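--- a/rules/S8219/metadata.json
+++ b/rules/S8219/metadata.json
@@ -0,0 +1,2 @@
+{
+}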
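--- a/rules/S8219/secrets/metadata.json
+++ b/rules/S8219/secrets/metadata.json
@@ -0,0 +1,56 @@
+{
+"title": "Azure DevOps App secrets should not be disclosed",
+"type": "VULNERABILITY",
+"code": {
+"impacts": {
+"SECURITY": "BLOCKER"
+},
+"attribute": "TRUSTWORTHY"
+},
+"status": "beta",
+"remediation": {
+"func": "Constant\/Issue",
+"constantCost": "30min"
+},
+"tags": [
+"cwe",
+"cert"
+],
+"defaultSeverity": "Blocker",
+"ruleSpecification": "RSPEC-8219",
+"sqKey": "S8219",
+"scope": "All",
+"securityStandards": {
+"CWE": [
+798,
+259
+],
+"OWASP": [
+"A3"
+],
+"CERT": [
+"MSC03-J."
+],
+"OWASP Top 10 2021": [
+"A7"
+],
+"PCI DSS 3.2": [
+"6.5.10"
+],
+"PCI DSS 4.0": [
+"6.2.4"
+],
+"ASVS 4.0": [
+"2.10.4",
+"3.5.2",
+"6.4.1"
+],
+"STIG ASD_V5R3": [
+"V-222642"
+]
+},
+"defaultQualityProfiles": [
+"Sonar way"
+],
+"quickfix": "infeasible"
+}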
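--- a/rules/S8219/secrets/rule.adoc
+++ b/rules/S8219/secrets/rule.adoc
@@ -0,0 +1,134 @@
+// Set value that can be used to refer to the type of secret in, for example:
+// "An attacker can use this {secret_type} to ..."
+// Commonly used values: access token, api key, application secret, application key or consumer key, service password, OAuth token, deployment password
+:secret_type: secret
+
+include::../../../shared_content/secrets/description.adoc[]
+
+== Why is this an issue?
+
+include::../../../shared_content/secrets/rationale.adoc[]
+
+=== What is the potential impact?
+
+// Optional: Give a general description of the secret and what it's used for.
+
+include::../../../shared_content/secrets/impact/generic_impact.adoc[]
+
+// Uncomment the following line, if specifying detailed impacts from below (also make sure to have new lines around the uncommented includes):
+// include::../../../shared_content/secrets/impact/specific_impact_intro.adoc[]
+
+// Secret may allow hosting arbitrary files
+// include::../../../shared_content/secrets/impact/malware_distribution.adoc[]
+
+// Secret may allow accessing or compromising sensitive data
+// include::../../../shared_content/secrets/impact/data_compromise.adoc[]
+
+// Secret may allow uploading artifacts to services used elsewhere in the supply chain
+// This is specific for code and artifact repositories
+// include::../../../shared_content/secrets/impact/supply_chain_attack.adoc[]
+
+// Secret may be used to trigger workflows
+// This is webhook-specific
+// include::../../../shared_content/secrets/impact/codeless_vulnerability_chaining.adoc[]
+
+// OAuth tokens may allow accessing 3rd party services
+// include::../../../shared_content/secrets/impact/oauth_token_compromise.adoc[]
+
+// Mailing service compromise may allow sending spam, which may result in account termination
+// include::../../../shared_content/secrets/impact/suspicious_activities_termination.adoc[]
+
+// Sensitive information leak / identity impersonation, e.g., through leaked signing secret
+// include::../../../shared_content/secrets/impact/security_downgrade.adoc[]
+
+// Audit trail discrepancies
+// include::../../../shared_content/secrets/impact/non_repudiation.adoc[]
+
+// Package repository secrets may allow access to source code etc.
+// include::../../../shared_content/secrets/impact/source_code_compromise.adoc[]
+
+// Spamming automated calls may cause large bills and rate limited service access
+// include::../../../shared_content/secrets/impact/exceed_rate_limits.adoc[]
+
+// For blockchain specific tokens
+// include::../../../shared_content/secrets/impact/blockchain_data_exposure.adoc[]
+
+// Specific for banking / financial transaction tokens, causing financial loss
+// include::../../../shared_content/secrets/impact/banking_financial_loss.adoc[]
+
+// Secret can be used to send spam or phish users
+// include::../../../shared_content/secrets/impact/phishing.adoc[]
+
+// Secret may allow modifying application data (object stores etc.)
+// include::../../../shared_content/secrets/impact/data_modification.adoc[]
+
+// Specific to services that are used to share PII (personal infos, chat logs, ..)
+// include::../../../shared_content/secrets/impact/personal_data_compromise.adoc[]
+
+// Secret may allow accessing financial data, like CC information or confidential financial reports
+// include::../../../shared_content/secrets/impact/disclosure_of_financial_data.adoc[]
+
+// Secret may allow occurring financial losses through 3rd party API usage
+// include::../../../shared_content/secrets/impact/financial_loss.adoc[]
+
+// Secret may be used to modify dashboards to corrupt shown data
+// Requires setting service_name variable
+// :service_name: secret service
+// include::../../../shared_content/secrets/impact/dataviz_takeover.adoc[]
+
+// Secret is related to IaaS providers and can be used to change DNS, launch VMs, etc.
+// Requires setting service_name variable
+// :service_name: secret service
+// include::../../../shared_content/secrets/impact/infrastructure_takeover.adoc[]
+
+== How to fix it
+
+// 1. Revoke leaked secrets
+
+include::../../../shared_content/secrets/fix/revoke.adoc[]
+
+// 2. Analyze recent use to identify misuse
+
+include::../../../shared_content/secrets/fix/recent_use.adoc[]
+
+// 3. Use a secret vault in the future
+
+include::../../../shared_content/secrets/fix/vault.adoc[]
+
+// 4. Never hard-code secrets
+
+include::../../../shared_content/secrets/fix/default.adoc[]
+
+// OAuth PKCE is very specific to OAuth 2.0
+// include::../../../shared_content/secrets/fix/oauth_pkce.adoc[]
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,shell,diff-id=1,diff-type=noncompliant,subs="attributes"]
+----
+$patToken = 'joyyajsQIMoZtAflxnOadGtMjeXmXEOlXeK3UsvoWmiXURCCpBpl' # Noncompliant
+$FeedName = 'redacted'
+$FeedLocation = "https://pkgs.dev.azure.com/redacted/redacted/_packaging/$FeedName/nuget"
+----
+
+==== Compliant solution
+[source,shell,diff-id=1,diff-type=compliant,subs="attributes"]
+----
+$patToken = $env:AZURE_DEVOPS_APP_SECRET
+$FeedName = 'redacted'
+$FeedLocation = "https://pkgs.dev.azure.com/redacted/redacted/_packaging/$FeedName/nuget"
+----
+
+//=== How does this work?
+
+//=== Pitfalls
+
+//=== Going the extra mile
+
+== Resources
+
+include::../../../shared_content/secrets/resources/standards.adoc[]
+
+//=== Benchmarks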
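Review bot: Both code examples are PowerShell (`$patToken`, `$env:AZURE_DEVOPS_APP_SECRET`) but their source blocks are tagged `shell`; the attribute should read `[source,powershell,diff-id=1,diff-type=noncompliant,subs="attributes"]` (and likewise for the compliant block) so the snippet is highlighted and classified consistently with its syntax. The variable name `patToken` reads as a personal access token while the rule title and the environment variable say "App secret", so one of the two should be aligned to make clear which credential the rule detects. `:secret_type:` is also left at the generic `secret` and only `generic_impact.adoc` is included, although the example targets an Azure Artifacts feed (`_packaging/.../nuget`); if the detected secret grants access to that feed, the commented `supply_chain_attack.adoc` and `source_code_compromise.adoc` includes are the applicable ones, and setting `:secret_type: application secret` would make the shared description read correctly.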