HighFile-scopeRuby Plug & play

Externalize URLs and API keys to configuration

Read API URLs/keys from ENV/credentials and inject where needed; do not hardcode.

Why this matters

Supports multiple environments and keeps secrets out of code.

Side-by-side examples engineers can pattern-match during review.

Avoid

API_URL = "https://api.example.com"

Prefer

API_URL = ENV.fetch("API_URL")

Bad

KEY = "abcd"

Good

Rails.application.credentials.dig(:service, :key)

From the same buckets as this rule.

High
Add explicit environment variable checks
Validate required runtime env vars at container start via an entrypoint script; exit with a clear message on missing values.
config-environmentcontainer-docker-hygiene+1
High
Encrypt PII at rest using application-layer crypto
Encrypt sensitive columns (e.g., email, phone) with managed keys; ensure DB connection enforces TLS. Store only ciphertext; compare via deterministic token/hashes when needed. (GDPR Art. 32)
compliance-gdprsecurity-hardening+1
High
Enforce retention with explicit TTL per data category
PII tables must include an expires_at (or retention_policy) column and a scheduled deletion/archival job aligned to data category. No indefinite retention. (GDPR Art. 5(1)(e))
compliance-gdprprivacy-pii+2