Will It Vibe logoWill It Vibe?
RAILS-014High severity-15 points

Rails master key committed to source control

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

config/master.key decrypts every value in credentials.yml.enc: database passwords, API keys, secret_key_base. Rails generates a .gitignore entry for it by default, so a master.key present with no matching .gitignore entry is very likely tracked in git history.

Why it matters

config/master.key is the single key that decrypts everything in config/credentials.yml.enc: database passwords, third-party API keys, secret_key_base, whatever the app keeps there. Rails generates it with a .gitignore entry specifically so it never ends up in version control; a master.key with no matching .gitignore entry has almost certainly been committed at some point, and anyone who has ever cloned the repository, or can browse its history, has it.

How to fix it

Add /config/master.key to .gitignore immediately, then treat the existing key as compromised: rotate it with bin/rails credentials:edit (which generates a fresh key and re-encrypts credentials.yml.enc), and separately rotate every credential that was reachable through the old key (database passwords, API keys, secret_key_base). Distribute the new master.key to the team and deployment environments through a secrets manager or CI secret store, never through git.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks