Secret data embedded in a manifest
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
A Secret manifest carries inline data or stringData in the repo. base64 in data is not encryption, so committing it exposes the value to anyone with repo access.
Why it matters
A Secret manifest with inline data or stringData stores the value in the repository. base64 in the data field is encoding, not encryption, so anyone with repo or manifest access can recover the plaintext. Committed secrets also linger in git history after they are edited out. This check is a heuristic, since some teams use encrypted-secret tooling that produces similar-looking files.
How to fix it
Move the value out of the manifest. Use an external secret store (Vault, AWS or GCP secret managers, or the External Secrets Operator) and reference it, or encrypt the manifest at rest with Sealed Secrets or SOPS so the plaintext is never committed. Rotate any secret that was previously committed, because it is in git history.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo