Hardcoded secret in Terraform
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
A password, token, or key is assigned a literal string in a .tf or .tfvars file. Anything committed here lands in version control and in the Terraform state, and applies to everyone who can read either.
Why it matters
A password, token, or key written as a literal string in a .tf or .tfvars file is committed to version control and also stored, in clear text, inside the Terraform state. Everyone with access to the repo or the state can read it, and removing it later does not undo the exposure. The value must be treated as compromised.
How to fix it
Move the secret out of the code: read it from a variable populated by the environment (TF_VAR_name) or, better, from a secrets manager via a data source (aws_secretsmanager_secret_version, Vault). Mark the variable sensitive = true. Rotate the exposed secret with its provider, and remember Terraform state still holds the old value, so also secure or re-key the state.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo