pub fn addspn_with_inline_script(graph: &AuthorityGraph) -> Vec<Finding>
Rule: AzureCLI@2 task with addSpnToEnvironment: true AND an inline
script body. The inline script can launder federated SPN material
($env:idToken, $env:servicePrincipalKey, $env:tenantId) into normal
pipeline variables via ##vso[task.setvariable], leaking OIDC tokens to
downstream tasks/artifacts unmasked.
Severity: High. Escalates message wording when the script body contains
explicit laundering patterns (##vso[task.setvariable ...] writing one
of the well-known token env vars or ARM_OIDC_TOKEN).
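The rule as a self-contained sketch (added example, not this crate's code): a simplified `Task` model stands in for the crate's `AuthorityGraph`/`Finding` types, and the constructed sample tasks in `main` are illustrative, not taken from a real pipeline.

```rust
// Added example (not the crate's implementation). Models a single
// AzureCLI@2 task as a list of input key/value pairs, then applies the
// rule: addSpnToEnvironment=true + inline script => High, escalated when
// the script writes a token env var through ##vso[task.setvariable ...].
#[derive(Debug, PartialEq)]
pub enum Severity { High, HighEscalated }

pub struct Task {
    pub task: String,                  // e.g. "AzureCLI@2"
    pub inputs: Vec<(String, String)>, // task inputs (constructed, not parsed YAML)
}

// Well-known env vars that carry SPN/OIDC material in AzureCLI@2.
const TOKEN_ENV_VARS: [&str; 4] = ["idToken", "servicePrincipalKey", "tenantId", "ARM_OIDC_TOKEN"];

fn input<'a>(t: &'a Task, key: &str) -> Option<&'a str> {
    t.inputs.iter().find(|(k, _)| k.eq_ignore_ascii_case(key)).map(|(_, v)| v.as_str())
}

/// True when some line both emits a setvariable logging command and
/// references one of the token env vars (the explicit laundering pattern).
pub fn launders_spn_material(script: &str) -> bool {
    script.lines().any(|line| {
        line.contains("##vso[task.setvariable") && TOKEN_ENV_VARS.iter().any(|v| line.contains(v))
    })
}

pub fn check_task(t: &Task) -> Option<Severity> {
    if t.task != "AzureCLI@2" { return None; }
    let spn = input(t, "addSpnToEnvironment").map_or(false, |v| v.eq_ignore_ascii_case("true"));
    // scriptLocation defaults to scriptPath, so only an explicit inlineScript counts.
    let inline = input(t, "scriptLocation").map_or(false, |v| v.eq_ignore_ascii_case("inlineScript"));
    if !spn || !inline { return None; }
    match input(t, "inlineScript") {
        Some(body) if launders_spn_material(body) => Some(Severity::HighEscalated),
        Some(_) => Some(Severity::High),
        None => None,
    }
}

fn main() {
    let sample = Task { task: "AzureCLI@2".into(), inputs: vec![
        ("addSpnToEnvironment".into(), "true".into()),
        ("scriptLocation".into(), "inlineScript".into()),
        ("inlineScript".into(), "echo \"##vso[task.setvariable variable=T]$env:idToken\"".into()),
    ]};
    println!("{:?}", check_task(&sample)); // Some(HighEscalated)
}
```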