Critiq Docs
Get started
security.secrets

Hardcoded API keys or credentials

Source files should not embed credential-like string literals.

#Metadata

Rule ID
security.no-hardcoded-credentials
Severity
critical
Confidence
0.95
Languages
go, java, javascript, php, python, ruby, rust, typescript
Presets
recommended, security, strict
Stability
stable
Applies to
file
Tags
credentials, rules-catalog, secrets, security

#Why it matters

Hardcoded credentials are difficult to rotate and are easily leaked through source control.

#Remediation

Move the secret to a secure runtime secret store or environment-backed config path.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/shared/security.no-hardcoded-credentials.rule.yaml.

Back to registryOpen rule in repository