RG-SEC-001 Variables Exposing Password
Description
RG-SEC-001 looks for variable names within workflows that match a regular expression indicating they hold a password, and checks that each such variable is declared with the data type “System.SecureString” rather than a plain “String” (or any other type). The check is name-based: it inspects how a variable is declared, not what is assigned to it.
This rule is configurable to cater for different search patterns. The default pattern only recognises names built around “password”, “pwd” and “passphrase”; variables named after other secrets (for example “secret” or “token”) are not flagged unless the pattern is extended, and names such as “bypassWord” will produce false positives.
Password Pattern:
The regular expression pattern identifies variable names as containing passwords. It is a case-insensitive substring match: a name matches when it contains “pass” followed later by “word”, or contains “pwd” or “passphrase” anywhere.
Default Pattern:
```
(.*([Pp][Aa][Ss][Ss]).*([Ww][Oo][Rr][Dd]).*)|(.*[Pp][Ww][Dd].*)|(.*[Pp][Aa][Ss][Ss][Pp][Hh][Rr][Aa][Ss][Ee].*)
```
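The check described above, implemented as an added example in Python (this is not the rule's own code or part of any UiPath product): it parses a workflow XAML file, collects the xmlns prefix declarations, and reports every Variable whose Name matches the default pattern but whose x:TypeArguments does not resolve to System.Security.SecureString. The sample workflow is constructed for the example, the namespace URIs are the standard Workflow Foundation XAML ones, and the prefix ss for System.Security is an assumption about how the project declares it (the check resolves whatever prefix is actually used).

```python
import io
import re
import xml.etree.ElementTree as ET

# Default password-name pattern from the rule (with its ".*" wildcards).
DEFAULT_PASSWORD_PATTERN = re.compile(
    r"(.*([Pp][Aa][Ss][Ss]).*([Ww][Oo][Rr][Dd]).*)"
    r"|(.*[Pp][Ww][Dd].*)"
    r"|(.*[Pp][Aa][Ss][Ss][Pp][Hh][Rr][Aa][Ss][Ee].*)"
)

# Namespaces used by Windows Workflow Foundation XAML, which UiPath workflows are built on.
XAML_NS = "{http://schemas.microsoft.com/winfx/2006/xaml}"
ACTIVITIES_NS = "{http://schemas.microsoft.com/netfx/2009/xaml/activities}"


def is_secure_string(type_args: str, prefixes: dict) -> bool:
    """True when a XAML type argument such as 'ss:SecureString' resolves to
    System.Security.SecureString via the document's xmlns prefix map."""
    prefix, sep, name = type_args.partition(":")
    if not sep:                      # unprefixed type name: default namespace
        prefix, name = "", prefix
    clr_ns = prefixes.get(prefix, "")
    return name == "SecureString" and clr_ns.startswith("clr-namespace:System.Security;")


def find_exposed_passwords(xaml_text: str, pattern=DEFAULT_PASSWORD_PATTERN):
    """Return (variable name, declared type) for every workflow Variable whose
    name matches the password pattern but is not declared as SecureString."""
    prefixes = {}
    findings = []
    source = io.BytesIO(xaml_text.encode("utf-8"))
    for event, payload in ET.iterparse(source, events=("start-ns", "start")):
        if event == "start-ns":      # xmlns declarations arrive before the element that declares them
            prefix, uri = payload
            prefixes[prefix] = uri
            continue
        elem = payload
        if elem.tag != ACTIVITIES_NS + "Variable":
            continue
        name = elem.get("Name", "")
        type_args = elem.get(XAML_NS + "TypeArguments", "")
        if pattern.match(name) and not is_secure_string(type_args, prefixes):
            findings.append((name, type_args))
    return findings


# Constructed sample workflow (not a real project file): one compliant
# SecureString variable and three password-like variables with weaker types.
SAMPLE_XAML = """<Activity x:Class="Main"
  xmlns="http://schemas.microsoft.com/netfx/2009/xaml/activities"
  xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
  xmlns:ss="clr-namespace:System.Security;assembly=mscorlib">
  <Sequence DisplayName="Login">
    <Sequence.Variables>
      <Variable x:TypeArguments="x:String" Name="userName" />
      <Variable x:TypeArguments="x:String" Name="strPassword" />
      <Variable x:TypeArguments="ss:SecureString" Name="securePassword" />
      <Variable x:TypeArguments="x:String" Name="apiPwd" />
      <Variable x:TypeArguments="x:Object" Name="Passphrase" />
    </Sequence.Variables>
  </Sequence>
</Activity>
"""

if __name__ == "__main__":
    for name, declared in find_exposed_passwords(SAMPLE_XAML):
        print(f"RG-SEC-001: variable '{name}' is {declared or 'untyped'}, expected SecureString")
```

Resolving the prefix through the xmlns map matters: a type literally spelled “SecureString” in some other namespace would otherwise pass, and a project that declares System.Security under a different prefix would otherwise fail. Only Variable elements are inspected; workflow arguments (x:Property with an InArgument type) are outside the scope of this rule as described.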
Impact
Password Exposure. A password held in a plain String variable sits in process memory as clear text for the life of the workflow and is easily written to logs, exception messages or debug output by any activity that handles it.
Mitigation
Passwords, when held in variables, must be of the type “System.SecureString”. Keep the value as a SecureString from the point it is obtained (for example from a credential store) to the activity that consumes it; converting it back to a plain String part-way through the workflow reintroduces the exposure even though this rule will no longer flag the variable.
Further Reading
- regex101 - build, test, and debug regex