Potential hardcoded secret¶
| Rule ID | |
|---|---|
| Category | security |
| Severity | critical |
An environment variable name matches a common secret pattern (API_KEY, TOKEN, PASSWORD, SECRET) and its value is a literal string rather than a reference to a stored secret (for example `${{ secrets.NAME }}`). A literal value is committed to the repository in plain text, visible to anyone who can read the workflow file or the git history.
Detection¶
pattern_matching — Regex or keyword matching on string field values.
Examples¶
Non-compliant:

```yaml
jobs:
  deploy:
    env:
      API_KEY: "sk-prod-abc123def456"
      DB_PASSWORD: "MyP@ssw0rd!"
    steps:
      - run: ./deploy.sh
```

Compliant:

```yaml
jobs:
  deploy:
    env:
      API_KEY: ${{ secrets.API_KEY }}
      DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
    steps:
      - run: ./deploy.sh
```
Fix: Store secrets in GitHub repository or environment secrets and reference them with `${{ secrets.SECRET_NAME }}`. Rotate any secret that was ever hardcoded: removing the literal from the workflow does not remove it from the repository's git history, so the old value must be treated as compromised.
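The detection described above (a name pattern on the variable, a literal-versus-reference test on its value) can be implemented with a small line-based scan of the workflow YAML. The following is an added example written for this page, not the linter's own code: it uses only the standard library (no YAML parser), tracks `env:` mappings by indentation, and treats the four name patterns listed above as the secret-name set (an assumption of this example; a real rule would carry a longer, configurable list). The sample workflow is constructed for the example and combines the non-compliant and compliant cases with two negative controls. Findings are redacted so the scanner never echoes a suspected secret in full.

```python
import re

# Names the rule treats as secret-bearing. This mirrors the page's four patterns
# and is an assumption of this example, not the linter's own list.
SECRET_NAME_RE = re.compile(r"API_KEY|TOKEN|PASSWORD|SECRET", re.IGNORECASE)
# Values that reference a secret or variable rather than embedding one:
# ${{ secrets.X }} / ${{ vars.X }} / ${{ env.X }} expressions, $VAR and ${VAR}.
REFERENCE_RE = re.compile(r'^[\'"]?\$(\{\{.*\}\}|\w+|\{\w+\})[\'"]?$')
# A YAML "key: value" line; list items ("- run: ...") deliberately do not match.
KEY_VALUE_RE = re.compile(r"^(\s*)([A-Za-z_][A-Za-z0-9_]*):\s*(.*?)\s*$")
# Literal values that match a secret-like name but cannot be a secret.
BENIGN_VALUES = {"", "true", "false", "0", "1"}


def redact(value):
    """Keep only a short prefix so findings do not leak the secret itself."""
    v = value.strip("'\"")
    return v[:4] + "..." if len(v) > 4 else "..."


def find_hardcoded_secrets(workflow_text):
    """Return (line_number, name, redacted_value) for literal secret-like env values."""
    findings = []
    env_indent = None  # indentation of the env: key we are currently inside
    for lineno, raw in enumerate(workflow_text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        # Any line at or above the env: key's indentation ends that mapping.
        if env_indent is not None and indent <= env_indent:
            env_indent = None
        m = KEY_VALUE_RE.match(raw)
        if not m:
            continue
        key, value = m.group(2), m.group(3)
        value = re.sub(r"\s+#.*$", "", value)  # drop a trailing YAML comment
        if env_indent is None:
            if key == "env" and value == "":
                env_indent = indent  # entering a workflow-, job- or step-level env block
            continue
        if not SECRET_NAME_RE.search(key):
            continue
        if value.strip("'\"").lower() in BENIGN_VALUES or REFERENCE_RE.match(value):
            continue
        findings.append((lineno, key, redact(value)))
    return findings


# Constructed sample: the page's two examples plus two negative controls.
SAMPLE_WORKFLOW = """\
name: deploy
on: [push]
jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      API_KEY: "sk-prod-abc123def456"      # literal: finding
      DB_PASSWORD: "MyP@ssw0rd!"           # literal: finding
      GH_TOKEN: ${{ secrets.GH_TOKEN }}    # secret reference: ok
      NODE_ENV: production                 # name does not match: ok
      ENABLE_SECRET_SCAN: "true"           # benign literal: ok
    steps:
      - run: ./deploy.sh
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""

if __name__ == "__main__":
    for lineno, name, shown in find_hardcoded_secrets(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {name} is a literal value ({shown}); use ${{{{ secrets.{name} }}}}")
```

Two of the five `env` entries are reported (`API_KEY` and `DB_PASSWORD`); the reference, the non-matching name and the boolean literal are not. Because matching is purely textual, a name such as `ENABLE_SECRET_SCAN` set to a non-benign literal would still be flagged, which is the expected trade-off for a pattern-matching rule and the reason a real implementation exposes an allow-list.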