pub fn setvariable_issecret_false(graph: &AuthorityGraph) -> Vec<Finding>
Rule: ADO `##vso[task.setvariable]` with a sensitive-named variable that omits `issecret=true` (either `issecret=false` or no `issecret` flag at all). Without the flag the variable value is printed in plaintext to the pipeline log and is not masked in downstream step output.
Detection (per Step):
- `META_PLATFORM == "azure-devops"` (gates GHA/GitLab out)
- Step carries a non-empty `META_SCRIPT_BODY`
- Body contains `##vso[task.setvariable variable=NAME ...]` where NAME (case-insensitive) matches a sensitive keyword: password, passwd, token, secret, key, credential, cert, apikey, auth
- The directive does NOT contain `issecret=true` (case-insensitive) between `variable=NAME` and the closing `]`
Severity: High.
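The directive check described above, as an added stand-alone example (not this crate's code): it scans a raw script body for `##vso[task.setvariable ...]` directives, honours `issecret` only when it appears after `variable=NAME`, and reports sensitive-named variables that are not marked secret. The keyword list, struct and function names are this example's own assumptions, and it works on a plain string rather than the crate's `AuthorityGraph`.

```rust
// Added example (not the crate's own code): a minimal scanner for the rule above.
// Keyword list, type and function names are this example's own assumptions.
const SENSITIVE_KEYWORDS: [&str; 9] =
    ["password", "passwd", "token", "secret", "key", "credential", "cert", "apikey", "auth"];

/// A `##vso[task.setvariable ...]` directive whose value would be logged unmasked.
#[derive(Debug, PartialEq)]
pub struct UnmaskedSetVariable { pub variable: String, pub directive: String }

fn is_sensitive_name(name: &str) -> bool {
    let lower = name.to_ascii_lowercase();
    SENSITIVE_KEYWORDS.iter().any(|k| lower.contains(k))
}

/// Returns each setvariable directive in `body` whose variable name matches a
/// sensitive keyword and lacks `issecret=true` between `variable=NAME` and `]`
/// (both `issecret=false` and a missing flag count as unmasked).
pub fn find_unmasked_setvariables(body: &str) -> Vec<UnmaskedSetVariable> {
    const PREFIX: &str = "##vso[task.setvariable";
    let mut findings = Vec::new();
    let mut rest = body;
    while let Some(start) = rest.find(PREFIX) {
        let after = &rest[start..];
        let close = match after.find(']') {
            Some(c) => c,
            None => break, // unterminated directive: ADO ignores it, so do we
        };
        let directive = &after[..=close];
        rest = &after[close + 1..];
        // Properties are `;`-separated key=value pairs after the command name.
        let (mut name, mut secret) = (None, false);
        for prop in directive[PREFIX.len()..close].split(';') {
            if let Some((k, v)) = prop.trim().split_once('=') {
                match k.trim().to_ascii_lowercase().as_str() {
                    "variable" => name = Some(v.trim()),
                    // the flag only counts once variable=NAME has been seen
                    "issecret" if name.is_some() => secret = v.trim().eq_ignore_ascii_case("true"),
                    _ => {}
                }
            }
        }
        if let Some(n) = name {
            if is_sensitive_name(n) && !secret {
                findings.push(UnmaskedSetVariable { variable: n.to_string(), directive: directive.to_string() });
            }
        }
    }
    findings
}
```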