Hardcoded secret in environment block
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
A password/secret/token environment variable is assigned a literal value in the compose file instead of an interpolated variable or a compose secret, so the credential lives in source control.
Why it matters
A password, secret, or token written as a literal value in the compose file lives in source control, so everyone with repo access and every clone and CI log has it. Committed credentials are a common source of breaches, and rotating them later is easy to forget. Even a throwaway development password tends to get promoted to production.
How to fix it
Replace the literal with variable interpolation (${DB_PASSWORD}) and keep the real value in an untracked .env file or your host secret store, or use Compose secrets which mount the value as a file under /run/secrets instead of an environment variable. Add the variable name to a tracked .env.example with a placeholder, and rotate any secret that was already committed.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo