Is secure-secrets-in-params too sensitive?

[afscrome]

Bicep version
VS Code v0.9.1

Describe the bug
Is the secure-secrets-in-params rule too sensitive. I'm seeing it flag up the following false positives in my templates:

To Reproduce

# An of secret names to copy from keyvault A to keyvault B
param secretNames array

# An array of principal ids to assign the "Key Vault Secret Users" RBAC role
param keyVaultSecretUsers array

[alex-frankel]

Right now we string match for the word secret among other things and it is possible to get false positives like this. I'm going to move this to discussion for now and see if other people feel similarly.

We would recommend using #disable-next-line for cases like this.

[StephenWeatherford]

Note: This is suggested in the rule documentation: https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/linter-rule-secure-secrets-in-parameters#silencing-false-positives

It is possible to add configuration to the rule for words it looks for, but it seems unlikely you'd want to remove "secret" from that list.

[dciborow]

I think it is a little over sensitive, and should only be scoped to parameters of type "string" and maybe "objects", since those are the only types that can be annotated with '@secure()'

Proposed idea for a fix here, #8420

[StephenWeatherford]

@dciborow Good point, definitely would like that fixed.

@afscrome
Open to other suggestions on improving the rule, including if adding configuration would help.

[afscrome]

@StephenWeatherford Do you have any telemetry around names that trigger this rule ? I'd be interested in seeing the top 50 or so, and seeing if there are any common false positive patterns that should be excluded..

[StephenWeatherford]

@afscrome I don't currently, but worth considering. Could you explain why you consider the following to be false positives?

# An of secret names to copy from keyvault A to keyvault B
param secretNames array

# An array of principal ids to assign the "Key Vault Secret Users" RBAC role
param keyVaultSecretUsers array

These parameter names certainly could indicate data that should not be made public, so I'm not sure these should be considered false positives. They may simply need to be silenced. Thanks.