Beta: ViberTest is in active development — expect breaking changes.
Rule #016 · Severity: critical · Category: Dependencies & Config

Hardcoded Secrets

Detects API keys, tokens, passwords, and connection strings in source code.

Rule ID: hardcoded-secrets

Examples
Bad: API keys and tokens in source code

```javascript
// Hardcoded API keys
const STRIPE_KEY = 'sk_live_abc123def456';
const OPENAI_KEY = 'sk-proj-abc123def456';
const AWS_SECRET = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY';

// Database connection with credentials
const DB_URL = 'postgresql://admin:p@ssw0rd@db.example.com:5432/prod';

// In a config object
const config = {
  apiKey: 'AIzaSyB-abc123def456',
  authDomain: 'myapp.firebaseapp.com',
};
```

Good: Environment variables

.env (NOT committed to git):

```shell
STRIPE_KEY=sk_live_abc123def456
DATABASE_URL=postgresql://admin:p@ssw0rd@db.example.com:5432/prod
```

.env.example (committed — placeholder values):

```shell
STRIPE_KEY=sk_live_your_key_here
DATABASE_URL=postgresql://user:password@localhost:5432/mydb
```

Source code — reads from environment:

```javascript
const stripeKey = process.env.STRIPE_KEY;
const dbUrl = process.env.DATABASE_URL;
```

.gitignore:

```shell
.env
.env.local
```

What It Detects
- critical: AWS, GitHub, OpenAI, Stripe, or Slack tokens detected
  Message: Hardcoded {type} found in source code
  Fix: Move to environment variables. Never commit secrets to version control.
- critical: Database connection strings with credentials
  Message: Database connection string with credentials detected
  Fix: Use DATABASE_URL environment variable.
- critical: Generic API key or password assignments
  Message: Hardcoded credential found
  Fix: Move to .env file and add .env to .gitignore.
Exclusions
The following are automatically excluded from this rule:
- Test files
- Mock/fixture files
- .example/.sample files
- .d.ts files
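To make the three finding types and the exclusion list above concrete, here is an added example of a minimal scanner that produces them. It is illustration written for this page, not ViberTest's own implementation: the regexes, the path exclusion list, and the `scanFile`/`isExcluded` function names are assumptions chosen to match the examples on this page, and the sample source is constructed with placeholder values.

```javascript
// Added illustration, not ViberTest's own code. Patterns are assumptions that
// cover the page's examples; a production rule would use vetted detectors.

// Ordered: vendor-specific token patterns first, generic assignment last, so
// each offending line is reported once with the most precise type.
const PATTERNS = [
  { type: 'AWS access key', kind: 'token', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { type: 'Stripe key', kind: 'token', re: /\bsk_(live|test)_[0-9A-Za-z]{6,}\b/ },
  { type: 'OpenAI key', kind: 'token', re: /\bsk-(proj-)?[0-9A-Za-z_-]{6,}\b/ },
  { type: 'GitHub token', kind: 'token', re: /\bgh[pousr]_[0-9A-Za-z]{6,}\b/ },
  { type: 'Slack token', kind: 'token', re: /\bxox[abprs]-[0-9A-Za-z-]{6,}\b/ },
  { type: 'database connection string', kind: 'dburl',
    re: /\b(postgres(ql)?|mysql|mongodb(\+srv)?|redis):\/\/[^\s'"\/:@]+:[^\s'"@]+@/ },
  { type: 'credential', kind: 'generic',
    re: /(api[_-]?key|secret[_-]?key|secret|password|passwd|token|credential)\s*[:=]\s*['"][^'"]{6,}['"]/i },
];

// File-path exclusions mirroring the rule's documented list (assumed globs).
const EXCLUDED_PATHS = [
  /(^|\/)(test|tests|__tests__|spec)\//i,   // test directories
  /\.(test|spec)\.[cm]?[jt]sx?$/i,          // foo.test.js, foo.spec.ts
  /(^|\/)(__mocks__|mocks?|fixtures?)\//i,  // mock/fixture directories
  /\.(example|sample)(\.|$)/i,              // .env.example, config.sample.json
  /\.d\.ts$/,                               // type declaration files
];

// Fix text per finding kind, taken from the rule's documentation.
const FIXES = {
  token: 'Move to environment variables. Never commit secrets to version control.',
  dburl: 'Use DATABASE_URL environment variable.',
  generic: 'Move to .env file and add .env to .gitignore.',
};

function isExcluded(filePath) {
  return EXCLUDED_PATHS.some((re) => re.test(filePath));
}

// Returns one finding per offending line. The matched value is deliberately
// not copied into the finding, so lint output does not become a second leak.
function scanFile(filePath, source) {
  if (isExcluded(filePath)) return [];
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    const hit = PATTERNS.find((p) => p.re.test(text));
    if (!hit) return;
    let message;
    if (hit.kind === 'dburl') message = 'Database connection string with credentials detected';
    else if (hit.kind === 'generic') message = 'Hardcoded credential found';
    else message = `Hardcoded ${hit.type} found in source code`;
    findings.push({
      file: filePath, line: idx + 1, severity: 'critical',
      rule: 'hardcoded-secrets', type: hit.type, message, fix: FIXES[hit.kind],
    });
  });
  return findings;
}

// Constructed sample mirroring the page's "Bad" example; values are placeholders.
const SAMPLE_SOURCE = [
  "const STRIPE_KEY = 'sk_live_abc123def456';",
  "const OPENAI_KEY = 'sk-proj-abc123def456';",
  "const AWS_SECRET = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY';",
  "const DB_URL = 'postgresql://admin:p@ssw0rd@db.example.com:5432/prod';",
  "const config = { apiKey: 'AIzaSyB-abc123def456', authDomain: 'myapp.firebaseapp.com' };",
  "const stripeKey = process.env.STRIPE_KEY;",
].join('\n');

// Usage: report the constructed sample as if it were src/config.js.
for (const f of scanFile('src/config.js', SAMPLE_SOURCE)) {
  console.log(`${f.file}:${f.line} [${f.severity}] ${f.message} -> ${f.fix}`);
}
```

Run against the sample, the scanner flags the five hardcoded lines and stays silent on the `process.env` line; the same source under a path such as `src/__tests__/config.test.js` or `types/env.d.ts` yields no findings, which is the exclusion behaviour documented above. Keeping the matched value out of the finding is a deliberate choice: lint reports end up in CI logs and chat notifications, which should not become another place the secret is stored.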
Configuration

This rule is enabled by default. To disable it:

.vibertestrc.json

```json
{
  "rules": {
    "hardcoded-secrets": {
      "enabled": false
    }
  }
}
```