Skill

hardcoded-secrets

Flags hardcoded secrets like API keys, passwords, tokens, connection strings, and private keys in code, configs, env scripts, and tests. Recommends secure loading from env vars or secrets managers with fail-fast checks.

security

npx claudepluginhub thejefflarson/soundcheck --plugin soundcheck

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Protects against credentials, API keys, and secrets embedded directly in source code.

SKILL.md

Similar Skills

Secret Scanning

Detects hardcoded secrets, API keys, credentials, tokens, and private keys in source code and git history using regex patterns for pentesting and code reviews.

vuln-scout

hardcoded-credential-finder

2.0k

Detects hardcoded credentials in codebases using Read, Grep, and Bash(npm:*) tools. Provides step-by-step guidance, best practices, and remediation for security audits.

4 tools

jeremylongshore-claude-code-plugins-plus-skills

memstack-security-secrets-scanner

307

Scans codebases for hardcoded secrets, API keys (Stripe, Supabase, AWS, GitHub, Slack), bearer tokens, passwords, private keys, and base64 secrets using grep regex patterns on JS/TS/JSON/YAML files.

memstack

Stats

Stars13

Forks0

Last CommitApr 18, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Hardcoded Secrets Security Check (CWE-798)

What this checks

Protects against credentials, API keys, and secrets embedded directly in source code. Hardcoded secrets end up in version control history, build artifacts, and container images. Once committed, secrets are effectively public — even if the commit is reverted, the secret remains in git history.

Vulnerable patterns

API_KEY = "sk_live_abc123..." — production API key in source
password = "admin123" — hardcoded password
conn_str = "postgresql://user:pass@host/db" — credentials in connection string
private_key = "-----BEGIN RSA PRIVATE KEY-----\n..." — embedded private key
token = "ghp_xxxx..." — GitHub personal access token in code

Fix immediately

Flag the hardcoded secret and explain the risk. Then suggest a fix that establishes these properties:

Secrets are loaded from outside the source tree. Environment variable, secrets manager (AWS Secrets Manager, HashiCorp Vault, 1Password), KMS, or OS keystore. No string literal that resembles a real credential appears in source — not in code, not in config files, not in test fixtures.
Missing secrets fail loudly at load time, not silently at first use. A getenv("API_KEY") with no fallback, a required-field check, or an early fatal log guarantees a misconfigured deploy crashes immediately rather than running with an empty string that mysteriously fails later.
Test fixtures use obviously fake values — test_key_DO_NOT_USE, sk_test_FAKE, changeme — that cannot be mistaken for production credentials and will never unlock a real service if leaked.
Rotation does not require a code change. If rotating the credential means editing source and redeploying, the secret is effectively hardcoded even if it's technically loaded through a constant. Rotation happens by updating the external store and restarting.

Anchor — shape, not implementation:

API_KEY = require_env("API_KEY")       # fail fast if missing
DB_URL  = secrets_manager.get("db/primary")
# no string literal matching /sk_live_|ghp_|AKIA[0-9A-Z]{16}|-----BEGIN/ in source

Verification

No string literal in the code resembles a production API key, password, token, private key, or connection string with embedded credentials
All credentials are loaded from environment variables, secrets managers, or encrypted configuration — never from source code
Test fixtures use obviously fake values (e.g., test_key_DO_NOT_USE) that cannot be mistaken for real credentials

References

CWE-798 (Use of Hard-coded Credentials)
CWE-259 (Use of Hard-coded Password)