diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
index f4f0b9ce71c..630688666a0 100644
--- a/assets/queries/common/passwords_and_secrets/regex_rules.json
+++ b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -18,10 +18,10 @@
 {
 "id": "3e2d3b2f-c22a-4df1-9cc6-a7a0aebb0c99",
 "name": "Generic Secret",
- "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?([A-Za-z0-9\/~^_!@&%()=?*+-]{10,})['\"]?",
+ "regex": "^(?i)['\"]?\\s*(\\w*_)?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?([A-Za-z0-9\/~^_!@&%()=?*+-]{10,})['\"]?",
 "entropies": [
 {
- "group": 3,
+ "group": 4,
 "min": 2.8,
 "max": 8
 }
@@ -29,7 +29,7 @@
 "allowRules": [
 {
 "description": "Avoiding Square OAuth Secret",
- "regex": "(?i)['\"]?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?(sq0csp-[0-9A-Za-z\\-_]{43})['\"]?"
+ "regex": "(?i)['\"]?\\s*(\\w*_)?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?(sq0csp-[0-9A-Za-z\\-_]{43})['\"]?"
 }
 ]
 },
diff --git a/docs/secrets.md b/docs/secrets.md
index 2e27486fde8..b49d10b99bc 100644
--- a/docs/secrets.md
+++ b/docs/secrets.md
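Review bot: The new leading `^` in the Generic Secret regex sits before the optional quote, so an indented quoted key such as `  "client_secret": "…"` only matches if the scanner hands the rule a whitespace-trimmed line: `^` consumes nothing, `['\"]?` meets a space instead of a quote, and the literal `secret` then has to match the quote character. Whether lines are trimmed first is not visible in this diff; if they are not, moving the whitespace class in front of the quote, `"regex": "^(?i)\\s*['\"]?(\\w*_)?secret[_]?(key)?['\"]?\\s*(:|=)\\s*['\"]?([A-Za-z0-9\/~^_!@&%()=?*+-]{10,})['\"]?"`, keeps the anchor without dropping indented keys. Note also that without `(?m)` the `^` is a start-of-text anchor, so if the rule is ever applied to a whole-file buffer rather than line by line it will only match the first line. The allowRule in the second hunk mirrors the new `(\\w*_)?` prefix group but not the anchor, which is fine for an allow list but should be kept in step if the anchor is reworked.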
@@ -1,10 +1,12 @@ ## Password and Secrets -Being the only query written in Golang, it involves several rules to cover the maximum possible cases. These rules bases on regexes. +Being the only query written in Golang, it involves several rules to cover the maximum possible cases. These rules are based on regexes. The default rules can be found [here](https://github.com/Checkmarx/kics/blob/master/assets/queries/common/passwords_and_secrets/regex_rules.json). Each one is mainly composed of id, name and regex. -Since there are cases where it is necessary to filter the results of these rules (i.e. cases to exclude), you can use **allowRules**. +Since there are cases where it is necessary to filter the results of these rules (i.e. cases to exclude), you can use **allowRules**. Basically, there are two types: **specific allowRules**, which is just applied to a specific rule and **generic allowRules**, which is applied to all rules. +**NOTE:** Terraform variables will not be resolved. Password and Secrets query will scan and point directly to tfvars file. + ```json { "rules": [ @@ -25,13 +27,13 @@ Basically, there are two types: **specific allowRules**, which is just applied t "description": "brief description about the cases to exclude", "regex": "golang flavor regex" } - ] + ] } ``` #### Example -The present rule defines a pattern that finds generic tokens. +The present rule defines a pattern that finds generic tokens. Since, in Terraform, we can come across cases like `token_key = data.terraform_remote_state.rancher.outputs.token_key`, we can use a **specific allowRules** (Avoiding TF resource access) to exclude these cases. Moreover, to exclude scenarios like `automountServiceAccountToken: false`, we can use a **generic allowRules** (Avoiding Boolean's) to be applied not only in this rule but also in the remaining ones. 
@@ -56,7 +58,7 @@ Moreover, to exclude scenarios like `automountServiceAccountToken: false`, we ca
 "description": "Avoiding Boolean's",
 "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*[=:]\\s*['\"]?(true|false)['\"]?"
 }
- ]
+ ]
 }
 ```
diff --git a/pkg/analyzer/analyzer.go b/pkg/analyzer/analyzer.go
index 0905a011658..0239ca99717 100644
--- a/pkg/analyzer/analyzer.go
+++ b/pkg/analyzer/analyzer.go
@@ -104,7 +104,7 @@ func worker(path string, results, unwanted chan<- string, wg *sync.WaitGroup) {
 case ".dockerfile", "Dockerfile":
 results <- "dockerfile"
 // Terraform
- case ".tf":
+ case ".tf", "tfvars":
 results <- "terraform"
 // Cloud Formation, Ansible, OpenAPI
 case yaml, yml, ".json":
diff --git a/pkg/parser/terraform/terraform.go b/pkg/parser/terraform/terraform.go
index 3f8866bb6f5..bbe04403536 100644
--- a/pkg/parser/terraform/terraform.go
+++ b/pkg/parser/terraform/terraform.go
@@ -108,7 +108,7 @@ func (p *Parser) Parse(path string, content []byte) ([]model.Document, error) {
 // SupportedExtensions returns Terraform extensions
 func (p *Parser) SupportedExtensions() []string {
- return []string{".tf"}
+ return []string{".tf", ".tfvars"}
 }
 // SupportedTypes returns types supported by this parser, which are terraform
diff --git a/pkg/parser/terraform/terraform_test.go b/pkg/parser/terraform/terraform_test.go
index a7a7d0ba531..12cf1f8b459 100644
--- a/pkg/parser/terraform/terraform_test.go
+++ b/pkg/parser/terraform/terraform_test.go
@@ -37,7 +37,7 @@ func TestParser_SupportedTypes(t *testing.T) {
 // TestParser_SupportedExtensions tests the functions [SupportedExtensions()] and all the methods called by them
 func TestParser_SupportedExtensions(t *testing.T) {
 p := &Parser{}
- require.Equal(t, []string{".tf"}, p.SupportedExtensions())
+ require.Equal(t, []string{".tf", ".tfvars"}, p.SupportedExtensions())
 }
 // Test_Parser tests the functions [Parser()] and all the methods called by them
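Review bot: `"tfvars"` in the new `case ".tf", "tfvars":` has no leading dot, unlike its sibling `".tf"` and unlike the `".tfvars"` the parser advertises in the terraform.go hunk of this same commit. If the switched value comes from `filepath.Ext` (the switch expression and the start of `worker` are outside the hunk), a `.tfvars` file will never reach `results <- "terraform"` here, and the tfvars scanning the docs promise would depend on the parser path alone. The neighbouring `".dockerfile", "Dockerfile"` case suggests bare file names are compared too, but a file named exactly `tfvars` is not what the change is after. Suggested: `case ".tf", ".tfvars":`.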
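Review bot: The doc comment above `SupportedExtensions` still reads `// SupportedExtensions returns Terraform extensions` while the function now also returns `.tfvars`; since `.tfvars` files hold variable values rather than module configuration, and are a common place for credentials to end up, that is worth stating for readers of the parser. Suggested: `// SupportedExtensions returns the file extensions routed to this parser: .tf module files and .tfvars variable files.` `Parse` begins outside this hunk, so whether it treats tfvars content any differently is not visible here.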
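Review bot: The updated assertion only checks that `.tfvars` is advertised; nothing in this hunk feeds tfvars content through `Parse`, which starts outside the hunk and is the part the new extension actually exercises. A small case that parses a constructed body of plain assignments, e.g. `_, err := p.Parse("vars.tfvars", []byte("db_password = \"placeholder-value\"\n"))` followed by `require.NoError(t, err)`, would confirm the format is accepted rather than just listed.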