AWS access key ID (long-lived)
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 25 points from that category, once per scan, no matter how many places it turns up.
What it detects
A long-lived AWS access key ID (AKIA...) was found in source. Paired with its secret, it grants programmatic access to the account.
Why it matters
A long-lived AWS access key ID sits next to its secret in almost every leak, and together they grant programmatic access to the account. Public repositories are scanned for the AKIA prefix within minutes of a push. Attackers use found keys to spin up compute for crypto mining, read S3 data, or pivot deeper into the account.
How to fix it
Move the key ID and secret out of source and read them from the environment or an instance role. For local use keep them in ~/.aws/credentials or an untracked .env; in production prefer IAM roles over static keys entirely. Then deactivate and delete the exposed key in the IAM console, because git history still holds it.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo