Problem
The task-runner managed identity has vault-wide Key Vault Secrets User role, allowing it to read controller-only secrets (e.g., jira-api-token, gitlab-token).
Proposed Fix
Use per-secret RBAC assignments when Azure supports it at GA, or restrict via Key Vault access policy scoping.
OWASP Category
- Broken Access Control (Medium)
Found during OWASP review of PR #294.
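An added audit check to go with this finding, not code from the PR or the project: it reads role-assignment records in the shape `az role assignment list` returns, flags a Key Vault Secrets User grant scoped to the whole vault for an identity that only needs a few secrets, and emits the secret-level scopes the per-secret fix would use. The vault id, the `task-queue-key` secret name and the `ALLOWED` map are assumptions.

```python
import re

SECRETS_USER = "Key Vault Secrets User"
# Key Vault resource id, optionally followed by a /secrets/<name> segment.
SCOPE_RE = re.compile(
    r"^(?P<vault>/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.KeyVault/vaults/[^/]+)(?:/secrets/(?P<secret>[^/]+))?$"
)

# Placeholder vault id (assumption, not the project's real vault).
VAULT = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
         "rg-placeholder/providers/Microsoft.KeyVault/vaults/kv-placeholder")

# Constructed sample records mimicking `az role assignment list` output.
ASSIGNMENTS = [
    {"principalName": "task-runner", "roleDefinitionName": SECRETS_USER, "scope": VAULT},
    {"principalName": "controller", "roleDefinitionName": SECRETS_USER, "scope": VAULT},
]

# Secrets each identity is supposed to read (assumed); identities absent here
# (the controller) are allowed to keep vault-wide access.
ALLOWED = {"task-runner": {"task-queue-key"}}


def parse_scope(scope):
    """Return (vault_id, secret_name_or_None), or None for non-Key-Vault scopes."""
    m = SCOPE_RE.match(scope)
    return (m["vault"], m["secret"]) if m else None


def find_overbroad(assignments, allowed):
    """Vault-wide Secrets User grants held by identities that only need listed secrets."""
    findings = []
    for a in assignments:
        if a["roleDefinitionName"] != SECRETS_USER or a["principalName"] not in allowed:
            continue
        parsed = parse_scope(a["scope"])
        if parsed and parsed[1] is None:  # no /secrets/ segment: every secret readable
            findings.append((a["principalName"], parsed[0]))
    return findings


def proposed_scopes(vault, secrets):
    """Secret-level scopes that would replace one vault-wide assignment."""
    return [f"{vault}/secrets/{name}" for name in sorted(secrets)]


if __name__ == "__main__":
    for principal, vault in find_overbroad(ASSIGNMENTS, ALLOWED):
        print(f"{principal}: vault-wide '{SECRETS_USER}' on {vault}; narrow to:")
        for scope in proposed_scopes(vault, ALLOWED[principal]):
            print("  ", scope)
```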