You’re on the platform security team at a fintech processing millions of card transactions per day. Infrastructure-as-Code (IaC) changes (Terraform/CloudFormation-like text) are merged hundreds of times daily, and a single leaked credential in a commit can trigger incident response, regulatory reporting, and customer-impacting key rotation.
Before promoting changes to production, your CI pipeline runs a lightweight scanner over the IaC text to detect hardcoded secrets and unsafe interpolation patterns.
Implement a function that scans a list of IaC script lines and returns the 1-indexed line numbers that should be blocked.
A line is blocked if it contains either:
1. Hardcoded secret assignment: a key in {password, secret, token, api_key, private_key} (case-insensitive) is assigned a value using = or : where the value is a string literal. Blocked: password = "hunter2", api_key: 'AKIA...'. Allowed: password = var.db_password, token = env.TOKEN (the value is a reference, not a string literal).
2. Unsafe interpolation inside a string literal: any string literal that contains ${ ... } where the inside expression contains a direct reference to one of the secret keys above (case-insensitive), e.g. ${token} or ${ user.token }.

Lexical rules:
- A # starts a comment that runs to the end of the line, unless the # is inside a string literal. Text inside a comment is ignored.
- String literals are delimited by double quotes (") or single quotes ('). A backslash escapes the following character, so an escaped quote (\" or \') does not terminate the literal.

Example 1

Input: lines = [
  "db_password = var.db_password",
  "password = \"hunter2\" # TODO rotate",
  "name = \"service-${token}\""
]
Output: [2, 3]
Explanation:
- Line 1: the value var.db_password is a reference, not a string literal → allowed.
- Line 2: password assigned a quoted literal → hardcoded secret (the trailing # comment does not change this).
- Line 3: ${token} inside a quoted string → unsafe interpolation.

Example 2

Input: lines = [
  "# token = 'should_not_count'",
  "desc = \"literal with # not a comment\"",
  "api_key: env.API_KEY",
  "url = \"https://x/${user.api_key}/y\""
]
Output: [4]
Explanation:
- Line 1: the whole line is a comment → ignored.
- Line 2: the # is inside a string literal, so it is not a comment; desc is not a secret key → allowed.
- Line 3: api_key, but the value is not a string literal → allowed.
- Line 4: api_key inside ${...} within a string literal → blocked.

Constraints:
- 1 <= len(lines) <= 2 * 10^5
- The total length of all lines (sum of len(line)) is at most 2 * 10^6
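A reference implementation of the scanner specified above, added here as a worked example; it is not part of the original problem statement. It applies the rules exactly: comments are stripped only where the # is outside a string literal, backslash escapes are honoured inside literals, secret keys are matched case-insensitively as whole identifiers (so db_password and tokens do not match), and every line is scanned in a single pass, which keeps the whole run linear in the total input size. The function names (tokenize, is_hardcoded_secret, has_unsafe_interpolation, find_blocked_lines) are my own; the two sample inputs are the problem's examples.

```python
import re

# Secret key names from the problem statement; matched case-insensitively as whole identifiers.
SECRET_KEYS = {"password", "secret", "token", "api_key", "private_key"}

# `key = value` or `key: value` at the start of the line (leading whitespace allowed).
_ASSIGN_RE = re.compile(r"^\s*(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*(?P<val>.*)$")
# Body of a ${ ... } interpolation.
_INTERP_RE = re.compile(r"\$\{([^}]*)\}")
# Identifiers inside an interpolation expression (dots split a path such as user.token).
_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def tokenize(line):
    """Return (code, literals) for one line.

    `code` is the line with its trailing comment removed: a '#' outside any string
    literal starts a comment. `literals` holds the unescaped bodies of every string
    literal in that code. Literals are delimited by matching " or ' and a backslash
    escapes the next character, so an escaped quote does not terminate the literal.
    """
    literals = []
    quote = None      # quote character of the literal we are inside, else None
    body = []
    i = 0
    while i < len(line):
        ch = line[i]
        if quote is None:
            if ch == "#":
                return line[:i], literals   # comment: everything after it is ignored
            if ch in "\"'":
                quote, body = ch, []
        elif ch == "\\" and i + 1 < len(line):
            body.append(line[i + 1])         # escaped character, including \" and \'
            i += 1
        elif ch == quote:
            literals.append("".join(body))
            quote = None
        else:
            body.append(ch)
        i += 1
    if quote is not None:
        # Unterminated literal: fail closed and still scan what was collected.
        literals.append("".join(body))
    return line, literals


def is_hardcoded_secret(code):
    """Rule 1: a secret key assigned (with = or :) a value that is a string literal."""
    m = _ASSIGN_RE.match(code)
    if not m or m.group("key").lower() not in SECRET_KEYS:
        return False
    return m.group("val").startswith(('"', "'"))


def has_unsafe_interpolation(literals):
    """Rule 2: some literal contains ${...} whose expression references a secret key."""
    for body in literals:
        for expr in _INTERP_RE.findall(body):
            if any(ident.lower() in SECRET_KEYS for ident in _IDENT_RE.findall(expr)):
                return True
    return False


def find_blocked_lines(lines):
    """Return the 1-indexed numbers of the lines the pipeline should block."""
    blocked = []
    for number, line in enumerate(lines, start=1):
        code, literals = tokenize(line)
        if is_hardcoded_secret(code) or has_unsafe_interpolation(literals):
            blocked.append(number)
    return blocked


# The two examples from the problem statement.
EXAMPLE_1 = [
    "db_password = var.db_password",
    "password = \"hunter2\" # TODO rotate",
    "name = \"service-${token}\"",
]
EXAMPLE_2 = [
    "# token = 'should_not_count'",
    "desc = \"literal with # not a comment\"",
    "api_key: env.API_KEY",
    "url = \"https://x/${user.api_key}/y\"",
]

if __name__ == "__main__":
    print(find_blocked_lines(EXAMPLE_1))  # [2, 3]
    print(find_blocked_lines(EXAMPLE_2))  # [4]
```

Two design points worth noting. First, the specification matches the key exactly, so db_password = "x" passes under these rules even though it is obviously a credential; a production scanner would widen the key match (suffix patterns such as *_password, *_secret) and pair it with entropy or provider-specific checks (for example the AKIA prefix of AWS access key IDs) rather than rely on key names alone. Second, the interpolation rule matches whole identifiers inside ${...}, so ${tokens} is allowed while ${ user.Token } is blocked; that is the reading the examples support, and it avoids false positives on unrelated names that merely contain a secret word.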