Secret with a hardcoded fallback default
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
A JWT/session/token secret is read from the environment but falls back to a hardcoded string literal when unset, so a misconfigured deploy silently signs tokens with a known value.
Why it matters
Reading a secret from the environment but falling back to a hardcoded literal when it is unset means a deploy that forgets to set the variable silently signs tokens or sessions with a value that is sitting in your source code. Attackers who read the repo know the fallback and can forge tokens against any environment that hit the default. The fallback removes the safety of failing loudly on misconfiguration.
How to fix it
Remove the literal fallback and fail fast when the secret is unset: throw at startup (Node) or raise (Python) so a misconfigured deploy stops instead of running with a known key. Keep real values only in your secret store, and list the variable name in .env.example. If a fallback existed in production, treat that literal as compromised and rotate it.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo