Will It Vibe logoWill It Vibe?
ENVCFG-004Medium severity-8 points

Plaintext SMTP or mail credentials in config

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A mail server password is stored as a literal in config (an EMAIL_HOST_PASSWORD-style key or an smtp://user:pass@host URL), so anyone with the repo can send mail as your service.

Why it matters

A mail server password stored in config lets anyone with the repo send email through your account, which is commonly abused for phishing and spam that damages your sending reputation. Providers rarely alert on this, so abuse can run for a long time before it is noticed. The credential also stays in git history after removal.

How to fix it

Read the SMTP password from an environment variable and keep it in your host secret store, with a placeholder in .env.example. Rotate the exposed password with the mail provider. Where the provider supports it, use a scoped API key or app password rather than the account password.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks