
Governance Anti Patterns Security

Joshua Davis edited this page Apr 5, 2026 · 7 revisions

Security

Credentials, secrets, and insecure configuration detection

Domain: security


Checks (7)

| Check | Description |
| --- | --- |
| ANTI-SEC-001 | Possible credential/secret in output — use managed identity instead of connection strings or keys. |
| ANTI-SEC-002 | Admin credentials detected — disable admin user and use managed identity with AcrPull role assignment. |
| ANTI-SEC-003 | Possible hardcoded value detected — externalize to Key Vault or use variables. |
| ANTI-SEC-004 | Encryption at rest is disabled — enable TDE for SQL, SSE for Storage. |
| ANTI-SEC-005 | Sensitive value in Terraform output — remove the output or add sensitive = true. |
| ANTI-SEC-006 | Deprecated sensitive output detected — remove the output entirely instead of adding a warning comment. |
| ANTI-SEC-007 | Overprivileged role assignment detected — use the most specific built-in role at the narrowest scope. |

ANTI-SEC-001

Possible credential/secret in output — use managed identity instead of connection strings or keys.

Rationale: Connection strings and access keys are shared secrets that cannot be scoped to specific identities, automatically rotated, or audited through Entra ID.
Agents: terraform-agent, bicep-agent, app-developer, csharp-developer, python-developer

Targets

Services: *All*

Triggers on:
  • 'connection_string'
  • 'connectionstring'
  • 'access_key'
  • 'accesskey'
  • 'account_key'
  • 'accountkey'
  • 'shared_access_key'
  • 'client_secret'
  • 'password ='
  • 'password="'
  • 'password=''

Correct patterns:
  • '# Use managed identity via DefaultAzureCredential'
  • 'Microsoft.ManagedIdentity/userAssignedIdentities'
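The check above is a substring match over each line of the generated file. The following is an added example of that detection logic, written for this page and not taken from the project: the trigger and correct-pattern strings are copied from the ANTI-SEC-001 table, the `scan` function takes the trigger list as a parameter so any other check's table can be fed to it unchanged, and the two Terraform snippets are constructed input (the `azurerm_*` resource and attribute names are standard provider names, used here only as sample text).

```python
"""Line-level trigger scanner for ANTI-SEC-001 (added example, not the project's code)."""
from dataclasses import dataclass

# Trigger and correct-pattern strings copied from the ANTI-SEC-001 table.
ANTI_SEC_001_TRIGGERS = [
    "connection_string", "connectionstring",
    "access_key", "accesskey",
    "account_key", "accountkey",
    "shared_access_key", "client_secret",
    "password =", 'password="', "password='",
]
ANTI_SEC_001_CORRECT = [
    "# Use managed identity via DefaultAzureCredential",
    "Microsoft.ManagedIdentity/userAssignedIdentities",
]


@dataclass(frozen=True)
class Finding:
    check: str
    line_no: int
    trigger: str
    text: str


def scan(source: str, triggers, check_id: str = "ANTI-SEC-001"):
    """Return one Finding per line containing any trigger.

    Matching is a case-sensitive substring test on the literal strings from the
    table (the table lists 'access_key' and 'accesskey' separately, so no
    normalisation is applied). The first matching trigger wins for a line.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for trigger in triggers:
            if trigger in line:
                findings.append(Finding(check_id, line_no, trigger, line.strip()))
                break
    return findings


def has_correct_pattern(source: str, patterns) -> bool:
    """True when the file already carries one of the check's correct patterns."""
    return any(pattern in source for pattern in patterns)


# Constructed input exhibiting the anti-pattern: a password attribute and an
# output that exposes a connection string.
BEFORE = """\
resource "azurerm_mssql_server" "main" {
  name                         = "example-sql"
  administrator_login          = "sqladmin"
  administrator_login_password = "constructed-example-only"
}

output "storage_connection_string" {
  value = azurerm_storage_account.main.primary_connection_string
}
"""

# Constructed input using the correct pattern: a user-assigned identity is the
# SQL administrator, so no shared secret appears in the file.
AFTER = """\
# Use managed identity via DefaultAzureCredential
resource "azurerm_user_assigned_identity" "app" {
  name                = "app-identity"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
}

resource "azurerm_mssql_server" "main" {
  name = "example-sql"
  azuread_administrator {
    login_username = "app-identity"
    object_id      = azurerm_user_assigned_identity.app.principal_id
  }
}
"""


def report(source: str) -> None:
    for f in scan(source, ANTI_SEC_001_TRIGGERS):
        print(f"{f.check} line {f.line_no}: matched '{f.trigger}': {f.text}")
    print("correct pattern present:", has_correct_pattern(source, ANTI_SEC_001_CORRECT))


if __name__ == "__main__":
    report(BEFORE)   # three findings (lines 4, 7, 8), no correct pattern
    report(AFTER)    # no findings, correct pattern present
```

The substring triggers are deliberately broad: `administrator_login_password = var.sql_admin_password` would trip on `password =` even though the value is a variable reference, so a hit is a prompt for the agent to re-emit the block with the correct pattern, not a verdict on the value itself.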

ANTI-SEC-002

Admin credentials detected — disable admin user and use managed identity with AcrPull role assignment.

Rationale: Admin credentials are shared secrets that cannot be scoped per-service and bypass RBAC audit trails.
Agents: terraform-agent, bicep-agent

Targets

Services:
  • Microsoft.ContainerRegistry/registries

Triggers on:
  • 'admin_enabled = true'
  • 'admin_username'
  • 'admin_password'
  • 'adminUserEnabled = true'

Correct patterns:
  • 'admin_enabled = false'
  • 'adminUserEnabled = false'
  • '# Use managed identity with AcrPull role assignment'

ANTI-SEC-003

Possible hardcoded value detected — externalize to Key Vault or use variables.

Rationale: Hardcoded values in code cannot be rotated and are permanently exposed in source control history.
Agents: terraform-agent, bicep-agent, app-developer, csharp-developer, python-developer

Targets

Services: *All*

Triggers on:
  • 'hardcoded'
  • 'hard-coded'
  • 'hard coded'

Correct patterns:
  • '# Externalize secrets to Key Vault or use managed identity'

ANTI-SEC-004

Encryption at rest is disabled — enable TDE for SQL, SSE for Storage.

Rationale: Disabled encryption exposes data if storage media is compromised or improperly decommissioned.
Agents: terraform-agent, bicep-agent

Targets

Services:
  • Microsoft.Sql/servers
  • Microsoft.Sql/servers/databases
  • Microsoft.Storage/storageAccounts
  • Microsoft.DocumentDB/databaseAccounts

Triggers on:
  • 'disable_tde'
  • 'transparent_data_encryption = false'
  • 'encryption_at_rest = false'

Correct patterns:
  • 'transparent_data_encryption = true'
  • 'transparentDataEncryption = "Enabled"'
  • 'encryption_at_rest = true'

ANTI-SEC-005

Sensitive value in Terraform output — remove the output or add sensitive = true.

Rationale: Terraform outputs are stored in plaintext state files — sensitive values are visible to anyone with state access.
Agents: terraform-agent

Targets

Services: *All*

Triggers on:
  • 'output "cosmos_account_primary_key"'
  • 'output "cosmos_primary_key"'
  • 'output "cosmos_connection_strings"'
  • 'output "primary_key"'
  • 'output "primary_connection_string"'
  • 'output "secondary_key"'
  • 'output "storage_account_key"'
  • 'output "storage_primary_key"'
  • 'output "sql_admin_password"'

Correct patterns:
  • '# Remove sensitive outputs — use managed identity for service-to-service auth'
  • 'output "resource_id"'
  • 'output "principal_id"'

ANTI-SEC-006

Deprecated sensitive output detected — remove the output entirely instead of adding a warning comment.

Rationale: Outputs marked with "DO NOT USE" or "DEPRECATED" should be removed entirely, not left with warnings.
Agents: terraform-agent

Targets

Services: *All*

Triggers on:
  • 'DO NOT USE - use managed identity'
  • 'DEPRECATED: Use managed identity'
  • 'WARNING: Do not use'

Correct patterns:
  • '# Remove this output entirely — do not emit sensitive values'

ANTI-SEC-007

Overprivileged role assignment detected — use the most specific built-in role at the narrowest scope.

Rationale: Owner and Contributor roles grant full control — service identities should use the most specific data-plane role at the narrowest scope.
Agents: terraform-agent, bicep-agent

Targets

Services:
  • Microsoft.Authorization/roleAssignments

Triggers on:
  • '"Owner"'
  • '"Contributor"'

Correct patterns:
  • '"Storage Blob Data Contributor"'
  • '"Key Vault Secrets User"'
  • '# Use the most specific built-in role at the narrowest scope'
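ANTI-SEC-005 and ANTI-SEC-007 differ from the substring checks above in that the verdict depends on the surrounding block: an output named `primary_key` is acceptable once it carries `sensitive = true`, and a role assignment is judged by its role together with its scope. The following is an added example, written for this page and not the project's own code, of both checks on top of a minimal reader for flat top-level Terraform blocks. Assumptions: `azurerm_role_assignment` is taken as the Terraform form of Microsoft.Authorization/roleAssignments; the output names and roles come from the two tables; the scope classification by path depth (subscription, resource group, resource) is an added heuristic not stated on the page; the Terraform input is constructed.

```python
"""Block-level checks for ANTI-SEC-005 and ANTI-SEC-007 (added example, not the project's code)."""
import re
from dataclasses import dataclass, field

# Top-level `output "name" {` or `resource "type" "name" {` header.
BLOCK_HEADER = re.compile(r'^(output|resource)\s+"([^"]+)"(?:\s+"([^"]+)")?\s*\{')
# Flat `key = value` attribute line inside a block.
ATTRIBUTE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')

# Output names listed as triggers for ANTI-SEC-005.
SENSITIVE_OUTPUT_NAMES = {
    "cosmos_account_primary_key", "cosmos_primary_key", "cosmos_connection_strings",
    "primary_key", "primary_connection_string", "secondary_key",
    "storage_account_key", "storage_primary_key", "sql_admin_password",
}
# Roles listed as triggers for ANTI-SEC-007.
BROAD_ROLES = {"Owner", "Contributor"}
# Assumption: the Terraform resource type for Microsoft.Authorization/roleAssignments.
ROLE_ASSIGNMENT_TYPE = "azurerm_role_assignment"


@dataclass
class Block:
    kind: str        # "output" or "resource"
    type_: str       # resource type, "" for outputs
    name: str
    line_no: int
    attrs: dict = field(default_factory=dict)


def parse_blocks(source: str):
    """Minimal HCL reader: top-level output/resource blocks and their flat attributes.
    Nested blocks are skipped, which is enough for these two checks."""
    blocks, current, depth = [], None, 0
    for line_no, line in enumerate(source.splitlines(), start=1):
        if current is None:
            m = BLOCK_HEADER.match(line)
            if m:
                kind, first, second = m.groups()
                current = Block(kind, "" if kind == "output" else first,
                                first if kind == "output" else (second or ""), line_no)
                depth = 1
            continue
        depth += line.count("{") - line.count("}")
        if depth <= 0:            # closing brace of the block
            blocks.append(current)
            current = None
        elif depth == 1:          # only this block's own flat attributes
            m = ATTRIBUTE.match(line)
            if m:
                current.attrs[m.group(1)] = m.group(2)
    return blocks


def check_sensitive_outputs(blocks):
    """ANTI-SEC-005: a listed output name without sensitive = true is a finding."""
    return [("ANTI-SEC-005", b.line_no, b.name, "remove the output or add sensitive = true")
            for b in blocks
            if b.kind == "output" and b.name in SENSITIVE_OUTPUT_NAMES
            and b.attrs.get("sensitive") != "true"]


def scope_level(scope: str) -> str:
    """Added heuristic: classify a literal ARM scope path by depth. Non-literal
    scopes (e.g. azurerm_storage_account.main.id) resolve only at plan time."""
    path = scope.strip().strip('"')
    if not path.startswith("/subscriptions/"):
        return "reference"
    parts = [p for p in path.split("/") if p]
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and parts[2].lower() == "resourcegroups":
        return "resource_group"
    return "resource"


def check_role_assignments(blocks):
    """ANTI-SEC-007: Owner/Contributor is a finding; the scope level is attached
    so a reviewer sees how wide the grant is."""
    findings = []
    for b in blocks:
        if b.kind == "resource" and b.type_ == ROLE_ASSIGNMENT_TYPE:
            role = b.attrs.get("role_definition_name", "").strip('"')
            if role in BROAD_ROLES:
                findings.append(("ANTI-SEC-007", b.line_no, role,
                                 scope_level(b.attrs.get("scope", ""))))
    return findings


def run_checks(source: str):
    blocks = parse_blocks(source)
    return check_sensitive_outputs(blocks) + check_role_assignments(blocks)


# Constructed input: one bad output, one output fixed with sensitive = true, one
# harmless output, one subscription-wide Contributor grant, one narrow data-plane grant.
SAMPLE_TF = """\
output "primary_connection_string" {
  value = azurerm_storage_account.main.primary_connection_string
}
output "sql_admin_password" {
  value     = random_password.sql.result
  sensitive = true
}
output "principal_id" {
  value = azurerm_user_assigned_identity.app.principal_id
}
resource "azurerm_role_assignment" "too_broad" {
  scope                = "/subscriptions/00000000-0000-0000-0000-000000000000"
  role_definition_name = "Contributor"
  principal_id         = azurerm_user_assigned_identity.app.principal_id
}
resource "azurerm_role_assignment" "scoped" {
  scope                = azurerm_storage_account.main.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = azurerm_user_assigned_identity.app.principal_id
}
"""

if __name__ == "__main__":
    for finding in run_checks(SAMPLE_TF):
        print(finding)   # expected: ANTI-SEC-005 at line 1, ANTI-SEC-007 at line 11
```

Marking an output `sensitive = true` only stops Terraform from printing it; the value still lands in the state file, which is why the table's first correct pattern is to remove the output and hand out `principal_id` or `resource_id` instead.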
