Azure Personal Access Token

ID

azure_pat

Severity

critical

Vendor

Microsoft

Family

API Token

Description

An Azure DevOps Personal Access Token (PAT) authenticates a user to Azure DevOps. A common use is the Azure DevOps extension of the Azure command line interface (az devops), where the PAT replaces an interactive login.

In non-interactive sessions, the PAT is passed to the az command either by assigning it to the environment variable AZURE_DEVOPS_EXT_PAT or by piping it from a file that is kept out of version control (for example into az devops login, which reads the token from standard input).

Security

Any hardcoded Azure PAT is a potential secret reported by this detector. A PAT carries the scopes granted at creation time and acts on behalf of the user who created it, so accidentally committing the token to a source control repository could compromise the Azure DevOps account and its data (repositories, pipelines, work items, and artifacts, depending on the scopes).

Examples

export AZURE_DEVOPS_EXT_PAT=b6eme6inskhw4fze5vpy...
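The following is an added illustration of the kind of check this detector performs; it is not the detector's own rule set. It scans constructed sample files for a PAT literal assigned to AZURE_DEVOPS_EXT_PAT or echoed into az devops login, while leaving variable references, placeholders and file-based logins (the safe patterns) alone. The token format (20 or more lowercase base36 characters, modelled on the sample above) and the file names and contents are assumptions; the token values are fake.

```python
"""Heuristic scan for hardcoded Azure DevOps PATs (added example, not the detector's real rule)."""
import re
from dataclasses import dataclass

# Assumption for this example: a PAT literal is a run of 20+ lowercase base36
# characters, modelled on the page's sample value. Real detectors use tighter,
# format-specific rules.
PAT_LITERAL = r"[a-z0-9]{20,}"

PATTERNS = [
    # export AZURE_DEVOPS_EXT_PAT=<literal>   or   AZURE_DEVOPS_EXT_PAT: "<literal>" (YAML)
    re.compile(rf"\bAZURE_DEVOPS_EXT_PAT\s*[:=]\s*['\"]?(?P<pat>{PAT_LITERAL})['\"]?"),
    # echo '<literal>' | az devops login ...
    re.compile(rf"\becho\s+['\"]?(?P<pat>{PAT_LITERAL})['\"]?\s*\|\s*az\s+devops\s+login"),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    preview: str  # redacted; the report must never carry the full token


def redact(token: str) -> str:
    """Keep just enough of the token to locate it in the file."""
    return token[:4] + "..."


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one finding per line that carries a hardcoded PAT literal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append(Finding(path, lineno, redact(m.group("pat"))))
                break  # one finding per line is enough
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


# Constructed sample files (assumed names and contents); the token value is fake.
FAKE_PAT = "b6eme6inskhw4fze5vpy" + "abcdefghijklmnopqrstuvwxyz012345"
SAMPLE_FILES = {
    # hardcoded literal in an export: reported
    "deploy.sh": f"#!/bin/sh\n# hardcoded token below\nexport AZURE_DEVOPS_EXT_PAT={FAKE_PAT}\naz pipelines run --name build\n",
    # reference to a CI secret store: not a literal, not reported
    "ci.yml": "env:\n  AZURE_DEVOPS_EXT_PAT: ${{ secrets.AZDO_PAT }}\n",
    # token read from a file outside the repository: not reported
    "login.sh": "cat ~/.azdo_pat | az devops login --organization https://dev.azure.com/contoso\n",
    # documentation placeholder: not reported
    "README.md": "Set AZURE_DEVOPS_EXT_PAT=<your-pat> before running.\n",
    # literal piped into the login command: reported
    "bad_login.sh": f"echo '{FAKE_PAT}' | az devops login --organization https://dev.azure.com/contoso\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: hardcoded Azure DevOps PAT {f.preview}")
```

Running the script reports deploy.sh line 3 and bad_login.sh line 1 and nothing else. The redacted preview is deliberate: a scanner that copies the full token into its own output (logs, tickets, CI summaries) just creates a second place the secret leaks from.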

Mitigation / Fix

  1. Follow your policy for handling leaked secrets, which typically requires rotating or revoking the token. A leaked Azure PAT must be rotated or revoked promptly.

    You may use the Azure DevOps user settings page https://dev.azure.com/YOUR_ORGANIZATION/_usersSettings/tokens to create a new token with the same permissions (scopes), update its value in secret vaults or configuration files / environment variables, and, once all references have been changed, revoke the leaked token. Alternatively, regenerate the token immediately and then change the references to the leaked token; this is safer when the token may already be in use by an attacker, at the cost of a short outage for legitimate users.

  2. Check the Azure DevOps audit and access logs to ensure that the secret was not used by unintended actors during the compromised period.

  3. (Optional) Remove the Azure PAT from the source code or committed configuration file. If the file is in a git repository, you may remove unwanted content from the repository history using tools like git filter-repo or BFG Repo-Cleaner, following the procedure GitHub documents for removing sensitive data from a repository. Rewriting history does not replace rotation: anyone who already cloned or fetched the repository still has the token.

To restrict the scope and lifespan of Azure PATs, Azure DevOps offers organization-level policies that can be enabled for organizations backed by Microsoft Entra ID, including restricting the creation of global (all-organization) PATs, restricting full-scoped PATs, and enforcing a maximum PAT lifetime. Enabling them limits what a leaked token can do and for how long.