criticalsecurity
Exposed API Keys or Secrets
Detects hardcoded API keys, tokens, and secrets in your codebase that could be exploited by attackers.
Why This Is Bad
You left the keys to your house under the doormat. Hackers scan GitHub for these keys to steal your money and access your services.
How To Fix
1. Move this secret to a `.env.local` file
2. Use `process.env.KEY_NAME` to access it
3. Add `.env.local` to your `.gitignore`
4. Revoke and rotate the exposed key immediately
```typescript
// Before (BAD): the secret is a string literal in source, so it is committed
// to version control and visible to anyone who can read the repository
const apiKey = "sk-abc123...";

// After (GOOD): the secret is read from the environment at runtime and never
// appears in the codebase
const apiKey = process.env.OPENAI_API_KEY;
```

When You Pass This Check
Excellent work keeping your API keys hidden! Your secrets are safe.
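To show what this check is looking for, and what the fixed form looks like in practice, here is an added TypeScript example (not the scanner's own code): a small heuristic detector that reports key-shaped string literals assigned in source, and a `requireEnv` loader that fails fast when the variable expected from `.env.local` is missing. The key prefixes in the patterns, the `redact` helper, and the sample source are constructed for this example.

```typescript
interface Finding {
  line: number;      // 1-based line in the scanned source
  variable: string;  // identifier the literal was assigned to
  preview: string;   // redacted literal, safe to print in a report
}
// Key-like literal shapes, constructed for this example; real scanners ship
// far larger, vendor-specific pattern sets.
const SECRET_PATTERNS: RegExp[] = [
  /sk-[A-Za-z0-9]{16,}/,  // "sk-" prefixed key, as in the snippet above
  /AKIA[0-9A-Z]{16}/,     // AWS access key id shape
];
// A string literal assigned to a variable or property: const apiKey = "..."
const ASSIGNMENT = /([A-Za-z_$][\w$]*)\s*[:=]\s*["'`]([^"'`]+)["'`]/;
// Never echo the full secret in scanner output.
function redact(value: string): string {
  return value.length <= 8 ? "****" : `${value.slice(0, 4)}...${value.slice(-2)}`;
}

// Scan source line by line. `process.env.X` is not a string literal, so the
// fixed form is never reported.
function findHardcodedSecrets(source: string): Finding[] {
  const findings: Finding[] = [];
  source.split("\n").forEach((text, i) => {
    const m = ASSIGNMENT.exec(text);
    if (!m) return;
    const variable = m[1] ?? "";
    const literal = m[2] ?? "";
    if (SECRET_PATTERNS.some((p) => p.test(literal))) {
      findings.push({ line: i + 1, variable, preview: redact(literal) });
    }
  });
  return findings;
}

// The "after" form: read from the environment and fail fast if unset, so a
// missing .env.local surfaces at startup instead of as a confusing 401 later.
function requireEnv(name: string, env: Record<string, string | undefined> = process.env): string {
  const value = env[name];
  if (!value) throw new Error(`Missing required environment variable ${name}`);
  return value;
}

// Constructed sample source: two hardcoded keys, one correctly loaded key.
const SAMPLE_SOURCE = [
  'import fetch from "node-fetch";',
  'const apiKey = "sk-abcdefghijklmnopqrstuvwxyz123456";',
  'const awsKey = "AKIAABCDEFGHIJKLMNOP";',
  'const safeKey = process.env.OPENAI_API_KEY;',
].join("\n");
```

Running `findHardcodedSecrets(SAMPLE_SOURCE)` reports lines 2 and 3 with redacted previews and leaves the `process.env` line alone.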
Check If Your Repo Has This Issue
Our free scanner will detect this and 17 other common issues in your codebase.