IaC Secrets in Terraform and Azure CSCfg
Detects secrets embedded in Infrastructure as Code files including Terraform/HCL variable assignments and Azure Cloud Service configuration (.cscfg) XML settings. Mirrors Snaffler rule KeepInfraAsCodeByExtension.
- Type
- regex
- Engine
- boost_regex
- Confidence
- high
- Confidence justification
- High confidence: the combination of secret-bearing key names and non-empty quoted values in IaC contexts is highly specific to credential assignments. Non-secret HCL assignments (region, version, count) do not match because their key names are not in the keyword list.
- Jurisdictions
- global
- Regulations
- Criminal Code Act 1995 (Cth)
- Frameworks
- CIS Controls, ISO 27001, NIST CSF
- Data categories
- credentials
- Scope
- specific
- Platform compatibility
- Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Degraded, Netskope: Unsupported
Pattern
(?i)(?:password|secret|access_key|api_key|token)\s*=\s*"[^"]{6,256}"
Corroborative evidence keywords
terraform, provider, variable, <ServiceConfiguration, <Role
Proximity: 300 characters
Should match
- db_password = "Sup3rS3cret!" — HCL tfvars password assignment
- api_key = "exampleApiKeyPlaceholder123" — HCL API key assignment
- <Setting name="StorageKey" value="abc123def456ghi789jkl012" /> — Azure cscfg secret setting
- <Setting name="ApiToken" value="abc123def456ghi789jkl012" /> — Azure cscfg setting with token in name (Snaffler parity)
Should not match
- region = "ap-southeast-2" — Non-secret HCL assignment, key name not in keyword list
- <Setting name="MaxRetries" value="3" /> — Non-secret cscfg setting with value under 6 chars
Known false positives
- Terraform example or tutorial files showing variable assignment syntax with illustrative but non-sensitive values using the target key names. Mitigation: Require proximity to IaC-specific keywords (terraform, provider, ServiceConfiguration) to confirm IaC file context. Template exclusion catches example/placeholder markers.
- Application configuration files that use password or token as part of a larger non-credential key name such as password_policy or token_expiry. Mitigation: The regex requires the keyword to be followed directly by = (optional whitespace only) and a quoted value, so compound key names where an underscore or other character follows the keyword, such as password_policy, do not match.
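The following is an added example, not part of the rule catalogue or any vendor's engine, showing how the pattern, the corroborative-keyword proximity window and the template exclusion described above combine into one check. It runs the pattern exactly as printed; the list of template markers is an assumption, since the page names none. Note that with the pattern as printed, the cscfg <Setting .../> samples do not match, because the keyword must be followed directly by = and the XML puts the keyword inside name="..." with value= following; the test below records that behaviour so it is visible.

```python
import re

# Rule pattern exactly as printed on the page; Python's re accepts this boost_regex syntax unchanged.
PATTERN = re.compile(r'(?i)(?:password|secret|access_key|api_key|token)\s*=\s*"[^"]{6,256}"')

# Corroborative evidence keywords and proximity window from the rule.
CORROBORATIVE = ("terraform", "provider", "variable", "<ServiceConfiguration", "<Role")
PROXIMITY = 300

# Assumed placeholder markers for the "template exclusion" the page mentions (the page lists none).
TEMPLATE_MARKERS = ("example", "placeholder", "changeme", "xxx")


def find_iac_secrets(text):
    """Return one dict per raw pattern hit: the matched text, whether an IaC keyword
    sits within PROXIMITY characters on either side, and whether the quoted value
    carries a template/placeholder marker."""
    hits = []
    for m in PATTERN.finditer(text):
        lo = max(0, m.start() - PROXIMITY)
        hi = min(len(text), m.end() + PROXIMITY)
        window = text[lo:hi].lower()
        corroborated = any(k.lower() in window for k in CORROBORATIVE)
        value = m.group(0).split('"')[1]          # text between the two quotes
        templated = any(t in value.lower() for t in TEMPLATE_MARKERS)
        hits.append({"match": m.group(0), "corroborated": corroborated, "template": templated})
    return hits


def confirmed_findings(text):
    """Apply the rule's two false-positive controls: keep only hits that are both
    corroborated by IaC context and not obviously placeholder values."""
    return [h for h in find_iac_secrets(text) if h["corroborated"] and not h["template"]]


# Constructed sample inputs (not real files).
SAMPLE_TFVARS = '''# constructed sample terraform.tfvars
provider = "azurerm"
region = "ap-southeast-2"
db_password = "Sup3rS3cret!"
api_key = "exampleApiKeyPlaceholder123"
password_policy = "strict"
'''

SAMPLE_CSCFG = '''<ServiceConfiguration serviceName="Demo">
  <Role name="WebRole">
    <ConfigurationSettings>
      <Setting name="ApiToken" value="abc123def456ghi789jkl012" />
      <Setting name="MaxRetries" value="3" />
    </ConfigurationSettings>
  </Role>
</ServiceConfiguration>
'''

# A bare assignment with no IaC context within 300 characters: matches, but is not corroborated.
SAMPLE_NOTES = 'password = "hunter22hunter"'

if __name__ == "__main__":
    for name, sample in (("tfvars", SAMPLE_TFVARS), ("cscfg", SAMPLE_CSCFG), ("notes", SAMPLE_NOTES)):
        print(name, "raw hits:", find_iac_secrets(sample))
        print(name, "confirmed:", confirmed_findings(sample))
```

Running it shows two raw hits in the tfvars sample (region and password_policy correctly skipped), of which only the db_password line survives the template exclusion; the bare notes line matches but lacks corroboration; and the cscfg sample yields no hits at all with the printed pattern, which is worth knowing before relying on the rule for .cscfg coverage.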