HashiCorp Cloud Platform
Write inline ignore rules
Vault Radar supports adding inline ignore rules for sensitive data directly to your source code instead of creating a global ignore rule. You can add an inline ignore rule to any line in your source code using the language's standard comment character, such as a # in Python or // in C++, followed by HashiCorpIgnore.
Note
HashiCorpIgnore is not case sensitive, so you can match it to your coding standards.
Inline ignore rules are not supported when the sensitive data spans multiple lines.
Ignore rule behavior
When you add an ignore rule, Vault Radar still generates an event when it finds sensitive data during a scan. Any event that matches an ignore rule will have:
- Severity set to INFO.
- An Ignore rule flag added.
- State set to Not important.
HCL example
resource "aws_db_instance" "database" {
  allocated_storage = 5
  engine            = "mysql"
  instance_class    = "db.t2.micro"
  username          = "admin"
  password          = "notasecurepassword" # HashiCorpIgnore
}
Python example
password = "notasecurepassword" # HashiCorpIgnore
Java example
String password = "notasecurepassword"; // HashiCorpIgnore
C++ example
string password = "notasecurepassword"; // HashiCorpIgnore
Go example
const password = "b3stp@stw00rd3vA!" // HashiCorpIgnore
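Because a marked finding is still recorded but downgraded to INFO and Not important, reviewers may want to know when a change adds a new marker. The Python sketch below is an added example, not Vault Radar or HashiCorp code; its marker pattern (# or // followed by HashiCorpIgnore, matched case-insensitively) is an assumption based on the description above, and the function names and sample files are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: a marker is a comment opener (# or //), optional whitespace,
# then HashiCorpIgnore in any letter case. This approximates the rule
# described on this page; it is not Vault Radar's own matcher.
MARKER = re.compile(r"(#|//)\s*hashicorpignore\b", re.IGNORECASE)

def find_inline_ignores(text):
    """Return (line_number, comment_opener, stripped_line) per marked line."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = MARKER.search(line)
        if match:
            hits.append((number, match.group(1), line.strip()))
    return hits

def new_ignores(old_text, new_text):
    """Marked lines in new_text that old_text did not already contain."""
    seen = Counter(line for _, _, line in find_inline_ignores(old_text))
    added = []
    for number, opener, line in find_inline_ignores(new_text):
        if seen[line] > 0:
            seen[line] -= 1  # marker already existed before the change
        else:
            added.append((number, opener, line))
    return added

def audit(files):
    """Map each path to its marked lines, skipping files with none."""
    report = {}
    for path, text in files.items():
        hits = find_inline_ignores(text)
        if hits:
            report[path] = hits
    return report

# Constructed sample input (hypothetical file names and contents).
SAMPLE_FILES = {
    "main.tf": 'username = "admin"\npassword = "notasecurepassword" # HashiCorpIgnore\n',
    "app.go": 'const password = "b3stp@stw00rd3vA!" // hashicorpignore\n',
    "clean.py": "token = load_token()\n",
}

if __name__ == "__main__":
    for path, hits in audit(SAMPLE_FILES).items():
        for number, opener, line in hits:
            print(f"{path}:{number}: {line}")
```

Running new_ignores against the previous and proposed versions of a file gives a list of suppressions that a reviewer can approve or reject before merge.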