Hardcoded credential assignment (heuristic)
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
A secret-named variable (password/secret/token/api_key/...) is assigned a long quoted literal. This is a heuristic: it flags the shape, not a known provider, so it is kept low severity and can occasionally match a non-secret string.
Why it matters
A secret-named variable assigned a long quoted literal is a common way credentials end up in source. This is a heuristic based on the variable name and value length, so it can occasionally flag a non-secret string. When it is a real credential, anyone with repo access can use it, and it persists in git history.
How to fix it
For real secrets, replace the literal with a read from an environment variable or secret store and add the name to .env.example. Rotate the value with its provider. For a false positive (a fixed non-secret constant), rename it or move it so it no longer looks like a credential.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo