Potential hardcoded secret
==========================

.. list-table::
   :stub-columns: 1
   :widths: 20 80

   * - Rule ID
     - ``hardcoded_secrets``
   * - Category
     - security
   * - Severity
     - critical

An environment variable name matches a common secret pattern (``API_KEY``, ``TOKEN``, ``PASSWORD``, ``SECRET``) and its value is a literal string rather than a reference to the ``secrets`` context. A literal value is committed in plaintext, visible to anyone who can read the repository, and stays in the git history even after it is removed from the workflow file.

Detection
---------

``pattern_matching`` — Regex or keyword matching on string field values. The variable name is matched against the secret-name patterns above; the value is then checked for a ``${{ ... }}`` expression. A value with no expression is treated as a literal. Because the match is on the name only, variables such as a token endpoint URL can be reported as well; review each finding before suppressing it.

Examples
--------

**Non-compliant:**

.. code-block:: yaml

   jobs:
     deploy:
       env:
         API_KEY: "sk-prod-abc123def456"
         DB_PASSWORD: "MyP@ssw0rd!"
       steps:
         - run: ./deploy.sh

**Compliant:**

.. code-block:: yaml

   jobs:
     deploy:
       env:
         API_KEY: ${{ secrets.API_KEY }}
         DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
       steps:
         - run: ./deploy.sh

**Fix**: Store secrets in GitHub repository or environment secrets and reference them with ``${{ secrets.SECRET_NAME }}``. Rotate any secrets that were previously hardcoded: removing the literal from the file does not remove it from the repository history, so treat the old value as compromised.
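The following is an added illustration of the detection logic described above, not the linter's own implementation. It walks an already-parsed workflow (a nested ``dict``, as a YAML loader would produce it; the sample workflows are constructed inline so the example runs offline) and reports every workflow-, job- or step-level ``env`` entry whose name matches a secret pattern and whose value carries no ``${{ ... }}`` expression. The ``PASSWD`` and ``PRIVATE_KEY`` aliases, the location paths and the finding dictionary layout are assumptions made for this example.

```python
"""Added example (not the linter's own code): flag secret-like env vars whose
value is a literal rather than a ``${{ secrets.* }}`` reference."""
import re
from typing import Any, Iterator

# Name patterns from the rule description; PASSWD and PRIVATE_KEY are extra
# aliases assumed for this example.
SECRET_NAME_RE = re.compile(
    r"(API_KEY|TOKEN|PASSWORD|PASSWD|SECRET|PRIVATE_KEY)", re.IGNORECASE
)
# Any GitHub Actions expression (``${{ secrets.X }}``, ``${{ env.X }}`` ...)
# means the value is resolved at run time, not stored in the file.
EXPRESSION_RE = re.compile(r"\$\{\{.*?\}\}", re.DOTALL)


def is_literal_secret(name: str, value: Any) -> bool:
    """True when *name* looks like a secret and *value* is a literal."""
    if not SECRET_NAME_RE.search(name):
        return False
    if isinstance(value, str):
        # Empty strings are placeholders, not leaked credentials.
        return value.strip() != "" and not EXPRESSION_RE.search(value)
    # YAML may parse an unquoted numeric password as int; still a literal.
    return value is not None


def iter_env_blocks(workflow: dict) -> Iterator[tuple[str, dict]]:
    """Yield (location, env mapping) for workflow-, job- and step-level env."""
    if isinstance(workflow.get("env"), dict):
        yield "env", workflow["env"]
    for job_id, job in (workflow.get("jobs") or {}).items():
        if not isinstance(job, dict):
            continue
        if isinstance(job.get("env"), dict):
            yield f"jobs.{job_id}.env", job["env"]
        for i, step in enumerate(job.get("steps") or []):
            if isinstance(step, dict) and isinstance(step.get("env"), dict):
                yield f"jobs.{job_id}.steps[{i}].env", step["env"]


def find_hardcoded_secrets(workflow: dict) -> list[dict]:
    """Return one finding per literal secret-like env var in *workflow*."""
    findings = []
    for location, env in iter_env_blocks(workflow):
        for name, value in env.items():
            if is_literal_secret(str(name), value):
                findings.append({
                    "rule": "hardcoded_secrets",
                    "severity": "critical",
                    "path": f"{location}.{name}",
                    "message": (f"{name} is a literal value; reference "
                                f"${{{{ secrets.{name} }}}} instead"),
                })
    return findings


# Constructed sample input mirroring the page's non-compliant example, with an
# extra step-level token and a non-secret variable to show what is skipped.
NON_COMPLIANT = {
    "jobs": {"deploy": {
        "env": {"API_KEY": "sk-prod-abc123def456",
                "DB_PASSWORD": "MyP@ssw0rd!",
                "REGION": "us-east-1"},
        "steps": [{"run": "./deploy.sh",
                   "env": {"NPM_TOKEN": "npm_0123456789"}}],
    }}
}
# Constructed sample mirroring the page's compliant example.
COMPLIANT = {
    "jobs": {"deploy": {
        "env": {"API_KEY": "${{ secrets.API_KEY }}",
                "DB_PASSWORD": "${{ secrets.DB_PASSWORD }}"},
        "steps": [{"run": "./deploy.sh"}],
    }}
}

if __name__ == "__main__":
    for finding in find_hardcoded_secrets(NON_COMPLIANT):
        print(f"[{finding['severity']}] {finding['path']}: {finding['message']}")
    print("compliant findings:", find_hardcoded_secrets(COMPLIANT))
```

In a real linter the ``dict`` would come from a YAML parser applied to each file under ``.github/workflows/``; the walk deliberately covers step-level ``env`` blocks because secrets are as often pasted next to a single ``run:`` step as at the job level.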