HashiCorp Vault Service / Batch Token
Detects HashiCorp Vault service tokens (hvs. prefix) and batch tokens (hvb. prefix). These tokens authenticate to a Vault server and can read secrets, keys and credentials; a leak is a critical exposure.
- Type: regex
- Engine: universal
- Confidence: high
- Confidence justification: High confidence: the distinctive hvs./hvb. prefix with a long high-entropy body makes false positives extremely unlikely.
- Jurisdictions: global
- Regulations: Criminal Code Act 1995 (Cth), Computer Fraud and Abuse Act, Computer Misuse Act 1990
- Frameworks: CIS Controls, ISO 27001, NIST CSF, SOC 2
- Data categories: credentials, security
- Scope: narrow
- Risk rating: 10
- Platform compatibility: Purview: Compatible, GCP DLP: Unsupported, Macie: Unsupported, Zscaler: Compatible, Palo Alto: Unsupported, Netskope: Unsupported
Pattern
(?<![A-Za-z0-9._-])hv[sb]\.[A-Za-z0-9._-]{60,120}(?![A-Za-z0-9._-])
Corroborative evidence keywords
vault, hashicorp, vault token, VAULT_TOKEN, service token, batch token
Proximity: 300 characters
Should match
- hvs.CAESIABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz0123456789ABCDEFG — Vault service token, hvs. prefix + long body
- VAULT_TOKEN=hvb.0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcde — Labelled Vault batch token (hvb.) in env var
- hvs.aB3dE6gH9jK2mN5pQ8sTuVwXyZ0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwx — Mixed-case Vault service token
Should not match
- hvs.tooShort — Too short to be a Vault token body
- hvx.CAESIABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz0123456789ABCDEFG — Wrong middle letter (not s or b) - not a service/batch token
- rotate the hashicorp vault service token before the audit — Prose mention without a token value
Known false positives
- Long dotted identifiers that coincidentally begin with hvs. or hvb. in documentation. Mitigation: Require corroborative Vault keywords and exclude placeholder markers (example, xxxx).
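The rule above applied end to end, as an added example that is not part of the original pattern definition: the page's regex, its corroborative keywords within the 300-character proximity, and the placeholder exclusion from the false-positive mitigation. Case-insensitive keyword matching, measuring proximity from the edges of the match, and the names `scan`, `reportable` and `SAMPLES` are assumptions of this sketch; the sample inputs are constructed.

```python
import re
import string

# Pattern, keywords and proximity copied from the page's rule definition.
TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9._-])hv[sb]\.[A-Za-z0-9._-]{60,120}(?![A-Za-z0-9._-])"
)
KEYWORDS = ("vault", "hashicorp", "vault token", "VAULT_TOKEN",
            "service token", "batch token")
PROXIMITY = 300
# Placeholder markers named in the page's false-positive mitigation.
PLACEHOLDERS = ("example", "xxxx")


def scan(text):
    """Return one finding per regex hit, with corroboration and placeholder flags."""
    lowered = text.lower()
    findings = []
    for m in TOKEN_RE.finditer(text):
        start, end = m.span()
        # Assumption: proximity is measured from the edges of the match, and the
        # token itself is excluded so its body cannot corroborate itself.
        window = lowered[max(0, start - PROXIMITY):start] + " " + lowered[end:end + PROXIMITY]
        token = m.group(0)
        findings.append({
            "kind": "service" if token.startswith("hvs.") else "batch",
            "span": (start, end),
            "preview": token[:8] + "...",  # never log the full secret
            "corroborated": any(k.lower() in window for k in KEYWORDS),
            "placeholder": any(p in token.lower() for p in PLACEHOLDERS),
        })
    return findings


def reportable(text):
    """Findings that survive the keyword and placeholder filters."""
    return [f for f in scan(text) if f["corroborated"] and not f["placeholder"]]


# Constructed sample inputs (not real tokens).
BODY = ((string.ascii_letters + string.digits) * 2)[:90]
SAMPLES = {
    "env_var": "VAULT_TOKEN=hvs." + BODY,
    "no_context": "id: hvb." + BODY,
    "doc_placeholder": "vault docs use hvs.example" + "x" * 70,
    "too_long": "vault hvs." + "A" * 121,
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, len(scan(text)), len(reportable(text)))
```

The `too_long` sample shows the trailing lookahead at work: a 121-character body produces no hit at all, rather than a truncated 120-character match.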