Will It Vibe logoWill It Vibe?
LARAVEL-010Medium severity-8 points

Hardcoded secret literal in a config/*.php file

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A key/secret/token/password entry in a config/*.php file is a literal string instead of an env() call. Laravel's convention is that config files read secrets from the environment; a literal here means the value is committed to source control and shared by every environment that deploys this code unchanged.

Why it matters

A literal key, secret, token, or password value in a config/*.php file is committed straight to source control, visible to everyone with repository access and to every CI log or build artifact that touches this file. It also means the same value is shared identically across every environment that deploys this code, which defeats the purpose of having separate environments at all.

How to fix it

Replace the literal with an env() call reading from a variable name, for example 'key' => env('SERVICE_API_KEY'), and put the real value only in the untracked .env file for each environment. Add the variable name with a placeholder to .env.example, and rotate the value that was already committed.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks