no-hardcoded-secrets

Disallow hardcoded API keys and tokens from known providers in string literals

Category: Security | Tier: Free

Why This Matters

AI assistants will cheerfully generate code with real-looking API keys, tokens, and passwords embedded directly in source files. Once committed, a secret stays in git history even after the line is deleted, so anyone with read access to the repository, or to a fork, clone, or CI cache of it, can harvest it. Treat any secret that has ever been committed as compromised and rotate it; removing it from the current tree is not enough.

Bad Code

// API keys and tokens directly in source code: the first has the prefix of a Stripe live secret key, the second the prefix of a GitHub personal access token
const API_KEY = 'sk_live_abc123def456ghi789';
const token = 'ghp_xxxxxxxxxxxxxxxxxxxx';

Good Code

// Load secrets from environment variables (note that process.env.X is undefined when the variable is unset, so check it at startup rather than sending an empty credential)
const API_KEY = process.env.STRIPE_API_KEY;
const token = process.env.GITHUB_TOKEN;
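The following is an added example, not lintmyai's implementation of this rule: a minimal scanner that extracts string literals line by line and flags those matching token prefixes of known providers, plus a fail-fast helper for the environment-variable pattern shown above. The provider list, the minimum lengths, the regex-based literal extraction and the sample source are assumptions chosen for illustration; a real lint rule would walk the AST rather than regex the text.

```javascript
// Added example in the spirit of no-hardcoded-secrets; NOT the lintmyai rule's code.
// Provider prefixes: sk_live_ (Stripe live secret key), ghp_ (GitHub personal
// access token), AKIA (AWS access key ID). Minimum lengths are assumptions.
const KNOWN_TOKEN_PATTERNS = [
  { provider: 'stripe', regex: /^sk_live_[0-9A-Za-z]{16,}$/ },
  { provider: 'github', regex: /^ghp_[0-9A-Za-z]{16,}$/ },
  { provider: 'aws', regex: /^AKIA[0-9A-Z]{16}$/ },
];

// Bodies of single-quoted, double-quoted and template string literals.
// Good enough for one line at a time; an AST walk is the robust approach.
const STRING_LITERAL = /'((?:[^'\\\n]|\\.)*)'|"((?:[^"\\\n]|\\.)*)"|`((?:[^`\\]|\\.)*)`/g;

// Never echo a full secret into lint output or CI logs; keep only the prefix.
function redact(literal) {
  return literal.slice(0, 8) + '...(' + literal.length + ' chars)';
}

// Returns one finding per literal that looks like a known provider token.
function findHardcodedSecrets(source) {
  const findings = [];
  source.split('\n').forEach((text, index) => {
    for (const m of text.matchAll(STRING_LITERAL)) {
      const literal = m[1] ?? m[2] ?? m[3];
      for (const { provider, regex } of KNOWN_TOKEN_PATTERNS) {
        if (regex.test(literal)) {
          findings.push({ line: index + 1, provider, preview: redact(literal) });
        }
      }
    }
  });
  return findings;
}

// The "good" pattern with the check the page's snippet leaves implicit:
// process.env.X is silently undefined when unset, so fail at startup instead.
// `env` is injectable so the helper can be exercised without touching process.env.
function requireEnv(name, env = process.env) {
  const value = env[name];
  if (typeof value !== 'string' || value.length === 0) {
    throw new Error(`Missing required environment variable ${name}`);
  }
  return value;
}

// Constructed sample input, not taken from any real project. The token
// values are made up and intentionally look like the providers' formats.
const SAMPLE_SOURCE = [
  "const API_KEY = 'sk_live_abcdefghijklmnopqrstuvwx';",
  'const token = "ghp_0123456789abcdef0123456789abcdef0123";',
  "const region = 'us-east-1';",
  'const fromEnv = process.env.STRIPE_API_KEY;',
  'const awsKey = `AKIAABCDEFGHIJKLMNOP`;',
  "const prefixOnly = 'sk_live_';",
].join('\n');

function scanSample() {
  return findHardcodedSecrets(SAMPLE_SOURCE);
}

// Expected: lines 1 (stripe), 2 (github) and 5 (aws); line 6 is only a prefix.
for (const f of scanSample()) {
  console.log(`line ${f.line}: hardcoded ${f.provider} credential ${f.preview}`);
}
```

Running the block prints three findings with redacted previews such as `sk_live_...(32 chars)`; the bare prefix on the last line is not flagged, which is the kind of false negative a prefix-based rule accepts to keep noise down.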

Configuration

This rule has no configuration options. It is enabled by default in lintmyai:recommended. By design it matches string literals that look like tokens from known providers, so a secret with no recognisable provider format, or one assembled from several fragments at runtime, will not be flagged; pair it with a repository-wide secret scanner and a pre-commit hook for defence in depth.