Selectively suppress Azure.Deployment.SecureParameter

[BernieWhite]

• Fix secretName from being detected as a secret value.
• Add a configuration option to support setting allowed parameter names that might generate a false positive.

Discussed in #2526

^{Originally posted by mderriey November 9, 2023}
Hi there 👋

Our CI picked up PSRule.Rules.Azure v1.31.0 and we get errors related to the new Azure.Deployment.SecureParameter rule.

Some of those errors are false-positive that we'd like to exclude, but we couldn't find out how to selectively do this.

For example, we have a Bicep template to store a secret in Key Vault:

param keyVaultName string = uniqueString('akv', resourceGroup().id)
param secretName string = 'ExampleSecret'
@secure()
param secretValue string = ''
param override bool = true

resource secret 'Microsoft.KeyVault/vaults/secrets@2019-09-01' = if (override) {
  name: '${keyVaultName}/${secretName}'
  properties: {
    attributes: {
      enabled: true
    }
    value: secretValue
  }
}

output secretUri string = secret.properties.secretUri
output secretUriWithVersion string = secret.properties.secretUriWithVersion

Here, the secretName param gets flagged, although it only represents the name of the secret, so it's not actually sensitive.

I was wondering if we could leverage a suppression group to selectively allow such cases?
Right now, the only solution we found is to disable the rule entirely, which is not ideal.

Another question is, I couldn't find documentation telling what sort of "input object" gets passed to the suppression group, which could help figure out how I could construct the spec.if object.
Is this documented somewhere, or is there a way to see the context passed to the suppression group through a PowerShell parameter to get a better sense of how we might do this?