RG-SEC-002 Arguments Exposing Password
Description
RG-SEC-002 looks for workflow argument names that match a regular expression indicating they contain a password and checks that those arguments are of the data type “System.SecureString”.
This rule is configurable to cater for different search patterns.
Password Pattern:
The regular expression pattern identifies argument names as containing passwords.
Default Pattern:
(.*([Pp][aA][Ss][sS]).*([Ww][oO][Rr][Dd]).*)|(.*[Pp][wW][Dd].*)|(.*[Pp][aA][Ss][sS][Pp][hH][Rr][aA][Ss][eE].*)
Impact
Password Exposure
Mitigation
Passwords, when held in arguments, must be of the type “System.SecureString”.
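The following script is an added example, not part of the UiPath rule or its documentation, showing how the check described above (name matched against the default pattern, type required to be System.SecureString) can be reproduced outside Studio against a workflow file. The XAML fragment is constructed for the example and only follows the shape of Windows Workflow Foundation XAML, in which argument declarations appear as `<x:Property Name="..." Type="InArgument(prefix:Type)" />`; the `ss` prefix mapping to `clr-namespace:System.Security` is likewise an assumption chosen for the sample, since a real workflow may use any prefix.

```python
import io
import re
import xml.etree.ElementTree as ET

# Default pattern from the rule description; Python's re accepts the .NET syntax unchanged.
DEFAULT_PASSWORD_PATTERN = re.compile(
    r"(.*([Pp][aA][Ss][sS]).*([Ww][oO][Rr][Dd]).*)"
    r"|(.*[Pp][wW][Dd].*)"
    r"|(.*[Pp][aA][Ss][sS][Pp][hH][Rr][aA][Ss][eE].*)"
)

# The type the mitigation requires for password-bearing arguments.
SECURE_STRING = "System.Security.SecureString"

# XAML language namespace: x:String, x:Boolean, ... are aliases for System.* primitives.
X_NS = "http://schemas.microsoft.com/winfx/2006/xaml"

# Matches the direction wrapper and captures the inner type reference, e.g. "x:String".
ARG_TYPE_RE = re.compile(r"^(?:In|Out|InOut)Argument\((.+)\)$")

# Constructed sample workflow header (assumption: WF-style XAML, prefixes chosen for the example).
SAMPLE_XAML = """<?xml version="1.0" encoding="utf-8"?>
<Activity x:Class="Main"
          xmlns="http://schemas.microsoft.com/netfx/2009/xaml/activities"
          xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
          xmlns:ss="clr-namespace:System.Security;assembly=mscorlib">
  <x:Members>
    <x:Property Name="in_Username" Type="InArgument(x:String)" />
    <x:Property Name="in_Password" Type="InArgument(x:String)" />
    <x:Property Name="in_Passphrase" Type="InArgument(ss:SecureString)" />
    <x:Property Name="io_ApiPwd" Type="InOutArgument(x:String)" />
    <x:Property Name="out_Result" Type="OutArgument(x:Boolean)" />
  </x:Members>
</Activity>
"""


def parse_arguments(xaml_text):
    """Return (prefix->namespace map, [(argument name, Type attribute)]) from workflow XAML.

    iterparse is used because plain parsing discards the xmlns prefix declarations,
    which are needed to resolve 'ss:SecureString' to a CLR type name.
    """
    prefixes = {}
    arguments = []
    source = io.BytesIO(xaml_text.encode("utf-8"))
    for event, payload in ET.iterparse(source, events=("start-ns", "start")):
        if event == "start-ns":
            prefix, uri = payload
            prefixes[prefix] = uri
        elif payload.tag == f"{{{X_NS}}}Property":
            arguments.append((payload.get("Name"), payload.get("Type")))
    return prefixes, arguments


def resolve_clr_type(type_ref, prefixes):
    """Map 'prefix:TypeName' to a fully qualified CLR type using the xmlns declarations."""
    prefix, _, type_name = type_ref.partition(":")
    uri = prefixes.get(prefix, "")
    clr_namespace = re.match(r"clr-namespace:([^;]+)", uri)
    if clr_namespace:
        return f"{clr_namespace.group(1)}.{type_name}"
    if uri == X_NS:
        return f"System.{type_name}"
    return type_ref  # unknown prefix: report the reference as written


def check_arguments(xaml_text, pattern=DEFAULT_PASSWORD_PATTERN):
    """Return (name, resolved type) for arguments whose name matches the password
    pattern but whose type is not System.SecureString, i.e. RG-SEC-002 findings."""
    prefixes, arguments = parse_arguments(xaml_text)
    findings = []
    for name, type_attr in arguments:
        # .NET Regex.IsMatch is unanchored, so search() mirrors the rule's behaviour.
        if not pattern.search(name or ""):
            continue
        wrapper = ARG_TYPE_RE.match(type_attr or "")
        inner = wrapper.group(1) if wrapper else (type_attr or "")
        clr_type = resolve_clr_type(inner, prefixes)
        if clr_type != SECURE_STRING:
            findings.append((name, clr_type))
    return findings


if __name__ == "__main__":
    for name, clr_type in check_arguments(SAMPLE_XAML):
        print(f"RG-SEC-002: argument '{name}' looks like a password but is {clr_type}")
```

Running it flags `in_Password` and `io_ApiPwd` (both `System.String`) while accepting `in_Passphrase`, which is declared as `ss:SecureString`. Passing a different compiled pattern to `check_arguments` corresponds to changing the rule's configurable search pattern.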
Further Reading
- regex101 - build, test, and debug regex