PyPI or pip upload credential in config
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
A PyPI API token (pypi-...), a pip index URL with an inline user:password, or a password under a [pypi]/[distutils] section is committed, exposing the account used to publish packages.
Why it matters
A PyPI token or upload password committed in config exposes the account that publishes your Python packages. An attacker with it can push a trojaned release that installs on every consumer. Like other tokens, it remains valid and in git history until revoked.
How to fix it
Do not commit .pypirc or pip index URLs with inline credentials. Use PyPI trusted publishing (OIDC) from CI, or inject a scoped API token as a masked CI secret. Revoke the exposed token in your PyPI account and generate a new, project-scoped one.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo