OTEL-035: Hardcoded secrets in extensions
Severity: deny (blocking)
Rule Details
Extensions such as basicauth, oauth2client, oidc, and bearertokenauth carry credentials. Writing those credentials inline in the config leaks them into git, into pod manifests, and into CI logs. augur scans the extensions: block (including one level of nesting, for sub-blocks such as client_auth:) and rejects any secret-like field whose value is not an environment-variable reference.
This rule fires when an extension (or a nested sub-object inside an extension) has a secret-like field whose value is a plain string rather than ${env:VAR_NAME}.
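The check described above, written out as an added Python example (not augur's own Rego policy, which lives in policy/main/security.rego). The set of secret-like field names and the parsed config dicts are assumptions constructed to mirror the Incorrect and Correct examples on this page; a real scanner would load the YAML file first and would use augur's actual field list.

```python
import re
from typing import Any, Dict, List

# Assumption: a hypothetical set of secret-like field names, chosen only to cover
# this page's examples (htpasswd.inline, client_auth.client_secret) and a few
# common cases. It is not augur's real list.
SECRET_KEYS = {"password", "secret", "client_secret", "token", "bearer_token", "inline"}

# Only a bare ${env:VAR_NAME} reference passes. A secret embedded in a longer
# string (e.g. "Bearer ${env:TOKEN}") still carries inline material and fails.
ENV_REF = re.compile(r"^\$\{env:[A-Za-z_][A-Za-z0-9_]*\}$")


def _is_hardcoded(value: Any) -> bool:
    """A plain string that is not an environment-variable reference is hardcoded."""
    return isinstance(value, str) and ENV_REF.fullmatch(value.strip()) is None


def find_hardcoded_secrets(config: Dict[str, Any]) -> List[str]:
    """Return dotted paths of secret-like fields under extensions: whose value is
    not ${env:VAR_NAME}. Each extension's own fields are checked, plus one level
    of nested blocks (e.g. client_auth:), matching the scope of OTEL-035."""
    findings: List[str] = []
    extensions = config.get("extensions") or {}
    for ext_name, ext_body in extensions.items():
        if not isinstance(ext_body, dict):
            continue
        for key, value in ext_body.items():
            if key in SECRET_KEYS and _is_hardcoded(value):
                findings.append(f"extensions.{ext_name}.{key}")
            elif isinstance(value, dict):  # one level of nesting only
                for sub_key, sub_value in value.items():
                    if sub_key in SECRET_KEYS and _is_hardcoded(sub_value):
                        findings.append(f"extensions.{ext_name}.{key}.{sub_key}")
    return findings


# Constructed configs equivalent to the page's Incorrect and Correct examples,
# already parsed into dicts (a real scanner would parse the YAML file first).
INCORRECT_CONFIG = {
    "extensions": {
        "basicauth/server": {"htpasswd": {"inline": "admin:$2y$05$abcdefg\n"}},
        "oauth2client": {"client_auth": {"client_secret": "literal-client-secret"}},
    }
}
CORRECT_CONFIG = {
    "extensions": {
        "basicauth/server": {"htpasswd": {"file": "/etc/otel/htpasswd"}},
        "oauth2client": {"client_auth": {"client_secret": "${env:OAUTH_CLIENT_SECRET}"}},
    }
}

if __name__ == "__main__":
    for name, cfg in (("incorrect", INCORRECT_CONFIG), ("correct", CORRECT_CONFIG)):
        hits = find_hardcoded_secrets(cfg)
        print(f"{name}: {'deny ' + ', '.join(hits) if hits else 'pass'}")
```

Running the script reports `deny` with the two offending paths for the incorrect config and `pass` for the corrected one. The `file:` reference in the correct example is not a secret-like key, so pointing basicauth at an htpasswd file on disk is accepted without an environment variable.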
Options
This rule has no options.
Examples
Incorrect
extensions:
  basicauth/server:
    htpasswd:
      inline: |
        admin:$2y$05$abcdefg # literal secret
  oauth2client:
    client_auth:
      client_secret: "literal-client-secret"
Correct
extensions:
  basicauth/server:
    htpasswd:
      file: /etc/otel/htpasswd
  oauth2client:
    client_auth:
      client_secret: "${env:OAUTH_CLIENT_SECRET}"
When Not To Use It
Never. Treat extension credentials the same as exporter and receiver credentials — environment variables only.
Related Rules
Version
Available since augur v0.1.0.
Further Reading
Resources
- Rule source: policy/main/security.rego