Risk Severity

While scanning a resource, if a risk is found Vault Radar will attempt to assign a severity to the risk in order to help users prioritize which risks to address first.

Risk Severity Definitions

Critical

This means the risk category is a some type of secret. The secret is active and additionally the secret is in the latest version of content within a resource or a secret manager.

High

This means the risk category is a some type of secret. The secret is active but the secret is NOT in the latest version of content within a resource.

It could also mean the risk category is a some type of secret. The activeness cannot be determined but it is in the latest version of a secret manager.

Medium

If none of the other conditions are met, the severity is set to medium by default.

Low

A risk can be tagged as low if the risk category is Personal Identifying Information (PII). Or the risk has certain tags (e.g., TagSecretInTestFile, TagSecretInExampleFile).

Info

A risk can be tagged as info if the risk category is Non Inclusive Language (NIL). Or the risk has certain tags (e.g., TagIgnoreRule, TagGoogleMapsApiKey, TagInactiveSecret).

Additionaly a risk will be marked as info if the risk category is AwsAccessKeyId and the risk is not active.