diff --git a/assets/queries/common/passwords_and_secrets/regex_rules.json b/assets/queries/common/passwords_and_secrets/regex_rules.json
index 4620f0285cd..a1060714c79 100644
--- a/assets/queries/common/passwords_and_secrets/regex_rules.json
+++ b/assets/queries/common/passwords_and_secrets/regex_rules.json
@@ -402,6 +402,10 @@
 "description": "Avoiding TF variables",
 "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*=\\s*['\"]?(var\\.)['\"]?"
 },
+ {
+ "description": "Avoiding TF local references",
+ "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*=\\s*['\"]?(local\\.[a-zA-Z_][a-zA-Z0-9_]*(\\.[a-zA-Z_][a-zA-Z0-9_]*|\\[[^\\]]+\\])*)['\"]?\\s*$"
+ },
 {
 "description": "!Ref is a cloudFormation reference",
 "regex": "(?i)['\"]?[a-zA-Z_]+['\"]?\\s*:\\s+!Ref\\s+\\.*"
diff --git a/assets/queries/common/passwords_and_secrets/test/negative60.tf b/assets/queries/common/passwords_and_secrets/test/negative60.tf
new file mode 100644
index 00000000000..5440744dba7
--- /dev/null
+++ b/assets/queries/common/passwords_and_secrets/test/negative60.tf
@@ -0,0 +1,15 @@
+locals {
+ rds_password = jsondecode(data.aws_secretsmanager_secret_version.rds_secrets.secret_string)["password"]
+}
+
+module "dummydb" {
+ source = "terraform-aws-modules/rds/aws"
+ password = local.rds_password
+}
+
+module "orchestrator" {
+ source = "foo"
+ services_environment_variables = local.services_environment_variables
+ services_environment_variables_ssm = local.services_environment_variables_ssm
+ services_environment_variables_secret = local.services_environment_variables_secret
+}
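Review bot: The new "Avoiding TF local references" regex is anchored with `\s*$`, so a `local.` reference followed by a trailing comment or used inside a larger expression (for example wrapped in a function call) will not be exempted, whereas the sibling "Avoiding TF variables" entry just above exempts any value that merely begins with `var.`; the two rules in the same list therefore behave differently for equivalent inputs, which looks unintentional. Because these entries suppress detection rather than add it, the quotes being optional on both sides of the reference also means a plain string literal such as `"local.foo"` is exempted, the same looseness the var rule already has, which is probably harmless but worth stating. The file has no comment syntax, so the rationale belongs in the description, e.g. `"description": "Avoiding TF local references (whole-value reference only, trailing comments not handled)"`, or alternatively drop the `\s*$` anchor so the rule matches the var rule's behaviour.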
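Review bot: The new negative fixture only exercises the bare `local.name` form, while the regex it accompanies also has branches for chained attributes (`local.a.b`) and index expressions (`local.a["k"]`), so a regression in those alternations would not be caught by this test. Adding one attribute of each shape to the `module "orchestrator"` block, e.g. `db_password = local.secrets["password"]` and `api_token = local.creds.token` (constructed sample lines), would cover the whole pattern. The `rds_password` local on the first lines also references `data.` rather than `local.`, so it presumably relies on a different exemption than the one added here — worth confirming it is not what makes the fixture pass.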