managing-secrets
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The file scripts/setup_vault.sh executes several high-privilege commands using sudo to modify system-wide repository lists in /etc/apt/sources.list.d/ and install the Vault binary. While this behavior is standard for a setup script, it involves privilege escalation that should be carefully reviewed before execution.
- [EXTERNAL_DOWNLOADS] (LOW): The setup script downloads a GPG key from HashiCorp (apt.releases.hashicorp.com) and adds Helm charts from the official HashiCorp and External Secrets repositories. Because HashiCorp is a trusted entity per the security policy, these findings are classified as low risk.
- [CREDENTIALS_UNSAFE] (SAFE): Files such as references/cloud-providers.md and examples/vault-eso-setup/external-secrets-operator.yaml contain placeholder secrets (e.g., 'secret123', 'sk_live_EXAMPLE'). These are clearly marked as examples and do not represent a security risk.
Audit Metadata