Will It Vibe logoWill It Vibe?
GO-005Medium severity-8 points

Hardcoded credential-shaped literal

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A const or var whose name looks like an API key, secret, token, or password is assigned a literal string in a .go file, so the credential lives in source control for anyone with repository access.

Why it matters

A credential written as a literal string in a .go file is committed to version control the moment the file is committed: every clone, fork, and CI log has it, and removing it later requires rotating the credential, not just deleting the line, because history still holds the old commit. This is one of the most common ways real API keys and tokens end up exposed on public and private repositories alike.

How to fix it

Move the value out of source into an environment variable or a secret manager (Vault, AWS Secrets Manager, a Kubernetes Secret), and read it at startup with os.Getenv or your secret-manager client, failing fast if it is missing. Rotate the credential that was committed, since it must be treated as compromised regardless of whether the repository is private.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks