Decrypted Rails credentials committed
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 25 points from that category, once per scan, no matter how many places it turns up.
What it detects
A plaintext config/credentials.yml sits next to config/credentials.yml.enc. The whole point of the encrypted file is that only master.key can read it; a decrypted copy in the repo hands out every secret it protects with no key needed at all.
Why it matters
config/credentials.yml.enc is meant to be unreadable without master.key; a plaintext config/credentials.yml sitting next to it defeats that entirely; everything the encrypted file protects is right there in the clear for anyone with repository access, no key required.
How to fix it
Remove the plaintext config/credentials.yml file. Then rotate every credential it contained, since anyone who has ever had repository access already has them regardless of when the file is deleted. Going forward, edit credentials only through bin/rails credentials:edit, which decrypts to a temporary file, opens it in an editor, and re-encrypts on save without ever leaving a plaintext copy on disk.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo