diff --git a/rules/S6338/secrets/rule.adoc b/rules/S6338/secrets/rule.adoc
index 3345408477..03eae64fd1 100644
--- a/rules/S6338/secrets/rule.adoc
+++ b/rules/S6338/secrets/rule.adoc
@@ -32,11 +32,72 @@
 include::../../../shared_content/secrets/fix/vault.adoc[]
 === Code examples
-:example_secret: 4dVw+l0W8My+FwuZ08dWXn+gHxcmBtS7esLAQSrm6/Om3jeyUKKGMkfAh38kWZlItThQYsg31v23A0w/uVP4pg==
-:example_name: storage_key
-:example_env: STORAGE_KEY
+==== Noncompliant code example
-include::../../../shared_content/secrets/examples.adoc[]
+[source,csharp,diff-id=1,diff-type=noncompliant]
+----
+using Azure.Storage.Blobs;
+using Azure.Storage;
+
+class Example
+{
+ static void Main(string[] args)
+ {
+ string account = "accountname";
+ string accountKey = "4dVw+l0W8My+FwuZ08dWXn+gHxcmBtS7esLAQSrm6/Om3jeyUKKGMkfAh38kWZlItThQYsg31v23A0w/uVP4pg=="; // Noncompliant
+ StorageSharedKeyCredential sharedKeyCredential = new StorageSharedKeyCredential(account, accountKey);
+
+ BlobServiceClient blobServiceClient = new BlobServiceClient(
+ new Uri($"https://{account}.blob.core.windows.net"),
+ sharedKeyCredential);
+ }
+}
+----
+
+==== Compliant solution
+
+Using environment variables:
+
+[source,csharp,diff-id=1,diff-type=compliant]
+----
+using System;
+using Azure.Storage.Blobs;
+using Azure.Storage;
+
+class Example
+{
+ static void Main(string[] args)
+ {
+ string account = Environment.GetEnvironmentVariable("ACCOUNT_NAME");
+ string accountKey = Environment.GetEnvironmentVariable("ACCOUNT_KEY");
+ StorageSharedKeyCredential sharedKeyCredential = new StorageSharedKeyCredential(account, accountKey);
+
+ BlobServiceClient blobServiceClient = new BlobServiceClient(
+ new Uri($"https://{account}.blob.core.windows.net"),
+ sharedKeyCredential);
+ }
+}
+----
+
+Using a passwordless approach, thanks to https://learn.microsoft.com/en-us/azure/storage/blobs/storage-quickstart-blobs-dotnet?tabs=visual-studio%2Cmanaged-identity%2Croles-azure-portal%2Csign-in-azure-cli%2Cidentity-visual-studio#sign-in-and-connect-your-app-code-to-azure-using-defaultazurecredential[DefaultAzureCredential]:
+
+[source,csharp]
+----
+using System;
+using Azure.Storage.Blobs;
+using Azure.Identity;
+
+class Example
+{
+ static void Main(string[] args)
+ {
+ string account = Environment.GetEnvironmentVariable("ACCOUNT_NAME");
+ var blobServiceClient = new BlobServiceClient(
+ new Uri($"https://{account}.blob.core.windows.net"),
+ new DefaultAzureCredential());
+ }
+}
+----
 //=== How does this work?
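Review bot: The noncompliant snippet calls `new Uri(...)` but its only directives are `using Azure.Storage.Blobs;` and `using Azure.Storage;`, while the paired compliant snippet (same diff-id=1) adds `using System;`; unless the reader's project has implicit usings, the before sample does not compile as written, and the two halves of a diff-id pair should differ only in how the credential is obtained. Add `using System;` as the first line of the noncompliant block so the rendered diff highlights just the secret handling. A smaller point on the environment-variable sample: `Environment.GetEnvironmentVariable` returns null when the variable is unset, so `accountKey` can be null when it reaches `StorageSharedKeyCredential`; a guard such as `?? throw new InvalidOperationException("ACCOUNT_KEY is not set")` would make the expected configuration explicit without changing the rule's message.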