
OTEL-037: Inline key_pem detected (use key_file instead)

Severity: warn (advisory)

Rule Details

tls.key_pem takes the contents of a private key directly in the config file — which usually means the PEM block ends up in git, in a container image layer, or in a Kubernetes ConfigMap. Use tls.key_file with a path instead and mount the key via a Secret, CSI driver, or a proper secret store.

This rule fires when any exporter or receiver protocol has tls.key_pem set.
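As an added illustration (not augur's own implementation), the check below applies the same trigger to a parsed collector config: it walks the exporters and receivers sections, including nested receiver protocol blocks such as otlp.protocols.grpc, and reports every tls.key_pem it finds. The config is a constructed sample embedded as a Python dict; in practice it would come from yaml.safe_load on the collector config file.

```python
from typing import Any

# Constructed sample config (not a real deployment): the otlp receiver inlines
# a key under its grpc protocol and the otlp/audit exporter inlines one too,
# while otlp/backend correctly references key_file.
SAMPLE_CONFIG: dict[str, Any] = {
    "receivers": {
        "otlp": {
            "protocols": {
                "grpc": {
                    "endpoint": "0.0.0.0:4317",
                    "tls": {
                        "cert_pem": "-----BEGIN CERTIFICATE-----\n...",
                        "key_pem": "-----BEGIN PRIVATE KEY-----\n...",
                    },
                },
                "http": {"endpoint": "0.0.0.0:4318"},
            }
        }
    },
    "exporters": {
        "otlp/backend": {
            "endpoint": "backend:4317",
            "tls": {"cert_file": "/etc/certs/client.crt",
                    "key_file": "/etc/certs/client.key"},
        },
        "otlp/audit": {
            "endpoint": "audit:4317",
            "tls": {"key_pem": "-----BEGIN PRIVATE KEY-----\n..."},
        },
    },
}


def find_inline_keys(config: dict, sections=("exporters", "receivers")) -> list[str]:
    """Return the dotted path of every tls.key_pem under the given sections.

    Recurses through nested mappings so receiver protocol blocks
    (receivers.otlp.protocols.grpc.tls) are covered, not only top-level tls.
    """
    findings: list[str] = []

    def walk(node: Any, path: list[str]) -> None:
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            child = path + [key]
            if key == "tls" and isinstance(value, dict) and "key_pem" in value:
                findings.append(".".join(child + ["key_pem"]))
            walk(value, child)  # keep descending: protocols, sub-configs

    for section in sections:
        walk(config.get(section, {}), [section])
    return findings


def lint_otel_037(config: dict) -> list[dict[str, str]]:
    """Wrap each finding as an advisory (warn) diagnostic for this rule."""
    return [{"rule": "OTEL-037", "severity": "warn", "path": p,
             "message": "inline key_pem detected (use key_file instead)"}
            for p in find_inline_keys(config)]
```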

Options

This rule has no options.

Examples

Avoid
exporters:
  otlp/backend:
    endpoint: backend:4317
    tls:
      cert_pem: |
        -----BEGIN CERTIFICATE-----
        ...
      key_pem: | # private key inlined
        -----BEGIN PRIVATE KEY-----
        ...
Prefer
exporters:
  otlp/backend:
    endpoint: backend:4317
    tls:
      cert_file: /etc/certs/client.crt
      key_file: /etc/certs/client.key

When Not To Use It

Never. Private key material should never sit in a config file — use an out-of-band secret store.

  • OTEL-004 — no hardcoded secrets in exporters
  • OTEL-005 — no hardcoded secrets in receivers
  • OTEL-031 — TLS min_version below 1.2
  • OTEL-032 — insecure_skip_verify enabled

Version

Available since augur v0.1.0.
