HighFile-scopePHP Plug & play

Do Not Expose Sensitive Credentials in Source Code

Avoid hard‐coding credentials or sensitive information (like DB passwords, API tokens or secret keys) directly in your code. Use separate configuration files or environment variables to manage these values securely.

Add to Mesrai Open workspace

Why this matters

Embedded credentials can be accidentally exposed (e.g., in public repos), compromising system security. Storing them externally and referencing them securely prevents critical data leaks.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

<?php
$dbuser = 'admin';
$dbpass = 'secret123';
$conn = new PDO('mysql:host=localhost;dbname=test', $dbuser, $dbpass);
?>

Prefer

<?php
$dbuser = getenv('DB_USER');
$dbpass = getenv('DB_PASS');
$conn = new PDO('mysql:host=localhost;dbname=test', $dbuser, $dbpass);
?>

More snippets

Bad

<?php
$dbuser = 'admin';
$dbpass = 'secret123';
$conn = new PDO('mysql:host=localhost;dbname=test', $dbuser, $dbpass);
?>

Good

<?php
$dbuser = getenv('DB_USER');
$dbpass = getenv('DB_PASS');
$conn = new PDO('mysql:host=localhost;dbname=test', $dbuser, $dbpass);
?>

Related rules

From the same buckets as this rule.

Critical
Encrypt sensitive data at rest with KMS and rotate keys
Use envelope encryption (AES-256-GCM) with cloud KMS-managed CMKs for databases, object storage, and backups. Rotate CMKs at least annually and rotate DEKs per object/file.
compliance-soc2-essentialssecrets-credentials+1
Critical
Pulumi TS: secrets must use Config.requireSecret
In Pulumi TypeScript programs, load sensitive values with new Config().requireSecret and pass as Secret<T>, never plain strings.
infra-as-codesecrets-credentials+1
Critical
Use a secrets manager and 90-day rotation policy
All credentials (API keys, DB passwords, tokens) must be stored in a secrets manager with automatic rotation ≤ 90 days; forbid hardcoded or .env-committed secrets via CI checks.
compliance-soc2-essentialssecrets-credentials+1

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

<?php
$dbuser = 'admin';
$dbpass = 'secret123';
$conn = new PDO('mysql:host=localhost;dbname=test', $dbuser, $dbpass);
?>

Prefer

<?php
$dbuser = getenv('DB_USER');
$dbpass = getenv('DB_PASS');
$conn = new PDO('mysql:host=localhost;dbname=test', $dbuser, $dbpass);
?>

More snippets

Bad

<?php
$dbuser = 'admin';
$dbpass = 'secret123';
$conn = new PDO('mysql:host=localhost;dbname=test', $dbuser, $dbpass);
?>

Good

<?php
$dbuser = getenv('DB_USER');
$dbpass = getenv('DB_PASS');
$conn = new PDO('mysql:host=localhost;dbname=test', $dbuser, $dbpass);
?>

Related rules

From the same buckets as this rule.

Critical

Encrypt sensitive data at rest with KMS and rotate keys

Use envelope encryption (AES-256-GCM) with cloud KMS-managed CMKs for databases, object storage, and backups. Rotate CMKs at least annually and rotate DEKs per object/file.

compliance-soc2-essentialssecrets-credentials+1

Critical

Pulumi TS: secrets must use Config.requireSecret

In Pulumi TypeScript programs, load sensitive values with new Config().requireSecret and pass as Secret<T>, never plain strings.

infra-as-codesecrets-credentials+1

Critical

Use a secrets manager and 90-day rotation policy

All credentials (API keys, DB passwords, tokens) must be stored in a secrets manager with automatic rotation ≤ 90 days; forbid hardcoded or .env-committed secrets via CI checks.

compliance-soc2-essentialssecrets-credentials+1