Hardcode Secrets
Embedding API keys, database passwords, signing keys, or other secrets directly in the source repository, in tracked config files (`config.yml`, `application.properties`, `secrets.…
$ prime install @security/anti-pattern-hardcode-secrets
Projection
Always in _index.xml · the agent never has to ask for this.
HardcodeSecrets [anti-pattern] v0.1.0
Embedding API keys, database passwords, signing keys, or other secrets directly in the source repository, in tracked config files (config.yml, application.properties, secrets.json), in Dockerfile ENV directives, or in CI variables stored as plaintext.
Loaded when retrieval picks the atom as adjacent / supporting.
HardcodeSecrets [anti-pattern] v0.1.0
Embedding API keys, database passwords, signing keys, or other secrets directly in the source repository, in tracked config files (config.yml, application.properties, secrets.json), in Dockerfile ENV directives, or in CI variables stored as plaintext.
Label
Hardcoding secrets in source, config files, or container images
Why Bad
Repositories leak — to forks, mirrors, build artefacts, log lines, screenshots, accidental public visibility, ex-employee laptops. Once a secret is in git history it lives forever; rewriting history doesn't help once it's been cloned. Bots scan public GitHub continuously and exploit leaked AWS keys within minutes.
Instead Do
1. Remove the secret. Don't 'fix it later'.
2. Rotate the secret immediately on the originating system. Treat any committed secret as compromised, even if the commit was reverted within seconds.
3. Replace the read with a runtime fetch from the secrets manager.
4. Add a pre-commit secret scanner (gitleaks, ggshield, trufflehog) so the next attempt is caught before push.
For a true 'config + secret' separation: config in repo, secret in vault, application combines them at startup.
Loaded when retrieval picks the atom as a focal / direct hit.
HardcodeSecrets [anti-pattern] v0.1.0
Embedding API keys, database passwords, signing keys, or other secrets directly in the source repository, in tracked config files (config.yml, application.properties, secrets.json), in Dockerfile ENV directives, or in CI variables stored as plaintext.
Label
Hardcoding secrets in source, config files, or container images
Why Bad
Repositories leak — to forks, mirrors, build artefacts, log lines, screenshots, accidental public visibility, ex-employee laptops. Once a secret is in git history it lives forever; rewriting history doesn't help once it's been cloned. Bots scan public GitHub continuously and exploit leaked AWS keys within minutes.
Instead Do
1. Remove the secret. Don't 'fix it later'.
2. Rotate the secret immediately on the originating system. Treat any committed secret as compromised, even if the commit was reverted within seconds.
3. Replace the read with a runtime fetch from the secrets manager.
4. Add a pre-commit secret scanner (gitleaks, ggshield, trufflehog) so the next attempt is caught before push.
For a true 'config + secret' separation: config in repo, secret in vault, application combines them at startup.
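As an added example (not part of this atom or of the scanners it names), the 'config in repo, secret in vault' split in Python: the tracked config holds only references to secrets, a scanner modelled on the pre-commit checks above rejects literal secrets, and the application resolves the references from a secret source at startup. The `${secret:NAME}` reference syntax, the `scan_config` and `resolve_config` functions, the sample configs and the use of environment variables as a stand-in for a secrets manager are all assumptions of this example.

```python
import json
import os
import re

# Constructed sample of a config file that is safe to commit: it carries
# a reference to the secret, never the secret value itself.
REPO_CONFIG = json.loads("""{
  "db_host": "db.internal",
  "db_user": "app",
  "db_password": "${secret:DB_PASSWORD}",
  "aws_region": "eu-west-1"
}""")

# Constructed 'before' config with literal secrets; the AWS-style key is fake.
BAD_CONFIG = {"db_password": "hunter2", "aws_key": "AKIAABCDEFGHIJKLMNOP"}

SECRET_REF = re.compile(r"^\$\{secret:([A-Z0-9_]+)\}$")
# Two rules of the kind a pre-commit scanner applies: a key whose name
# suggests a credential holding a literal, or a value shaped like an AWS key id.
SUSPICIOUS_KEY = re.compile(r"(password|secret|token|api_?key|private_?key)", re.I)
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def scan_config(cfg):
    """Return the keys whose values look like hardcoded secrets."""
    findings = []
    for key, value in cfg.items():
        if not isinstance(value, str) or SECRET_REF.match(value):
            continue  # a reference into the vault is the intended form
        if AWS_KEY_ID.search(value) or SUSPICIOUS_KEY.search(key):
            findings.append(key)
    return findings


def resolve_config(cfg, secret_source):
    """Combine repo config with secrets fetched at startup.

    secret_source maps a secret name to its value (or None if absent); here
    os.environ.get stands in for a call to a secrets manager.
    """
    findings = scan_config(cfg)
    if findings:
        raise ValueError(f"hardcoded secret(s) in config: {findings}")
    resolved = {}
    for key, value in cfg.items():
        match = SECRET_REF.match(value) if isinstance(value, str) else None
        if match is None:
            resolved[key] = value
            continue
        secret = secret_source(match.group(1))
        if secret is None:  # fail closed rather than start with an empty credential
            raise RuntimeError(f"secret {match.group(1)} not available at startup")
        resolved[key] = secret
    return resolved


if __name__ == "__main__":
    os.environ.setdefault("DB_PASSWORD", "constructed-value-from-vault")
    print(resolve_config(REPO_CONFIG, os.environ.get))
```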
Source
prime-system/examples/security-appsec/primes/compiled/@security/anti-pattern-hardcode-secrets/atom.yaml