HighFile-scope Plug & play

Treat suspicious hardcoded tokens/keys as secrets and move them to a secret store

Never hardcode credentials (API keys, tokens, private keys) in source code, configs, or tests. If a string looks like a credential based on context (variable name, header usage, auth flows), treat it as a secret even if it is not high-entropy. Move it to env/secret manager, rotate the credential if it may have leaked, and remove it from git history if necessary.

Add to Mesrai Open workspace

Why this matters

Hardcoded secrets are a common breach vector and often get copied into logs, client bundles, or forks.

Bad vs. good

Side-by-side examples engineers can pattern-match during review.

Avoid

const STRIPE_SECRET_KEY = "sk_live_..."; // committed

Prefer

const stripeKey = process.env.STRIPE_SECRET_KEY; assert(stripeKey); // injected via secrets manager

More snippets

Bad

Authorization: Bearer <hardcoded token>

Good

Read from env/secret manager; no secret literal in repo

Related rules

From the same buckets as this rule.

Critical
Encrypt sensitive data at rest with KMS and rotate keys
Use envelope encryption (AES-256-GCM) with cloud KMS-managed CMKs for databases, object storage, and backups. Rotate CMKs at least annually and rotate DEKs per object/file.
compliance-soc2-essentialssecrets-credentials+1
Critical
Pulumi TS: secrets must use Config.requireSecret
In Pulumi TypeScript programs, load sensitive values with new Config().requireSecret and pass as Secret<T>, never plain strings.
infra-as-codesecrets-credentials+1
Critical
Use a secrets manager and 90-day rotation policy
All credentials (API keys, DB passwords, tokens) must be stored in a secrets manager with automatic rotation ≤ 90 days; forbid hardcoded or .env-committed secrets via CI checks.
compliance-soc2-essentialssecrets-credentials+1

Why this matters

Bad vs. good

More snippets

Related rules

Encrypt sensitive data at rest with KMS and rotate keys

Pulumi TS: secrets must use Config.requireSecret

Use a secrets manager and 90-day rotation policy

Why this matters

Bad vs. good

More snippets

Related rules

Encrypt sensitive data at rest with KMS and rotate keys

Pulumi TS: secrets must use Config.requireSecret

Use a secrets manager and 90-day rotation policy