Terraform state file committed
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
A Terraform state file (.tfstate) is tracked in the repo. State stores resource attributes including generated passwords and keys in plaintext.
Why it matters
A Terraform state file records the attributes of every resource it manages, including generated passwords, private keys, and connection strings, in plaintext. Committing .tfstate exposes all of those secrets to anyone with repo access. It also causes state conflicts across collaborators.
How to fix it
Remove the state file from the repo (git rm) and add *.tfstate and *.tfstate.backup to .gitignore. Move state to a remote backend (S3 with encryption and locking, Terraform Cloud, or GCS). Rotate any secrets that the committed state exposed.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo