HashiCorp Cloud Platform
Risk Severity
While scanning a resource, if a risk is found, Vault Radar will attempt to assign a severity to the risk to help users prioritize which risks to address first.
Risk Severity Definitions
Critical
This means the risk category is some type of secret, the secret is active, and the secret is in the latest version of content within a resource or a secret manager.
High
This means the risk category is some type of secret and the secret is active, but the secret is NOT in the latest version of content within a resource.
It could also mean the risk category is some type of secret, whether the secret is active cannot be determined, but it is in the latest version of a secret manager.
Medium
If none of the other conditions are met, the severity is set to medium by default.
Low
A risk can be tagged as low if the risk category is Personal Identifying Information (PII), or if the risk has certain tags (e.g., TagSecretInTestFile, TagSecretInExampleFile).
Info
A risk can be tagged as info if the risk category is Non Inclusive Language (NIL), or if the risk has certain tags (e.g., TagIgnoreRule, TagGoogleMapsApiKey, TagInactiveSecret).
Additionally, a risk will be marked as info if the risk category is AwsAccessKeyId and the risk is not active.
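To make these definitions concrete, the following is an added Python example (not Vault Radar's own code) that encodes the severity rules above and sorts findings for triage. It assumes the rules are evaluated top-down with the first match winning (the page does not state what happens when several conditions match), and the Risk fields, the ApiToken category and the sample findings are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Tags quoted on the page; the complete tag set is not listed there.
LOW_TAGS = {"TagSecretInTestFile", "TagSecretInExampleFile"}
INFO_TAGS = {"TagIgnoreRule", "TagGoogleMapsApiKey", "TagInactiveSecret"}

# Highest first, used to order findings so the worst are addressed first.
SEVERITY_ORDER = ["critical", "high", "medium", "low", "info"]


@dataclass
class Risk:  # constructed model of a scan finding
    category: str                 # e.g. "AwsAccessKeyId", "PII", "NIL"
    is_secret: bool               # True when the category is some type of secret
    active: Optional[bool]        # True/False, or None when activeness cannot be determined
    in_latest_version: bool       # found in the latest version of the resource's content
    in_secret_manager: bool       # the scanned resource is a secret manager
    tags: set = field(default_factory=set)


def severity(r: Risk) -> str:
    """Apply the page's rules top-down (assumed precedence: first match wins)."""
    if r.is_secret and r.active is True and r.in_latest_version:
        return "critical"   # active secret in the latest content
    if r.is_secret and r.active is True:
        return "high"       # active, but only present in older content
    if r.is_secret and r.active is None and r.in_latest_version and r.in_secret_manager:
        return "high"       # activeness unknown, latest version of a secret manager
    if r.category == "PII" or r.tags & LOW_TAGS:
        return "low"
    if r.category == "NIL" or r.tags & INFO_TAGS:
        return "info"
    if r.category == "AwsAccessKeyId" and r.active is False:
        return "info"       # inactive AWS access key id
    return "medium"         # default when no other condition matched


def prioritize(risks: list) -> list:
    """Return (severity, risk) pairs ordered from critical down to info."""
    return sorted(((severity(r), r) for r in risks),
                  key=lambda pair: SEVERITY_ORDER.index(pair[0]))


if __name__ == "__main__":
    sample = [  # constructed findings, not real scan output
        Risk("PII", False, None, True, False),
        Risk("AwsAccessKeyId", True, True, True, False),
        Risk("AwsAccessKeyId", True, False, True, False),
        Risk("ApiToken", True, True, False, False),
    ]
    for sev, r in prioritize(sample):
        print(f"{sev:8} {r.category}")
```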