Will It Vibe logoWill It Vibe?
SECRET-050Medium severity-8 points

Bearer/Basic authorization literal (heuristic)

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A literal Bearer or Basic authorization token was found in source. This is a heuristic, but a hardcoded token here typically grants API or basic-auth access.

Why it matters

A literal Bearer or Basic authorization token in source usually grants API access or basic-auth access to a service. This is a heuristic, but a hardcoded token here is typically a real credential. It is exposed to anyone with repo access and stays in git history.

How to fix it

Build the Authorization header at runtime from a value read from an environment variable or secret store, rather than embedding the token. Rotate the exposed credential with the service. For Basic auth, prefer a token or key over base64 username:password where the service supports it.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks