Will It Vibe logoWill It Vibe?
TF-027High severity-15 points

Cloud provider credential hardcoded in config

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

A provider access_key, secret_key, or client_secret is set to a literal value instead of being read from the environment or a credential file, so the long-lived credential ends up in source control.

Why it matters

Setting a provider access_key, secret_key, or client_secret to a literal value hardcodes a long-lived cloud credential into the configuration, where it is committed to version control and copied into anyone clone. It also lands in the Terraform state. Static provider credentials in code are a direct route to account takeover if the repo or state is exposed.

How to fix it

Delete the inline credential and let the provider read from the standard sources: environment variables, a shared credentials or config file, or, best, an assumed role via OIDC or instance profile. For Azure, use a service principal from the environment or managed identity. Rotate the exposed credential, and move to short-lived role-based auth where possible.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks