
Generic Terraform Variable Secret



The Generic Terraform Variable Secret detector aims to catch high-entropy strings assigned to a sensitively named variable in Terraform files. Concretely, it looks for an Input Variable whose name is sensitive and which carries a default value.


Input variables in Terraform files follow the pattern:

    variable "{assigned_variable}" {
      type    = string
      default = "{value}"
    }

For this detector, {assigned_variable} must contain one of the following words (matched as regular expressions) to be considered sensitive and therefore a valid match:

  • secret
  • token
  • api[_.-]?key
  • credential
  • auth
  • pass(word|wd|phrase)
  • pwd

Details for Generic Terraform Variable Secret

  • High Recall: False

  • Validity Check: False

  • Minimum Number of Matches: 1

  • Occurrences found for one million commits: 11

  • Prefixed: False

  • PreValidators:
    Here is a list of the validation steps the document must pass before being analyzed.

    - type: FilenameWhitelistPreValidator
      - tf
      - tfvars
    - type: ContentWhitelistPreValidator
      - variable
    - type: ContentWhitelistPreValidator
      - default
    - type: ContentWhitelistPreValidator
      - (secret|token|(api|master)[_.-]?key|credential|auth)
      - pass(word|wd|phrase)
      - pwd
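The following is an added example, not GitGuardian's own detector code, that puts the two pieces described on this page together: the prevalidation gate (extension whitelist, then the three content whitelists) and the scan for a sensitively named Terraform input variable whose default value has high entropy. The sample Terraform content, the entropy threshold (3.5 bits per character), the minimum length (8), the simplified regex-based HCL matching and case-insensitive name matching are all assumptions of this example and are not stated on the page.

```python
import math
import re
from collections import Counter

# Constructed sample Terraform file (not from the page): one sensitively named
# variable carries a high-entropy default, one a placeholder, one is empty.
SAMPLE_TF = '''
variable "region" {
  type    = string
  default = "us-east-1"
}

variable "db_password" {
  type    = string
  default = "placeholder"
}

variable "api_key" {
  type      = string
  sensitive = true
  default   = "Xk9fQ2mZ7pL4vR8tB3nW6yH1sD5gJ0aE"
}

variable "auth_token" {
  type    = string
  default = ""
}
'''

# PreValidators as listed for the detector: a filename whitelist on extension,
# then three content whitelists, each satisfied by any one of its patterns.
# Case-insensitive matching is an assumption of this example.
ALLOWED_EXTENSIONS = ("tf", "tfvars")
CONTENT_WHITELISTS = [
    re.compile(r"variable", re.IGNORECASE),
    re.compile(r"default", re.IGNORECASE),
    re.compile(r"(secret|token|(api|master)[_.-]?key|credential|auth)"
               r"|pass(word|wd|phrase)|pwd", re.IGNORECASE),
]

# Words from the page's sensitive-name list, applied to the variable name.
SENSITIVE_NAME = re.compile(
    r"secret|token|api[_.-]?key|credential|auth|pass(word|wd|phrase)|pwd",
    re.IGNORECASE,
)

# Simplified HCL matching (assumption): a variable block without nested blocks
# and a single-line, double-quoted default. Real HCL needs a proper parser.
VARIABLE_BLOCK = re.compile(r'variable\s+"(?P<name>[^"]+)"\s*\{(?P<body>[^}]*)\}')
DEFAULT_ATTR = re.compile(r'^\s*default\s*=\s*"(?P<value>[^"]*)"', re.MULTILINE)


def passes_prevalidators(filename, content):
    """Cheap gate: wrong extension or missing keywords means the file is skipped."""
    if filename.rsplit(".", 1)[-1].lower() not in ALLOWED_EXTENSIONS:
        return False
    return all(p.search(content) for p in CONTENT_WHITELISTS)


def shannon_entropy(value):
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in Counter(value).values())


def find_variable_secrets(content, min_length=8, min_entropy=3.5):
    """Flag sensitively named variables whose default looks like a real secret."""
    findings = []
    for block in VARIABLE_BLOCK.finditer(content):
        name, body = block.group("name"), block.group("body")
        if not SENSITIVE_NAME.search(name):
            continue
        default = DEFAULT_ATTR.search(body)
        if default is None:
            continue
        value = default.group("value")
        entropy = shannon_entropy(value)
        # Short or low-entropy defaults ("placeholder", "") are not reported.
        if len(value) >= min_length and entropy >= min_entropy:
            findings.append({
                "variable": name,
                "preview": value[:4] + "...",  # never echo the full secret in logs
                "entropy": round(entropy, 2),
            })
    return findings


def scan_file(filename, content):
    """Run the prevalidators first, then the block scan on the surviving files."""
    if not passes_prevalidators(filename, content):
        return []
    return find_variable_secrets(content)


if __name__ == "__main__":
    for finding in scan_file("main.tf", SAMPLE_TF):
        print(finding)
```

Running the script reports only `api_key`: `db_password` has a low-entropy placeholder default, `auth_token` has an empty default, and `region` is not a sensitive name. A file with a non-Terraform extension, or one lacking the `variable`/`default` keywords, never reaches the block scan, which is the point of ordering the cheap prevalidators first.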
