Real-looking email address in an env example file (heuristic)
Part of Documentation, UX & Accessibility, which counts for 15% of the overall score. When this check fires it deducts 2 points from that category, once per scan, no matter how many places it turns up.
What it detects
A .env.example/.env.sample-style file sets an email-like key to a value that does not match common placeholder shapes (you@example.com and similar). Heuristic: cannot confirm the address is genuinely real.
Why it matters
A committed .env.example file is meant to show which variables exist without exposing real values, so a real-looking email address there suggests it was copied from an actual .env file rather than written as a template. If it is a real address (an employee's personal inbox, a customer's account email, or a live alerting address) it is now in source control and searchable history. This is a heuristic: it flags anything that is not obviously a placeholder like you@example.com, but it cannot confirm the address is genuinely real or sensitive.
How to fix it
Replace the value with an obviously fake placeholder such as you@example.com or admin@example.com. If the real address was committed because it is genuinely needed for local development, move it to an untracked .env file instead and confirm .env is in .gitignore.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo