Will It Vibe logoWill It Vibe?
CSHARP-012Medium severity-8 points

Real-looking secret committed in an environment-specific appsettings file

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

An appsettings.Development.json/appsettings.Local.json-style file holds what looks like a real API key, signing key, or password rather than a placeholder. These per-environment files are often assumed to be safe to commit and end up shipping live credentials.

Why it matters

Files like appsettings.Development.json or appsettings.Local.json are often assumed to be safe to commit because they are "just for local development," but a real API key, signing key, or password placed in one of them is exactly as exposed as if it were in appsettings.json: every clone of the repo and everyone with read access has it. These files are also easy to forget when auditing what is safe to commit, since attention usually goes to the production config first.

How to fix it

Replace the literal secret with a placeholder and move the real value into .NET user-secrets (dotnet user-secrets set) for local development, which keeps it outside the repository entirely. If the value was already committed, rotate it, since it must be treated as compromised regardless of how long it has been in history.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks