Will It Vibe logoWill It Vibe?
RUST-007Medium severity-8 points

Hardcoded secret-shaped const/static

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A password/token/key-shaped identifier is bound to a literal string via const/static, so the credential is compiled into the binary and committed to source control. Narrow, Rust-specific anchor: requires the exact `const`/`static NAME: &str = "..."` binding shape, distinct from the generic key/value secret heuristics.

Why it matters

A password, token, or key bound to a const/static string literal is compiled directly into the binary and committed to source control, so anyone with repo access, a clone, or a copy of the compiled artifact can extract it (strings on the binary alone will often reveal it). Rotating a credential that was shipped this way means finding every place the old binary or source snapshot could still exist, which is easy to miss.

How to fix it

Move the value out of source into an environment variable read at startup (std::env::var), a secrets manager, or a config file that is not committed, and load it into the const/static's place at runtime instead of compile time. Add the variable name with a placeholder to a tracked .env.example, and rotate the credential that was already committed since it must be treated as compromised.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks