
OTEL-004: No hardcoded secrets in exporters

Severity: deny (blocking)

Rule Details

Hardcoded API keys, bearer tokens, passwords, or signed URLs inside exporter config end up in version control, in CI logs, and in shared configmaps. augur scans every string value under exporters whose key name looks secret-like (api_key, token, password, authorization, etc.) and blocks any value that is not a ${env:VAR_NAME} reference.

This rule fires when an exporter has a secret-like field whose value is a plain string rather than an environment variable reference.
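The check described above, written out as an added Python example rather than augur's own policy code (which lives in policy/lib): it walks the exporters subtree of an already-parsed collector config, matches the nearest key name against a constructed secret-like pattern, and flags any string value that is not exactly one ${env:NAME} reference. The key pattern, the sample configs and the strict treatment of mixed values such as "Bearer ${env:TOKEN}" are assumptions made for this example; the page does not say whether augur accepts mixed values.

```python
import re

# Constructed stand-in for the "secret-like" key set that augur keeps in policy/lib
# (assumption). Key names are matched case-insensitively as substrings, so api_key,
# api-key and apiKey all count.
SECRET_KEY_RE = re.compile(
    r"api[_-]?key|token|password|passwd|secret|authorization|credential",
    re.IGNORECASE,
)

# The only accepted form: the whole value is a single ${env:NAME} reference.
# A mixed value such as "Bearer ${env:TOKEN}" is rejected under this strict reading
# (assumption; the rule text only says "a ${env:VAR_NAME} reference").
ENV_REF_RE = re.compile(r"^\$\{env:[A-Za-z_][A-Za-z0-9_]*\}$")


def find_hardcoded_secrets(config):
    """Return (dotted_path, value) pairs for secret-like string fields under
    'exporters' whose value is not a ${env:NAME} reference.

    Receivers and extensions are deliberately not inspected here; on this page
    they belong to OTEL-005 and OTEL-035.
    """
    findings = []

    def walk(node, path, key):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, path + [str(k)], str(k))
        elif isinstance(node, list):
            # List items inherit the enclosing key name, so "tokens: [abc]" still fires.
            for i, v in enumerate(node):
                walk(v, path + [str(i)], key)
        elif isinstance(node, str) and key is not None:
            # Only the nearest key name decides whether a value is secret-like,
            # so headers.api_key fires while endpoint does not. Non-string values
            # (timeouts, booleans, null) are never secrets by this rule.
            if SECRET_KEY_RE.search(key) and not ENV_REF_RE.match(node):
                findings.append((".".join(["exporters"] + path), node))

    exporters = config.get("exporters") or {}
    walk(exporters, [], None)
    return findings


# Constructed sample mirroring the page's "Incorrect" example (as a parsed dict).
INCORRECT = {
    "exporters": {
        "otlp/vendor": {
            "endpoint": "api.vendor.com:4317",
            "headers": {"api_key": "sk-hardcoded-secret"},
        }
    }
}

# Constructed sample mirroring the page's "Correct" example.
CORRECT = {
    "exporters": {
        "otlp/vendor": {
            "endpoint": "api.vendor.com:4317",
            "headers": {"api_key": "${env:VENDOR_API_KEY}"},
        }
    }
}

if __name__ == "__main__":
    for name, cfg in (("incorrect", INCORRECT), ("correct", CORRECT)):
        for path, value in find_hardcoded_secrets(cfg):
            print(f"OTEL-004 deny [{name}] {path}: literal value {value!r}")
```

Running the block prints one deny line for the incorrect config and nothing for the correct one. In a real pipeline the dict would come from yaml.safe_load on the collector config; it is inlined here so the example runs without PyYAML.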

Options

This rule has no options. The set of "secret-like" keys is maintained inside policy/lib.

Examples

Incorrect

exporters:
  otlp/vendor:
    endpoint: api.vendor.com:4317
    headers:
      api_key: "sk-hardcoded-secret"   # literal secret

Correct

exporters:
  otlp/vendor:
    endpoint: api.vendor.com:4317
    headers:
      api_key: "${env:VENDOR_API_KEY}"

When Not To Use It

Never. Even for local development, keep the secret in a .env file that is listed in .gitignore and reference it with ${env:...}, so the habit scales and the config file itself can be safely committed. Note that the collector resolves ${env:...} from its own process environment; it does not read .env files, so whatever launches the collector (a shell, direnv, docker compose env_file) has to export the variables first.

Related Rules

  • OTEL-005 — no hardcoded secrets in receivers
  • OTEL-035 — no hardcoded secrets in extensions

Version

Available since augur v0.1.0.
