Hardcoded Secrets

Hardcoded API keys (Stripe, AWS, Supabase, OpenAI, GitHub)

critical · Security · secrets

Why this matters

Hardcoded secrets end up in git history, build logs, error reports and client bundles. Once a key has been pushed, deleting or rewriting the commit is not enough: the key must be rotated, because attackers scan public repositories continuously and may already hold a copy. A key shipped in a client bundle is worse still, since anyone who loads the page can read it.
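Attackers are not the only ones who can scan for these patterns: the same matching, run as a pre-commit hook or CI step, catches a key before it reaches the remote. The following is an added example and not code from the original rule page. The regexes are simplified forms of the public key formats for the providers named above (an assumption; real scanners carry far larger rule sets), the sample file contents are constructed, the AWS access key ID is the one AWS uses in its own documentation rather than a live credential, and the placeholder filter is a heuristic of my own.

```javascript
// Added example: a minimal hardcoded-secret scanner, the kind run as a pre-commit
// hook or CI job. The regexes are simplified forms of the public key formats and
// are an assumption; production scanners carry far larger rule sets.
const SECRET_PATTERNS = [
  { kind: "stripe-secret-key", re: /\bsk_(?:live|test)_[0-9A-Za-z]{16,}\b/g },
  { kind: "aws-access-key-id", re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
  { kind: "github-token", re: /\bgh[pousr]_[0-9A-Za-z]{36}\b/g },
  { kind: "openai-api-key", re: /\bsk-[A-Za-z0-9_-]{20,}\b/g },
  // Supabase anon/service_role keys are JWTs, so match the three base64url segments.
  { kind: "jwt", re: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g },
];

// Documentation placeholders such as sk_live_XXXXXXXXXXXXXXXX would otherwise match.
// Heuristic (assumption): six or more identical consecutive characters, or a run of x's.
function looksLikePlaceholder(value) {
  return /(.)\1{5,}/.test(value) || /x{4,}/i.test(value);
}

// Never echo the full secret into logs or CI output; show only enough to locate it.
function redact(value) {
  return value.slice(0, 8) + "..." + value.slice(-4);
}

// Scan one file's text line by line; returns {path, line, kind, preview} per hit.
function scanText(path, text) {
  const findings = [];
  text.split("\n").forEach((lineText, index) => {
    for (const { kind, re } of SECRET_PATTERNS) {
      for (const match of lineText.matchAll(re)) {
        if (looksLikePlaceholder(match[0])) continue;
        findings.push({ path, line: index + 1, kind, preview: redact(match[0]) });
      }
    }
  });
  return findings;
}

// Scan a {path: contents} map, e.g. the staged files in a pre-commit hook.
function scanFiles(files) {
  return Object.entries(files).flatMap(([path, text]) => scanText(path, text));
}

// A hook exits non-zero on any finding so the commit is blocked.
function exitCodeFor(findings) {
  return findings.length > 0 ? 1 : 0;
}

// Constructed sample repository contents (not real credentials). The AWS access key
// ID is the one AWS uses in its own documentation; the rest are made-up strings in
// the right shape.
const SAMPLE_FILES = {
  "src/payments.ts": [
    'import Stripe from "stripe";',
    'const stripe = new Stripe("sk_live_51abc123def456ghi789jkl");',
  ].join("\n"),
  "src/config.ts": "export const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);\n",
  "src/llm.ts": 'const openai = new OpenAI({ apiKey: "sk-proj-abcdefghijklmnopqrstuvwxyz0123" });\n',
  "src/s3.ts": [
    "const client = new S3Client({",
    '  credentials: { accessKeyId: "AKIAIOSFODNN7EXAMPLE", secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY },',
    "});",
  ].join("\n"),
  "scripts/release.sh": "export GITHUB_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8\n",
  "supabase/admin.ts": 'const admin = createClient(url, "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoic2VydmljZV9yb2xlIn0.c2lnbmF0dXJl");\n',
  "docs/setup.md": "Put STRIPE_SECRET_KEY=sk_live_XXXXXXXXXXXXXXXXXXXXXXXX in your .env file.\n",
};

const findings = scanFiles(SAMPLE_FILES);
for (const f of findings) {
  console.log(`${f.path}:${f.line} ${f.kind} ${f.preview}`);
}
console.log(`exit code: ${exitCodeFor(findings)}`);
```

Run against the constructed files, the scanner reports the five hardcoded keys (Stripe, OpenAI, AWS, GitHub and the Supabase service_role JWT), ignores the line that reads the key from `process.env`, and skips the all-X placeholder in the docs. Wire `scanFiles` to the staged file list in a pre-commit hook, and to the full diff in CI, so the non-zero exit code blocks the push.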

Bad
const stripe = new Stripe(
  "sk_live_51abc123def456ghi789jkl"
);
Good
const stripe = new Stripe(
  process.env.STRIPE_SECRET_KEY!
);

How to fix

Move every secret to an environment variable. Locally, keep them in a .env file that is listed in .gitignore (commit a .env.example with placeholder values instead); in production, use your hosting provider's secret manager. Read the variables once at startup and fail fast if one is missing or malformed, rather than letting process.env.STRIPE_SECRET_KEY! hide the gap until the first API call. Keep server-side keys out of variables with a client-exposed prefix (NEXT_PUBLIC_, VITE_, REACT_APP_ and the like), because bundlers inline those into the shipped JavaScript. Add a secret scanner to pre-commit hooks and CI so a key never reaches the remote, and rotate any key that already has.
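One way to do the startup check described above, as an added example that is not part of the original rule page: validate every required variable at once, reject values of the wrong shape (for instance a publishable pk_live_ key pasted where the secret belongs), and refuse to start if a server-side secret is also exported under a client-visible prefix. The variable names, key formats and the list of public prefixes are assumptions, and the two environments are constructed; in the application you would call loadSecrets(process.env).

```javascript
// Added example: read secrets from the environment once at startup and fail fast.
// Variable names, key formats and public prefixes are assumptions for illustration.
const REQUIRED_SECRETS = {
  STRIPE_SECRET_KEY: /^sk_(?:live|test)_[0-9A-Za-z]{16,}$/,
  OPENAI_API_KEY: /^sk-[A-Za-z0-9_-]{20,}$/,
  SUPABASE_SERVICE_ROLE_KEY: /^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/, // a JWT
};

// Prefixes that front-end bundlers inline into the shipped client bundle.
const PUBLIC_PREFIXES = ["NEXT_PUBLIC_", "VITE_", "REACT_APP_", "EXPO_PUBLIC_"];

// Check an environment map and report every problem at once, not just the first.
function validateSecrets(env) {
  const problems = [];
  const secrets = {};
  for (const [name, format] of Object.entries(REQUIRED_SECRETS)) {
    const value = env[name];
    if (!value) {
      problems.push(`${name} is not set`);
    } else if (!format.test(value)) {
      // Catches e.g. a publishable pk_live_ key pasted where the secret key belongs.
      problems.push(`${name} does not look like a valid key`);
    } else {
      secrets[name] = value;
    }
  }
  // A secret that is also exported under a public prefix ends up in the client bundle,
  // whatever its validity, so compare against the raw values of the required variables.
  const secretValues = new Set(Object.keys(REQUIRED_SECRETS).map((n) => env[n]).filter(Boolean));
  for (const [name, value] of Object.entries(env)) {
    if (PUBLIC_PREFIXES.some((p) => name.startsWith(p)) && secretValues.has(value)) {
      problems.push(`${name} re-exports a server-side secret under a client-visible prefix`);
    }
  }
  return { secrets: Object.freeze(secrets), problems };
}

// Application entry point: call loadSecrets(process.env) before any request handling,
// so a misconfigured deployment refuses to start instead of failing on the first call.
function loadSecrets(env) {
  const { secrets, problems } = validateSecrets(env);
  if (problems.length > 0) {
    throw new Error("Invalid secret configuration:\n  " + problems.join("\n  "));
  }
  return secrets;
}

// Constructed environments (not real credentials) to demonstrate both outcomes.
const GOOD_ENV = {
  STRIPE_SECRET_KEY: "sk_test_51H9a2Kd4fG7jQ3mP8nR0sT5",
  OPENAI_API_KEY: "sk-proj-abcdefghijklmnopqrstuvwxyz0123",
  SUPABASE_SERVICE_ROLE_KEY: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoic2VydmljZV9yb2xlIn0.c2lnbmF0dXJl",
  // The anon key is meant to be public, so a public prefix is fine for it.
  NEXT_PUBLIC_SUPABASE_ANON_KEY: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYW5vbiJ9.YW5vbi1zaWduYXR1cmU",
};

const BAD_ENV = {
  STRIPE_SECRET_KEY: "pk_live_51abc123def456ghi789jkl", // publishable key, not the secret
  SUPABASE_SERVICE_ROLE_KEY: GOOD_ENV.SUPABASE_SERVICE_ROLE_KEY,
  // Same value re-exported for the client: it would be inlined into the bundle.
  NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY: GOOD_ENV.SUPABASE_SERVICE_ROLE_KEY,
  // OPENAI_API_KEY deliberately missing
};

console.log("loaded:", Object.keys(loadSecrets(GOOD_ENV)));
try {
  loadSecrets(BAD_ENV);
} catch (err) {
  console.log(err.message);
}
```

The returned object is frozen and holds only the validated keys, so the rest of the code imports it rather than reaching into process.env in a hundred places; that also makes the one read site the obvious place to swap in a secret manager client later. Reporting all problems together, instead of throwing on the first, keeps an operator from fixing variables one restart at a time.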
