Will It Vibe logoWill It Vibe?
SECRET-048Low severity-4 points

Hardcoded credential assignment (heuristic)

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.

What it detects

A secret-named variable (password/secret/token/api_key/...) is assigned a long quoted literal. This is a heuristic: it flags the shape, not a known provider, so it is kept low severity and can occasionally match a non-secret string.

Why it matters

A secret-named variable assigned a long quoted literal is a common way credentials end up in source. This is a heuristic based on the variable name and value length, so it can occasionally flag a non-secret string. When it is a real credential, anyone with repo access can use it, and it persists in git history.

How to fix it

For real secrets, replace the literal with a read from an environment variable or secret store and add the name to .env.example. Rotate the value with its provider. For a false positive (a fixed non-secret constant), rename it or move it so it no longer looks like a credential.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks