
Sensitive Env Vars

BeaverDeck uses this check to identify a specific security condition that may need operator review.

Permissions: viewing checks requires insights: view. Opening a linked object or logs requires the corresponding resource permission, and the BeaverDeck ServiceAccount must be allowed to read the Kubernetes resources used by the check. Suppressing a finding requires insights: edit and affects all users.
Check type: sensitive-env-literal
Insights section: Security Insights
Alert severity: Warning

When It Reports A Finding

An active init, application, or ephemeral container defines a non-empty literal environment value whose name contains PASSWORD, PASSWD, SECRET, TOKEN, API_KEY, PRIVATE_KEY, or ACCESS_KEY, case-insensitively.

Why This Is A Problem

Literal sensitive values are exposed in workload manifests and deployment tooling, making accidental disclosure and rotation harder to control.

Recommended Response

  1. Move the value to a Secret reference or, preferably, use workload identity or an external secret provider where supported.
  2. Rotate the credential if it has already been committed, logged, or broadly exposed.
  3. Restrict access to the Secret and remove the literal from the owning workload and delivery configuration.
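The following is an added example, not BeaverDeck's own code, showing the detection rule above (non-empty literal values, all three container lists, case-insensitive name fragments, `valueFrom` references ignored) and the first remediation step (rewriting each flagged literal as a `secretKeyRef`). The PodSpec, the `api-secrets` Secret name, the image names and the `move_literals_to_secret` helper are constructed for illustration and are not part of the product.

```python
import copy
import re

# Name fragments the check looks for; matched as a case-insensitive substring.
SENSITIVE_NAME_RE = re.compile(
    r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY|ACCESS_KEY", re.IGNORECASE
)

# Init, application and ephemeral containers are all in scope.
CONTAINER_LISTS = ("initContainers", "containers", "ephemeralContainers")


def find_sensitive_env_literals(pod_spec):
    """Return (container list, container name, env name) for every non-empty
    literal env value whose name matches SENSITIVE_NAME_RE."""
    findings = []
    for list_name in CONTAINER_LISTS:
        for container in pod_spec.get(list_name) or []:
            for env in container.get("env") or []:
                value = env.get("value")
                # valueFrom references (secretKeyRef, fieldRef, ...) carry no
                # "value" key; empty literals are also out of scope.
                if not value:
                    continue
                if SENSITIVE_NAME_RE.search(env.get("name", "")):
                    findings.append((list_name, container["name"], env["name"]))
    return findings


def move_literals_to_secret(pod_spec, secret_name):
    """Hypothetical remediation helper (not BeaverDeck functionality): rewrite
    each flagged literal as a secretKeyRef into `secret_name`, keyed by the env
    var name. Returns the rewritten spec and the {key: value} data an operator
    would load into that Secret out of band."""
    new_spec = copy.deepcopy(pod_spec)
    secret_data = {}
    flagged = set(find_sensitive_env_literals(new_spec))
    for list_name in CONTAINER_LISTS:
        for container in new_spec.get(list_name) or []:
            for env in container.get("env") or []:
                if (list_name, container["name"], env["name"]) in flagged:
                    secret_data[env["name"]] = env.pop("value")
                    env["valueFrom"] = {
                        "secretKeyRef": {"name": secret_name, "key": env["name"]}
                    }
    return new_spec, secret_data


# Constructed sample PodSpec (dict form of the manifest YAML), not a real workload.
BEFORE_SPEC = {
    "initContainers": [{
        "name": "migrate",
        "image": "example/migrate:1.0",
        "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],
    }],
    "containers": [{
        "name": "api",
        "image": "example/api:1.0",
        "env": [
            {"name": "payments_api_key", "value": "sk_live_xxx"},  # lowercase still matches
            {"name": "SESSION_TOKEN", "value": ""},                 # empty: not reported
            {"name": "DB_HOST", "value": "postgres"},              # benign name
            {"name": "JWT_PRIVATE_KEY",                             # already a Secret reference
             "valueFrom": {"secretKeyRef": {"name": "api-secrets", "key": "jwt"}}},
        ],
    }],
    "ephemeralContainers": [{
        "name": "debug",
        "image": "example/debug:1.0",
        "env": [{"name": "AWS_ACCESS_KEY_ID", "value": "AKIA-constructed-example"}],
    }],
}

# Remediated copy: the three literals become secretKeyRef entries on "api-secrets".
AFTER_SPEC, SECRET_DATA = move_literals_to_secret(BEFORE_SPEC, "api-secrets")

if __name__ == "__main__":
    for finding in find_sensitive_env_literals(BEFORE_SPEC):
        print("finding:", finding)
    print("after remediation:", find_sensitive_env_literals(AFTER_SPEC))
    print("keys to load into the Secret:", sorted(SECRET_DATA))
```

Running the script reports three findings on the original spec (one per container list) and none on the remediated copy; `JWT_PRIVATE_KEY` is never reported because it is already a `secretKeyRef`, and `SESSION_TOKEN` is skipped because its literal is empty. The returned `SECRET_DATA` is what you would load into the Secret through your secret-management path, after which steps 2 and 3 (rotation and access restriction) still apply.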

Scope And Limitations

Detection is a name-based wildcard heuristic and can produce false positives or miss poorly named credentials. Moving a value into a Kubernetes Secret is not encryption: Secret data is only base64-encoded, and it is encrypted at rest only if the cluster has been configured for it.

After remediation: refresh Security Insights and verify the underlying resource or metric. Suppress the finding only when the condition is intentional and its risk is accepted.