You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
README provides multiple examples: basic usage with token, and a version-specific installation example. Both show sensible defaults and cover the major configuration modes (with/without namespace, version specification).
Coder-context framing
8
1
Opening sentence mentions "in your Coder workspaces" but does not explain what the module adds on top of Coder or show where Coder fits in the Vault authentication flow. No explanation of how this integrates with Coder's agent architecture.
Visual preview
5
0
No image, GIF, or video present. Only an icon reference in frontmatter.
Credential Hygiene — 18 / 20
Criterion
Max
Score
Notes
Secrets marked sensitive
16
14
The vault_token variable is marked sensitive = true in main.tf. However, README examples show vault_token = var.token which references another variable, creating ambiguity about whether secrets are being handled properly in the examples. Not a direct inline secret but not perfectly clear either.
Non-hardcoded auth path
4
4
README Configuration section documents creating a Vault token with appropriate policies using vault token create, which is a proper token-based auth path rather than hardcoded keys.
Restricted-Environment Readiness — 7 / 20
Criterion
Max
Score
Notes
Mirrorable artifact source
10
0
The run.sh script hardcodes https://releases.hashicorp.com/vault/ for downloads. No module input variable exists to override this URL. The vault_cli_version variable only controls which version is fetched, not the source URL.
Bring-your-own binary
5
5
The run.sh script checks if command -v vault and skips installation if the correct version is already present: "Vault version X is already installed and up-to-date." This allows pre-baked images to avoid download.
Egress transparency
3
0
No dedicated README section for network requirements, air-gapped environments, or external endpoints. The https://releases.hashicorp.com endpoint is only visible in source code.
Runs without sudo
2
2
The run.sh script attempts sudo mv vault /usr/local/bin/vault but has a fallback: if sudo fails, it moves to ~/.local/bin/vault instead and prints a PATH message. Core functionality works without sudo via the fallback path.
Engineering Quality — 8 / 10
Criterion
Max
Score
Notes
Input quality
6
6
All inputs have clear descriptions. Sensible defaults provided (vault_token and vault_namespace default to null, vault_cli_version defaults to "latest"). The vault_cli_version includes validation with regex pattern for version format.
Test coverage
4
2
main.test.ts exists and runs runTerraformInit and testRequiredVariables for basic validation. However, no .tftest.hcl file present, and the TypeScript test only covers initialization and required variables, not business logic or end-to-end behavior like installation or token handling.
Overall — 61 / 100
Raw 46 / 75 → round(46 / 75 × 100) = 61
Scored against SCORECARD.md on 2026-07-15 with claude-sonnet-4-5.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
A discussion dedicated to the Hashicorp Vault Integration (Token) module. Share your thoughts, questions, and feedback here.
Module Scorecard
Drilldown
Presentation & Onboarding — 13 / 25
Credential Hygiene — 18 / 20
vault_tokenvariable is markedsensitive = truein main.tf. However, README examples showvault_token = var.tokenwhich references another variable, creating ambiguity about whether secrets are being handled properly in the examples. Not a direct inline secret but not perfectly clear either.vault token create, which is a proper token-based auth path rather than hardcoded keys.Restricted-Environment Readiness — 7 / 20
https://releases.hashicorp.com/vault/for downloads. No module input variable exists to override this URL. Thevault_cli_versionvariable only controls which version is fetched, not the source URL.if command -v vaultand skips installation if the correct version is already present: "Vault version X is already installed and up-to-date." This allows pre-baked images to avoid download.https://releases.hashicorp.comendpoint is only visible in source code.sudo mv vault /usr/local/bin/vaultbut has a fallback: if sudo fails, it moves to~/.local/bin/vaultinstead and prints a PATH message. Core functionality works without sudo via the fallback path.Engineering Quality — 8 / 10
vault_tokenandvault_namespacedefault to null,vault_cli_versiondefaults to "latest"). Thevault_cli_versionincludes validation with regex pattern for version format.runTerraformInitandtestRequiredVariablesfor basic validation. However, no .tftest.hcl file present, and the TypeScript test only covers initialization and required variables, not business logic or end-to-end behavior like installation or token handling.Overall — 61 / 100
Raw 46 / 75 → round(46 / 75 × 100) = 61
Scored against SCORECARD.md on 2026-07-15 with
claude-sonnet-4-5.Beta Was this translation helpful? Give feedback.
All reactions