Will It Vibe logoWill It Vibe?
FASTAPI-017High severity-15 points

Hardcoded fallback value for a secret environment variable

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

os.getenv/os.environ.get reads a secret-shaped variable (SECRET, PASSWORD, API_KEY, TOKEN, ...) with a literal string as the fallback, so that literal ships as a real, guessable credential whenever the variable is unset, which is exactly the failure mode of a deploy that forgets to set it.

Why it matters

os.getenv or os.environ.get on a secret-shaped variable name with a literal string as the fallback means that literal is a real, working credential the moment the environment variable is not set, whether that is a forgotten .env entry, a misconfigured deploy, or a fresh environment someone spun up for testing. Since the fallback lives in source control, anyone with repository access already knows it, and it silently becomes the actual secret in any environment that does not override it.

How to fix it

Remove the literal fallback and let a missing variable fail loudly instead: os.environ["SECRET_KEY"] raises KeyError if unset, which is much safer than quietly running with a known value. If you want a friendlier startup error, check for the variable explicitly at startup and raise a clear configuration error naming which variable is missing.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks