Cloud provider credential in a config file
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
An AWS access key id (AKIA/ASIA...), an AWS secret/session literal, or an Azure storage account key is written directly into a YAML/JSON/INI/TOML/env config file.
Why it matters
A cloud access key committed in a config file is a live credential the moment the repo is shared, forked, or scraped. Attackers watch public git hosts for AWS and Azure key formats and use found keys to spin up compute, read storage, or pivot into the account. Deleting the line later does not help, since the value stays in git history and the key stays valid until revoked.
How to fix it
Move the credential out of config and read it from the environment or a secret manager (AWS SSM/Secrets Manager, Azure Key Vault, or your host secret store). Locally, keep values in an untracked .env and commit only a .env.example with placeholder names. Then rotate the exposed key with the provider, because the committed value must be treated as compromised.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo