## GitHub Security Alert: Infrastructure Secrets Manually Set, Bypassing Azure Key Vault Integration
A medium-severity security vulnerability has been flagged in a GitHub repository, exposing a critical lapse in secret management. The infrastructure deployment flow is currently reliant on manually setting sensitive API secrets directly within the Static Web App's application settings. This practice bypasses first-class integration with Azure Key Vault, creating a direct path for operational secret sprawl and significantly elevating the risk of accidental exposure.

The flaw lies in the `infra/main.bicep` file, specifically lines 61-64 and 66-75. With this configuration, secrets are not centrally managed, encrypted, or audited through a dedicated secret manager. Instead, they are embedded in deployment scripts and operator workflows, where they can leak through manual handling, script sharing, or insufficient access controls. The result is a higher risk of secret rotation failures and no enforceable lifecycle controls.

This vulnerability is categorized under OWASP A02:2021 - Cryptographic Failures. The explicit recommendation is to migrate to a secure pattern using managed identities and Key Vault references for runtime secret retrieval. Without this fix, secrets are not properly rotated, access is not governed by Role-Based Access Control (RBAC), and there is no centralized audit trail, leaving the entire deployment pipeline exposed to a constant, preventable risk.
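The recommended pattern, as an added Bicep example that is not the repository's `infra/main.bicep`: the Static Web App gets a system-assigned managed identity, its application setting holds only a Key Vault reference, and a role assignment grants the identity read access to secrets. The vault name, app name and secret name `api-secret` are placeholders; the weak pattern being replaced is shown in the comment.

```bicep
// Added example, not the repository's own code. Names below are placeholders.
param location string = resourceGroup().location
param keyVaultName string = 'kv-placeholder'          // assumption: existing vault
param staticWebAppName string = 'swa-placeholder'

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
}

resource swa 'Microsoft.Web/staticSites@2022-09-01' = {
  name: staticWebAppName
  location: location
  sku: { name: 'Standard', tier: 'Standard' }   // Key Vault references need Standard
  identity: { type: 'SystemAssigned' }          // the identity that reads the vault
  properties: {}
}

// Weak pattern (what the issue describes): the secret value is passed in by an
// operator and written into application settings as a literal, e.g.
//   @secure() param apiSecret string
//   properties: { API_SECRET: apiSecret }
// The value then lives in parameter files, shell history and deployment logs.

// Hardened pattern: the setting holds a reference, not the value. The runtime
// resolves it via the managed identity, so the secret never enters the deployment.
resource swaSettings 'Microsoft.Web/staticSites/config@2022-09-01' = {
  parent: swa
  name: 'appsettings'
  properties: {
    // vaultUri already ends with '/', e.g. https://kv-placeholder.vault.azure.net/
    API_SECRET: '@Microsoft.KeyVault(SecretUri=${kv.properties.vaultUri}secrets/api-secret/)'
  }
}

// RBAC: grant the app's identity the built-in "Key Vault Secrets User" role
// (read-only on secret values), scoped to this vault only.
var secretsUserRoleId = '4633458b-17de-408a-b874-0445c86b69e6'
resource kvRole 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, swa.id, secretsUserRoleId)
  scope: kv
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', secretsUserRoleId)
    principalId: swa.identity.principalId
    principalType: 'ServicePrincipal'
  }
}
```

Rotation then happens in the vault (a new secret version is picked up because the reference omits the version), and every read is logged in the vault's audit trail.
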
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: Azure, Key Vault, Secret Management, DevSecOps, Infrastructure as Code
- **Credibility**: unverified
- **Published**: 2026-04-10 12:22:46
- **ID**: 58806
- **URL**: https://whisperx.ai/en/intel/58806