fix(query): added two new allowRules on "Generic Secret" and "Generic Token" queries from Passwords and Secrets

assets/queries/common/passwords_and_secrets/regex_rules.json

@@ -87,6 +87,10 @@
         {
           "description": "Allow secret retrieved from ARM parameters",
           "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*[:=]\\s*['\"]?\\[\\s*parameters\\(['\"][a-zA-Z][a-zA-Z0-9_-]*['\"]\\s*\\)\\s*\\]"
+        }, 
+        {
+          "description": "Allow secrets retrieved from Bicep getSecret built in function",
+          "regex": "(?i)['\"]?secret[_]?(key|value)?['\"]?\\s*(:|=)\\s*[a-zA-Z]*\\.getSecret\\(\\s*[\"']?([A-Za-z0-9/~^_!@#&%(){};=?*+-<>,:;[\\]%$]*)[\"']?"
         }
       ],
       "specialMask": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*"
@@ -346,6 +350,10 @@
         {
           "description": "Avoiding next_token Var",
           "regex": "(?i)['\"]?next(_)?token['\"]?\\s*[:=]\\s*['\"]?([[A-Za-z0-9/~^_!@&%()=?*+-]+)['\"]?"
+        },
+        {
+          "description": "Avoiding references to module outputs in Bicep",
+          "regex": "(?i)['\"]?token(_)?(key)?\\s*[:=]\\s*([a-zA-Z][a-zA-Z0-9_]*)\\.outputs\\.([a-zA-Z][a-zA-Z0-9_]*)"
         }
       ],
       "specialMask": "(?i)['\"]?token(_)?(key)?['\"]?\\s*[:=]\\s*"

assets/queries/common/passwords_and_secrets/test/negative56.bicep

@@ -0,0 +1,28 @@
+param systemName string
+param resourceName string
+param tags object
+param originUrl string
+
+module myModule '../AnotherModule/Resource.bicep' = {
+  name: '${resourceName}-MyModule'
+  params: {
+    systemName: systemName
+    resourceName: resourceName
+    tags: tags
+    apiUrl: originUrl
+  }
+}
+
+module clientModule '../ClientModule/Resource.bicep' = {
+  name: '${resourceName}-ClientModule'
+  params: {
+    systemName: systemName
+    resourceName: resourceName
+    tags: tags
+    validationToken: myModule.outputs.apiToken 
+  }
+}
+
+// Saída do módulo
+output clientUrl string = clientModule.outputs.clientUrl
+output clientName string = clientModule.outputs.clientName

assets/queries/common/passwords_and_secrets/test/negative57.bicep

@@ -0,0 +1,25 @@
+import { common, tagsObject, deployName, removeSpace } from '../../../CommonValues.bicep'
+
+@description('Nome do sistema')
+param systemName string
+
+@description('Nome do recurso')
+param resourceName string = removeSpace(systemName)
+
+@description('Enterprise Tagging object')
+param tags tagsObject
+
+resource kvTest 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
+  name: 'kv-test-sample'
+  scope: resourceGroup('rg-test-sample')
+}
+
+module consumerModule '../SecretConsumer/Resource.bicep' = {
+  name: deployName(resourceName, 'Test.SecretConsumer', tags.lastReleaseId)
+  params: {
+    systemName: systemName
+    resourceName: resourceName
+    tags: tags
+    apiClientSecret: kvTest.getSecret('secret-sample') 
+  }
+}