HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
HashiCorp Cloud Platform
HashiCorp Cloud Platform Home

Write inline ignore rules

Vault Radar supports adding inline ignore rules directly to your source code for sensitive data instead of creating a global ignore rule. You can add an inline ignore rule to any line in your source code using the languages standard comment character such as a # in Python or // in C++ followed by HashiCorpIgnore.

Note

HashiCorpIgnore is not case sensitive, you can match it to your coding standards.

Inline ignore rules are not supported when the sensitive data spans multiple lines.

Ignore rule behavior

When you add a ignore rule, Vault Radar still generates an event when it finds sensitive data during a scan. Any event that matches an ignore rule will have:

  1. Severity set to INFO.
  2. An Ignore rule flag added.
  3. State set to Not important.

Vault Radar UI showing an event that matches an ignore rule

HCL example

resource "aws_db_instance" "database" {
  allocated_storage = 5
  engine            = "mysql"
  instance_class    = "db.t2.micro"
  username          = "admin"
  password          = "notasecurepassword" # HashiCorpIgnore

Python example

password = "notasecurepassword"  # HashiCorpIgnore

Java example

String password = "notasecurepassword"; // HashiCorpIgnore

C++ example

string password = "notasecurepassword"; // HashiCorpIgnore

Go example

const password = "b3stp@stw00rd3vA!" // HashiCorpIgnore
Edit this page on GitHub