Azure Secret Expiration Not Enabled

Description

Identifies Azure Key Vault secrets that are enabled but do not have an expiration date configured. Secrets without expiration dates can remain valid indefinitely, increasing security risk if compromised and violating security best practices for secret rotation.

Weakness:

446 - Insecure service configuration - Azure

Category: Functionality Abuse

Detection Strategy

    Scans all secrets in Azure Key Vault instances

    Checks if the secret is currently enabled (attributes.enabled = true)

    Verifies if the secret has no expiration date set (attributes.expires is null/empty)

    Reports a vulnerability for each enabled secret that lacks an expiration date
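
The detection steps above, as an added example (not code from this database or its scanner): a Python check run over a constructed sample shaped like the JSON that `az keyvault secret list` prints. The vault name, secret names and the function name `secrets_without_expiration` are assumptions made for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample, shaped like the output of `az keyvault secret list`.
SAMPLE = """
[
  {"id": "https://example-vault.vault.azure.net/secrets/db-password",
   "attributes": {"enabled": true, "expires": null}},
  {"id": "https://example-vault.vault.azure.net/secrets/api-token",
   "attributes": {"enabled": true, "expires": "2030-01-01T00:00:00+00:00"}},
  {"id": "https://example-vault.vault.azure.net/secrets/legacy-key",
   "attributes": {"enabled": false, "expires": null}},
  {"id": "https://example-vault.vault.azure.net/secrets/smtp-password",
   "attributes": {"enabled": true, "expires": ""}},
  {"id": "https://example-vault.vault.azure.net/secrets/no-attrs"}
]
"""


def secrets_without_expiration(secrets):
    """Return one finding per enabled secret whose expiration is unset."""
    findings = []
    for secret in secrets:
        attrs = secret.get("attributes") or {}
        # Step 2: only secrets explicitly enabled are in scope.
        if attrs.get("enabled") is not True:
            continue
        # Step 3: a missing key, null and "" all count as "no expiration".
        if attrs.get("expires"):
            continue
        # Step 4: report, splitting the secret id into vault host and name.
        url = urlparse(secret.get("id", ""))
        findings.append({
            "vault": url.hostname or "",
            "secret": url.path.rsplit("/", 1)[-1],
            "id": secret.get("id", ""),
        })
    return findings


def main():
    for f in secrets_without_expiration(json.loads(SAMPLE)):
        print(f"{f['vault']}: secret '{f['secret']}' is enabled "
              "and has no expiration date")


if __name__ == "__main__":
    main()
```

To run it against a real vault, replace `SAMPLE` with the output of `az keyvault secret list --vault-name <vault>`; a reported secret can be given an expiration date with `az keyvault secret set-attributes --expires`.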