diff --git a/code/go/internal/validator/spec.go b/code/go/internal/validator/spec.go
index 5929c29ff..3c33ba14b 100644
--- a/code/go/internal/validator/spec.go
+++ b/code/go/internal/validator/spec.go
@@ -107,6 +107,7 @@ func processErrors(errs specerrors.ValidationErrors) specerrors.ValidationErrors
new string
}{
{"Must not validate the schema (not)", "Must not be present"},
+ {"secret is required", "variable identified as possible secret, secret parameter required to be set to true or false"},
}
redundant := []string{
"Must validate \"then\" as \"if\" was valid",
@@ -118,18 +119,15 @@ func processErrors(errs specerrors.ValidationErrors) specerrors.ValidationErrors
for _, e := range errs {
for _, msg := range msgTransforms {
if strings.Contains(e.Error(), msg.original) {
- processedErrs = append(processedErrs,
- specerrors.NewStructuredError(
- errors.New(strings.Replace(e.Error(), msg.original, msg.new, 1)),
- specerrors.UnassignedCode),
- )
- continue
+ e = specerrors.NewStructuredError(
+ errors.New(strings.Replace(e.Error(), msg.original, msg.new, 1)),
+ specerrors.UnassignedCode)
}
- if substringInSlice(e.Error(), redundant) {
- continue
- }
- processedErrs = append(processedErrs, e)
}
+ if substringInSlice(e.Error(), redundant) {
+ continue
+ }
+ processedErrs = append(processedErrs, e)
}

return processedErrs
diff --git a/code/go/pkg/validator/validator_test.go b/code/go/pkg/validator/validator_test.go
index ceacec600..ec4a820fc 100644
--- a/code/go/pkg/validator/validator_test.go
+++ b/code/go/pkg/validator/validator_test.go
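Review bot: The transform match at `if strings.Contains(e.Error(), msg.original)` is a substring test, so any JSON-schema "required" error for a property whose name merely ends in `secret` (a hypothetical `client_secret is required`, for instance) would be rewritten into the "variable identified as possible secret" message, which is wrong for that field. The expected strings in validator_test.go show errors rendered as `field <path>: <description>`, so anchoring on the separator, `if strings.HasSuffix(e.Error(), ": "+msg.original) {`, keeps the rewrite to the exact `secret is required` description (assuming every message is rendered that way, which is worth confirming against the other transform entry). Note also that the rebuilt error is created with `specerrors.UnassignedCode`, so whatever code the original structured error carried is dropped and the rewritten error cannot be excluded by code; if that is intended, a one-line comment saying so would help the next reader. processErrors starts before this hunk and its closing brace is after it.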
@@ -193,6 +193,13 @@ func TestValidateFile(t *testing.T) {
"field vars.0: Additional property secret is not allowed",
},
},
+ "bad_secret_vars_v3": {
+ "manifest.yml",
+ []string{
+ "field vars.0: variable identified as possible secret, secret parameter required to be set to true or false",
+ "field vars.1: variable identified as possible secret, secret parameter required to be set to true or false",
+ },
+ },
"bad_lifecycle": {
"data_stream/test/lifecycle.yml",
[]string{
@@ -250,8 +257,13 @@ func TestValidateFile(t *testing.T) {
filter := specerrors.NewFilter(&specerrors.ConfigFilter{
Errors: specerrors.Processors{
- // TODO: Actually fix the references instead of ignoring the error.
- ExcludeChecks: []string{"SVR00004"},
+ ExcludeChecks: []string{
+ // Allow to test unreleased features in "good" packages.
+ "PSR00001",
+
+ // TODO: Actually fix the references instead of ignoring the error.
+ "SVR00004",
+ },
},
})
diff --git a/spec/changelog.yml b/spec/changelog.yml
index b4f603baf..5c2a1a94e 100644
--- a/spec/changelog.yml
+++ b/spec/changelog.yml
@@ -10,6 +10,9 @@
- description: Add parquet files in terraform service deployer
type: enhancement
link: https://github.com/elastic/package-spec/pull/662
+ - description: Require to define if a variable is a secret if it looks like a secret
+ type: enhancement
+ link: https://github.com/elastic/package-spec/pull/665
- version: 3.0.1
changes:
- description: Using non-GA versions of the spec in GA packages produces a filterable validation error instead of a warning
diff --git a/spec/integration/data_stream/manifest.spec.yml b/spec/integration/data_stream/manifest.spec.yml
index ee103799b..d104adad0 100644
--- a/spec/integration/data_stream/manifest.spec.yml
+++ b/spec/integration/data_stream/manifest.spec.yml
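Review bot: The new `"PSR00001"` entry in `ExcludeChecks` applies to every fixture driven by TestValidateFile, not only the "good" packages the comment mentions, so any fixture in this table that was expected to surface that check (presumably the non-GA spec version error the 3.0.1 changelog entry describes as filterable) is now silently passed unless a separate test covers it. Making the comment match the real scope, `// Fixtures use unreleased spec versions; ignore the non-GA spec check for every package in this table.`, and keeping a dedicated test for PSR00001 would avoid losing that coverage. The case table and the filter construction both belong to TestValidateFile, whose body starts before and continues after these hunks.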
@@ -115,39 +115,51 @@ spec:
default:
description: Default value(s) for variable
$ref: "#/definitions/input_variable_value"
- if:
- properties:
- type:
- const: select
- then:
- required:
- - options
- properties:
- options:
- description: List of options for select type
- type: array
- items:
- type: object
- additionalProperties: false
- properties:
- value:
- type: string
- examples:
- - node
- - cluster
- text:
- type: string
- examples:
- - node
- - cluster
- required:
- - value
- - text
- min_items: 1
- else:
- not:
- required:
- - options
+ allOf:
+ - if:
+ properties:
+ type:
+ const: select
+ then:
+ required:
+ - options
+ properties:
+ options:
+ description: List of options for select type
+ type: array
+ items:
+ type: object
+ additionalProperties: false
+ properties:
+ value:
+ type: string
+ examples:
+ - node
+ - cluster
+ text:
+ type: string
+ examples:
+ - node
+ - cluster
+ required:
+ - value
+ - text
+ min_items: 1
+ else:
+ not:
+ required:
+ - options
+ - if:
+ anyOf:
+ - properties:
+ name:
+ pattern: "(password|api_key|access_key|token)"
+ - properties:
+ type:
+ const: password
+ then:
+ required:
+ - secret
required:
- name
- type
@@ -494,6 +506,11 @@ spec:
- title
# JSON patches for newer versions should be placed on top
versions:
+ - before: 3.0.2
+ patch:
+ # Required secret for variables that look like secrets.
+ - op: remove
+ path: /definitions/vars/items/allOf/1
- before: 3.0.0
patch:
# Stricter validation of elasticsearch settings and mappings.
diff --git a/test/packages/bad_secret_vars_v3/LICENSE.txt b/test/packages/bad_secret_vars_v3/LICENSE.txt
new file mode 100644
index 000000000..809108b85
--- /dev/null
+++ b/test/packages/bad_secret_vars_v3/LICENSE.txt
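Review bot: The name heuristic `pattern: "(password|api_key|access_key|token)"` is an unanchored, case-sensitive match that misses several common secret names — `secret` itself (e.g. `client_secret`), `passwd`, `private_key`, `secret_key` — as well as camel or upper case spellings such as `apiKey` or `Password`, so a plain-text variable with any of those names still needs no `secret` declaration. Widening the alternation, `pattern: "(password|passwd|secret|api_key|access_key|private_key|token)"`, closes the most common gaps; the JSON Schema spec defines `pattern` as an ECMA 262 regex, which has no inline case-insensitive flag, so if portability across validators matters the case variants need explicit alternatives or a separate check. Because the match is a substring, names like `tokenizer` or `max_tokens` are flagged too, which only costs the author an explicit `secret: false` — and that same escape hatch applies to a real secret, so this rule is a prompt rather than an enforcement; a comment above the second `- if:` saying so would set expectations for package authors. The `vars` items definition this sits in starts before the hunk.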
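Review bot: The patch path `/definitions/vars/items/allOf/1` is positional, so inserting another entry into that `allOf` ahead of the secret rule would make this version patch remove the wrong rule — keeping the secret requirement enforced on pre-3.0.2 packages while dropping the select/options validation — without any error. A comment next to the path, `# index 1 is the possible-secret rule; keep it as the last allOf entry or update this pointer`, makes the coupling visible. Both `allOf` entries are defined in the earlier hunk of this file.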
@@ -0,0 +1,93 @@ +Elastic License 2.0 + +URL: https://www.elastic.co/licensing/elastic-license + +## Acceptance + +By using the software, you agree to all of the terms and conditions below. + +## Copyright License + +The licensor grants you a non-exclusive, royalty-free, worldwide, +non-sublicensable, non-transferable license to use, copy, distribute, make +available, and prepare derivative works of the software, in each case subject to +the limitations and conditions below. + +## Limitations + +You may not provide the software to third parties as a hosted or managed +service, where the service provides users with access to any substantial set of +the features or functionality of the software. + +You may not move, change, disable, or circumvent the license key functionality +in the software, and you may not remove or obscure any functionality in the +software that is protected by the license key. + +You may not alter, remove, or obscure any licensing, copyright, or other notices +of the licensor in the software. Any use of the licensor’s trademarks is subject +to applicable law. + +## Patents + +The licensor grants you a license, under any patent claims the licensor can +license, or becomes able to license, to make, have made, use, sell, offer for +sale, import and have imported the software, in each case subject to the +limitations and conditions in this license. This license does not cover any +patent claims that you cause to be infringed by modifications or additions to +the software. If you or your company make any written claim that the software +infringes or contributes to infringement of any patent, your patent license for +the software granted under these terms ends immediately. If your company makes +such a claim, your patent license ends immediately for work on behalf of your +company. + +## Notices + +You must ensure that anyone who gets a copy of any part of the software from you +also gets a copy of these terms. 
+ +If you modify the software, you must include in any modified copies of the +software prominent notices stating that you have modified the software. + +## No Other Rights + +These terms do not imply any licenses other than those expressly granted in +these terms. + +## Termination + +If you use the software in violation of these terms, such use is not licensed, +and your licenses will automatically terminate. If the licensor provides you +with a notice of your violation, and you cease all violation of this license no +later than 30 days after you receive that notice, your licenses will be +reinstated retroactively. However, if you violate these terms after such +reinstatement, any additional violation of these terms will cause your licenses +to terminate automatically and permanently. + +## No Liability + +*As far as the law allows, the software comes as is, without any warranty or +condition, and the licensor will not be liable to you for any damages arising +out of these terms or the use or nature of the software, under any kind of +legal claim.* + +## Definitions + +The **licensor** is the entity offering these terms, and the **software** is the +software the licensor makes available under these terms, including any portion +of it. + +**you** refers to the individual or entity agreeing to these terms. + +**your company** is any legal entity, sole proprietorship, or other kind of +organization that you work for, plus all organizations that have control over, +are under the control of, or are under common control with that +organization. **control** means ownership of substantially all the assets of an +entity, or the power to direct its management and policies by vote, contract, or +otherwise. Control can be direct or indirect. + +**your licenses** are all the licenses granted to you for the software under +these terms. + +**use** means anything you do with the software requiring one of your licenses. 
+ +**trademark** means trademarks, service marks, and similar rights. diff --git a/test/packages/bad_secret_vars_v3/changelog.yml b/test/packages/bad_secret_vars_v3/changelog.yml new file mode 100644 index 000000000..bb0320a52 --- /dev/null +++ b/test/packages/bad_secret_vars_v3/changelog.yml @@ -0,0 +1,6 @@ +# newer versions go on top +- version: "0.0.1" + changes: + - description: Initial draft of the package + type: enhancement + link: https://github.com/elastic/integrations/pull/1 # FIXME Replace with the real PR link diff --git a/test/packages/bad_secret_vars_v3/docs/README.md b/test/packages/bad_secret_vars_v3/docs/README.md new file mode 100644 index 000000000..0788220aa --- /dev/null +++ b/test/packages/bad_secret_vars_v3/docs/README.md @@ -0,0 +1,84 @@ + + + +# Bad Select Vars + + + +## Data streams + + + + + + + + + + + +## Requirements + +You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. +You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware. + + + +## Setup + + + +For step-by-step instructions on how to set up an integration, see the +[Getting started](https://www.elastic.co/guide/en/welcome-to-elastic/current/getting-started-observability.html) guide. + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/test/packages/bad_secret_vars_v3/img/sample-logo.svg b/test/packages/bad_secret_vars_v3/img/sample-logo.svg new file mode 100644 index 000000000..6268dd88f --- /dev/null +++ b/test/packages/bad_secret_vars_v3/img/sample-logo.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/test/packages/bad_secret_vars_v3/img/sample-screenshot.png b/test/packages/bad_secret_vars_v3/img/sample-screenshot.png new file mode 100644 index 000000000..d7a56a3ec Binary files /dev/null and b/test/packages/bad_secret_vars_v3/img/sample-screenshot.png differ 
diff --git a/test/packages/bad_secret_vars_v3/manifest.yml b/test/packages/bad_secret_vars_v3/manifest.yml
new file mode 100644
index 000000000..5183600b4
--- /dev/null
+++ b/test/packages/bad_secret_vars_v3/manifest.yml
@@ -0,0 +1,44 @@
+format_version: 3.0.2
+name: bad_secret_vars_v3
+title: "Bad Select Vars"
+version: 0.0.1
+source:
+ license: "Elastic-2.0"
+description: "Invalid test package with secret vars"
+type: integration
+categories:
+ - custom
+conditions:
+ kibana:
+ version: "^8.6.2"
+ elastic:
+ subscription: "basic"
+vars:
+ - name: package_secret_by_type
+ type: password
+ title: Package Level Secret
+ show_user: true
+ - name: package_api_key
+ type: text
+ title: Package API Key
+screenshots:
+ - src: /img/sample-screenshot.png
+ title: Sample screenshot
+ size: 600x600
+ type: image/png
+icons:
+ - src: /img/sample-logo.svg
+ title: Sample logo
+ size: 32x32
+ type: image/svg+xml
+policy_templates:
+ - name: sample
+ title: Sample logs
+ description: Collect sample logs
+ inputs:
+ - type: logfile
+ title: Collect sample logs from instances
+ description: Collecting sample logs
+owner:
+ type: elastic
+ github: elastic/ecosystem
diff --git a/test/packages/good_v3/manifest.yml b/test/packages/good_v3/manifest.yml
index 4c22464c2..1e33ff455 100644
--- a/test/packages/good_v3/manifest.yml
+++ b/test/packages/good_v3/manifest.yml
@@ -1,4 +1,4 @@
-format_version: 3.0.0
+format_version: 3.0.2
name: good_v3
title: Good package
description: This package is good for format version 3
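Review bot: The fixture's `title: "Bad Select Vars"` (and the matching README heading) looks copied from the select-vars fixture; `title: "Bad Secret Vars"` would keep test output self-describing. The two vars cover the type-`password` branch and the `api_key` name branch of the new rule, but nothing in this diff shows that an explicit `secret: false` on such a var is accepted, which is the escape hatch the rule relies on; if no good fixture already declares one, adding it would pin that side of the contract.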