Will It Vibe logoWill It Vibe?
ENVCFG-002High severity-15 points

Real-looking secret value in a committed .env file

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

A password/secret/token/key variable in a tracked .env file holds a concrete high-entropy value instead of an interpolated reference or a placeholder, so the live credential is in source control.

Why it matters

A concrete password or token in a committed .env file is exposed to every collaborator, CI log, and anyone who clones a fork. .env files are meant to be untracked precisely because they hold live secrets. Once one is committed, the value is in history and should be considered leaked.

How to fix it

Untrack the file with git rm --cached, add .env and its variants to .gitignore, and keep only a .env.example with placeholder values. Load real values from your host secret store in production. Rotate every secret the file exposed.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks