diff --git a/defaults/main.yml b/defaults/main.yml
index 3b8cd4a..3fe96c1 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -361,7 +361,7 @@ rhel9cis_allow_autofs: false
 # DO NOT USE PLAIN TEXT PASSWORDS!!!!!
 # The intent here is to use a password utility like Ansible Vault here
 rhel9cis_rh_sub_user: user
-rhel9cis_rh_sub_password: password
+rhel9cis_rh_sub_password: password # pragma: allowlist secret
 # 1.2.2
 # Do you require rhnsd
@@ -373,8 +373,8 @@ rhel9cis_rhel_default_repo: true
 rhel9cis_rule_enable_repogpg: true
 # 1.4.1 Bootloader password
-rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B'
-rhel9cis_bootloader_password: random
+rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.10000.9306A36764A7BEA3BF492D1784396B27F52A71812E9955A58709F94EE70697F9BD5366F36E07DEC41B52279A056E2862A93E42069D7BBB08F5DFC2679CD43812.6C32ADA5449303AD5E67A4C150558592A05381331DE6B33463469A236871FA8E70738C6F9066091D877EF88A213C86825E093117F30E9E1BF158D0DB75E7581B' # pragma: allowlist secret
+rhel9cis_bootloader_password: random # pragma: allowlist secret
 rhel9cis_set_boot_pass: true
 # 1.8 Gnome Desktop
diff --git a/tasks/main.yml b/tasks/main.yml
index e1cd780..60f4fbc 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -35,7 +35,7 @@
 fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
 success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user"
 vars:
- sudo_password_rule: rhel9cis_rule_5_3_4
+ sudo_password_rule: rhel9cis_rule_5_3_4 # pragma: allowlist secret
 when:
 - rhel9cis_rule_5_3_4
 - ansible_env.SUDO_USER is defined
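Review bot: The `# pragma: allowlist secret` on `rhel9cis_rh_sub_password: password` mutes the secret scanner on exactly the line where a real subscription password would land if someone later replaces the placeholder in place, so the scanner can no longer catch the mistake that the "DO NOT USE PLAIN TEXT PASSWORDS" comment two lines above warns about. An allowlist is fine for a genuine false positive, but for a placeholder credential it is safer to keep the scanner armed and enforce the intent at runtime instead, mirroring the bootloader-hash guard in tasks/main.yml: `- name: Check rhel9cis_rh_sub_password has been changed` / `ansible.builtin.assert:` / `that: rhel9cis_rh_sub_password != 'password'`. Where this variable is consumed is not visible in this hunk, so the `when:` condition that gates subscription registration would need to be confirmed before adding that task.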
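Review bot: The default `rhel9cis_bootloader_password_hash` is a complete `grub.pbkdf2.sha512.10000.…` hash committed to a public repository, not a sentinel, and the guard task in tasks/main.yml in this same diff only rejects the literal `'grub.pbkdf2.sha512.changethispassword'`; a deployment that never overrides the variable therefore passes the "has been changed" check and, with `rhel9cis_set_boot_pass: true` as the default, ends up with a GRUB password whose hash is public and can be attacked offline. Rather than allowlisting the hash for the scanner, replace the default with the sentinel the guard already expects, `rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'`, which needs no pragma and makes the assert actually fire. How `rhel9cis_bootloader_password: random` is consumed is not visible here; if nothing reads it, dropping it is cleaner than allowlisting it.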
@@ -107,7 +107,7 @@
 - name: Check rhel9cis_bootloader_password_hash variable has been changed
 ansible.builtin.assert:
- that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'
+ that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' # pragma: allowlist secret
 msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly"
 when:
 - rhel9cis_set_boot_pass
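Review bot: The assert only rejects the literal `'grub.pbkdf2.sha512.changethispassword'`, but the default shipped in defaults/main.yml in this same diff is a full `grub.pbkdf2.sha512.10000.…` hash, so with an unchanged default the condition evaluates true and this "variable has been changed" check never fails. Either the default should become that sentinel, or the check should also compare against the value actually shipped; in addition, `.find('grub.pbkdf2.sha512') != -1` accepts the prefix anywhere in the string, whereas an anchored test reflects what GRUB expects: `that:` / `- rhel9cis_bootloader_password_hash is match('grub\.pbkdf2\.sha512\.')` / `- rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'`. The allowlist pragma itself is not the problem; it merely records that the sentinel is not a secret, and it becomes unnecessary once the default and the guard agree.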