sensitive-file/terraform-state

Terraform state

Severity: critical | Category: Sensitive file | Rule ID: sensitive-file

What it detects

Terraform state files often contain secrets in plaintext (database passwords, IAM keys, provider credentials) alongside infrastructure metadata, because Terraform persists resource attributes as it read them from the provider.

Remediation

Delete the file from the repository (it remains recoverable from earlier commits, so rotation is still required), rotate any secrets referenced in the state, and configure a remote backend (S3 + DynamoDB, Terraform Cloud) so state is never written into the working tree.

How it runs

Path / basename / content-header match. No content body is stored — only the path.
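As an added illustration, not repoguard's own code, the following Python sketches how a path / basename / content-header match of this kind can be implemented while reporting only the path and the reason; the basenames, suffixes, header keys and sample files are assumptions, not the rule's actual patterns.

```python
# Added example (not repoguard's code): detect Terraform state by path,
# basename or JSON header. Only (path, reason) is kept; content is discarded.
import os
from typing import Dict, List, Optional, Tuple

# Assumed patterns: the default state file name and Terraform's backup copy.
STATE_BASENAMES = {"terraform.tfstate", "terraform.tfstate.backup"}
STATE_SUFFIXES = (".tfstate", ".tfstate.backup")
# Keys that open every Terraform state document; a header check only needs
# the leading bytes, so a renamed state file is still caught.
HEADER_KEYS = ("terraform_version", "serial", "lineage")
HEADER_BYTES = 512


def match_path(path: str) -> Optional[str]:
    """Return the match reason if the path looks like Terraform state."""
    base = os.path.basename(path)
    if base in STATE_BASENAMES:
        return "basename"
    if base.endswith(STATE_SUFFIXES):
        return "suffix"
    return None


def match_header(head: bytes) -> Optional[str]:
    """Heuristic content-header check on the first bytes of a file."""
    text = head.decode("utf-8", errors="replace").lstrip()
    if not text.startswith("{"):
        return None
    if all(f'"{key}"' in text for key in HEADER_KEYS):
        return "content-header"
    return None


def scan(files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """files maps path -> bytes (a constructed stand-in for a checkout).
    Returns (path, reason) tuples; file bodies are never stored."""
    findings = []
    for path, data in files.items():
        reason = match_path(path) or match_header(data[:HEADER_BYTES])
        if reason:
            findings.append((path, reason))
    return findings


# Constructed sample repo: a renamed state copy slips past the path check but
# is caught by its JSON header; an ordinary package.json is not flagged.
SAMPLE_REPO = {
    "infra/terraform.tfstate": b'{"version": 4, "terraform_version": "1.5.0", "serial": 7, "lineage": "a", "resources": []}',
    "infra/prod.tfstate.backup": b'{"version": 4}',
    "backup/state-copy.json": b'{"version": 4, "terraform_version": "1.5.0", "serial": 3, "lineage": "b", "outputs": {}}',
    "package.json": b'{"name": "app", "version": "1.0.0"}',
}
```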

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.