
Generic Terraform Variable Secret

Description

General

The Generic Terraform Variable Secret detector aims to catch high-entropy strings assigned to a sensitive variable in Terraform files. It looks for an Input Variable whose name is sensitive and that carries a default value.

Specifications

Input variables in Terraform files follow the pattern:

variable "{assigned_variable}" {
  type    = string
  default = "{value}"
}

For this detector, the {assigned_variable} name must contain one of the following words to be considered sensitive and therefore valid:

  • secret
  • token
  • api[_.-]?key
  • credential
  • auth
  • pass(word|wd|phrase)
  • pwd
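
As an added example (not GitGuardian's own detector code), here is a small Python re-implementation of the rule described above: find `variable` blocks whose name contains one of the sensitive words, require a quoted string `default`, and keep only values whose length and Shannon entropy clear assumed thresholds. The sample `.tf` content, the thresholds and the made-up secret value are constructed for this illustration; the page does not publish the detector's real entropy cut-off.

```python
import math
import re

# Sensitive-name words from the page's specification.
SENSITIVE_NAME = re.compile(
    r"secret|token|api[_.-]?key|credential|auth|pass(?:word|wd|phrase)|pwd", re.I)
# A variable block with a quoted string default. Assumes the simple block form
# shown on the page (no nested braces inside the block body).
VARIABLE_BLOCK = re.compile(r'variable\s+"(?P<name>[^"]+)"\s*\{(?P<body>[^}]*)\}')
DEFAULT_STRING = re.compile(r'default\s*=\s*"(?P<value>[^"]*)"')

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; placeholders such as 'changeme' score low."""
    if not s:
        return 0.0
    return -sum(n / len(s) * math.log2(n / len(s))
                for n in (s.count(c) for c in set(s)))

def find_variable_secrets(tf_source, min_len=16, min_entropy=3.5):
    # min_len / min_entropy are thresholds assumed for this example; the page
    # does not publish the detector's real ones.
    findings = []
    for block in VARIABLE_BLOCK.finditer(tf_source):
        name = block.group("name")
        if not SENSITIVE_NAME.search(name):
            continue  # e.g. "region": not a sensitive name
        m = DEFAULT_STRING.search(block.group("body"))
        if m is None:
            continue  # no string default, nothing hardcoded
        value = m.group("value")
        if len(value) >= min_len and shannon_entropy(value) >= min_entropy:
            findings.append((name, value))
    return findings

# Constructed sample .tf content; the long default is a made-up string, not a real key.
SAMPLE_TF = '''variable "region" {
  type    = string
  default = "eu-west-1"
}
variable "db_password" {
  type    = string
  default = "xK9pL2mQ7vR4nT8wZ1yB5cH3jF6gD0sA"
}
variable "api_key" {
  type    = string
  default = "changeme"
}'''

if __name__ == "__main__":
    print(find_variable_secrets(SAMPLE_TF))  # [('db_password', 'xK9p...D0sA')]
```

Only `db_password` is reported: `region` fails the name check, and `api_key`'s placeholder default is too short and too low in entropy.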

Details for Generic Terraform Variable Secret

  • High Recall: False

  • Validity Check: False

  • Minimum Number of Matches: 1

  • Occurrences found for one million commits: 11

  • Prefixed: False

  • PreValidators:
    Here is a list of the validation steps the document must pass before being analyzed.

- type: FilenameWhitelistPreValidator
  whitelist_extensions:
    - tf
    - tfvars
- type: ContentWhitelistPreValidator
  patterns:
    - variable
- type: ContentWhitelistPreValidator
  patterns:
    - default
- type: ContentWhitelistPreValidator
  patterns:
    - (secret|token|(api|master)[_.-]?key|credential|auth)
    - pass(word|wd|phrase)
    - pwd
