Will It Vibe?
ARCH-002Medium severity-8 points

No environment-based configuration

Part of Architecture & Best Practices, which counts for 15% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A backend-looking project never reads from environment variables, suggesting config/secrets are hardcoded.

Why it matters

If a backend never reads environment variables, its ports, URLs, and credentials are baked into the code, so every deploy target runs with the same settings unless someone edits source. That is how dev databases end up serving production traffic and how secrets get committed. It also means no config change without a redeploy.

How to fix it

Introduce environment-based config: in Node, read process.env (Next.js loads .env files natively, plain Node can use dotenv); in Python, use os.environ or os.getenv, optionally through pydantic-settings or python-dotenv. Centralize the reads in one config module that validates required values at startup and exports typed settings. Move ports, URLs, database strings, and secrets there, and commit a .env.example listing the names.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Architecture & Best Practices checks