/Jw==";
      # These are well-known keys used in emulators only
      containsSecret: false
- id: azure-subscription-keys
rspecKey: S6684
metadata:
name: Azure subscription keys should not be leaked
detection:
pre:
scopes:
- main
reject:
ext:
- .adoc
- .example
- .html
- .md
- .mdx
- .template
include:
content:
- "Subscription"
matching:
# While pretty generic, looking for this pattern in the wild lands a majority of actual Azure keys.
# As Azure is Microsoft-oriented, a check for the existence of its KeyVault is added to avoid FPs.
# The threshold to 150 characters is used to avoid as big vault urls as possible.
pattern: "(?is)\
(?