Scan for hardcoded secrets and exposed environment variables
Scans codebase for hardcoded secrets, exposed keys, and insecure environment variables.
/plugin marketplace add Rahat-ch/vibe-check
/plugin install rahat-ch-vibe-check@Rahat-ch/vibe-check
Detect hardcoded API keys, tokens, and exposed environment variables.
Usage: /vibe-check:secrets
Search codebase for known secret patterns using Grep:
API Keys & Tokens:
SUPABASE_(ANON|SERVICE_ROLE)_KEY\s*[:=]\s*["'][^"']+["']
OPENAI_API_KEY\s*[:=]\s*["'][^"']+["']
AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY)\s*[:=]\s*["'][^"']+["']
STRIPE_(SECRET|PUBLISHABLE)_KEY\s*[:=]\s*["'][^"']+["']
ANTHROPIC_API_KEY\s*[:=]\s*["'][^"']+["']
Direct Value Patterns:
sk-[A-Za-z0-9]{48} # OpenAI keys
ghp_[A-Za-z0-9]{36} # GitHub PAT
gho_[A-Za-z0-9]{36} # GitHub OAuth
ghu_[A-Za-z0-9]{36} # GitHub user token
ghs_[A-Za-z0-9]{36} # GitHub server token
ghr_[A-Za-z0-9]{36} # GitHub refresh token
-----BEGIN.*PRIVATE KEY----- # Private keys
eyJ[A-Za-z0-9_-]*\.eyJ # JWTs (base64 encoded)
Database Credentials:
DATABASE_URL\s*[:=]\s*["'][^"']+["']
postgres://[^:]+:[^@]+@
mongodb(\+srv)?://[^:]+:[^@]+@
Exclude:
node_modules/
*.test.*, *.spec.*
.vibeignore patterns
Check for tracked .env files:
git ls-files | grep -E '\.env($|\.local|\.production|\.development)'
If any .env files are tracked, flag as CRITICAL.
Also check .gitignore includes:
.env
.env.local
.env.*.local
In Next.js projects, check for risky NEXT_PUBLIC_ usage:
grep -r "NEXT_PUBLIC_" --include="*.ts" --include="*.tsx" --include="*.js"
Flag if NEXT_PUBLIC_ contains:
SECRET
PRIVATE
KEY (except ANON_KEY which is safe for public)
PASSWORD
TOKEN (except refresh patterns)
Entropy analysis:
For strings > 20 chars, calculate Shannon entropy. Flag if > 4.5 bits/char.
Formula: H = -Σ p(x) log2 p(x) where p(x) is frequency of each character.
High-entropy strings are likely secrets even without known patterns.
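A scanner that applies the patterns above together with the entropy rule, added here as an example and not the plugin's own code. It assumes Python 3.8+, collapses the five GitHub token prefixes into one pattern, skips lines carrying the vibe-ignore:secrets comment, and runs over a constructed sample whose values are all placeholders.

```python
import math
import re
from collections import Counter

PATTERNS = {
    "OpenAI key": re.compile(r"sk-[A-Za-z0-9]{48}"),
    "GitHub token": re.compile(r"gh[pousr]_[A-Za-z0-9]{36}"),  # ghp/gho/ghu/ghs/ghr
    "Private key": re.compile(r"-----BEGIN.*PRIVATE KEY-----"),
    "JWT": re.compile(r"eyJ[A-Za-z0-9_-]*\.eyJ"),
    "Postgres URL with password": re.compile(r"postgres://[^:]+:[^@]+@"),
    "Env-style secret assignment": re.compile(
        r"(?:SUPABASE_(?:ANON|SERVICE_ROLE)_KEY|OPENAI_API_KEY|ANTHROPIC_API_KEY"
        r"|AWS_(?:ACCESS_KEY_ID|SECRET_ACCESS_KEY)|STRIPE_(?:SECRET|PUBLISHABLE)_KEY"
        r"|DATABASE_URL)\s*[:=]\s*[\"'][^\"']+[\"']"),
}
IGNORE_MARKER = "vibe-ignore:secrets"  # lines carrying this comment are skipped
ENTROPY_THRESHOLD = 4.5                # bits per char, per the page
QUOTED_LONG = re.compile(r"[\"']([^\"']{21,})[\"']")  # quoted strings > 20 chars

def shannon_entropy(s: str) -> float:
    """H = -sum p(x) log2 p(x), with p(x) the frequency of each character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def scan_line(line: str) -> list:
    """Findings for one source line as (label, matched_text) pairs."""
    if IGNORE_MARKER in line:
        return []
    findings = [(label, m.group(0)) for label, rx in PATTERNS.items()
                if (m := rx.search(line))]
    for quoted in QUOTED_LONG.findall(line):  # catches secrets with no known pattern
        h = shannon_entropy(quoted)
        if h > ENTROPY_THRESHOLD:
            findings.append(("High entropy (%.2f bits/char)" % h, quoted))
    return findings

def scan(text: str) -> list:
    """Scan a file body; returns (line_no, label, matched_text) triples."""
    return [(i, label, m) for i, line in enumerate(text.splitlines(), 1)
            for label, m in scan_line(line)]

# Added example, not the plugin's code. Constructed sample; every value is a placeholder.
SAMPLE = """\
const client = createClient(url, process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY)
SUPABASE_SERVICE_ROLE_KEY = "eyJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoic2VydmljZV9yb2xlIn0.sig"
const pat = "ghp_000000000000000000000000000000000000"  // vibe-ignore:secrets
const greeting = "hello world, this is not a secret at all"
"""
```

Running scan(SAMPLE) reports only line 2, once for the JWT shape and once for the env-style assignment; the ignored line and the low-entropy English sentence produce nothing.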
Check if gitleaks is installed:
which gitleaks
If available, run:
gitleaks detect --source . --report-format json --report-path /tmp/gitleaks.json
Parse and include results.
Report each finding in this format:
[CRITICAL] Hardcoded Supabase Service Key
File: src/lib/supabase.ts:15
Found: SUPABASE_SERVICE_ROLE_KEY = "eyJ..."
Risk: Service key has full database access, bypasses RLS
Fix:
1. Remove from source code immediately
2. Add to .env.local (not committed)
3. Rotate the key in Supabase dashboard
4. Use NEXT_PUBLIC_SUPABASE_ANON_KEY for client-side
Respect // vibe-ignore:secrets comments and the .vibeignore file.