rust.hardcoded_secrets

Security Critical

Detects hardcoded secrets, API keys, and passwords in source code.

Hardcoded secrets:

  • Security breach — Secrets exposed in repos
  • Rotation failure — Can’t change without deploy
  • Compliance violation — Fails security audits
```rust
// ❌ Before (hardcoded secrets): the values live in the binary and in git history
const API_KEY: &str = "sk_live_abc123xyz";
const DB_PASSWORD: &str = "super_secret_password";

// ✅ After (environment variables): the values are injected at runtime
use std::env;

fn get_api_key() -> String {
    // Fails fast at startup if the variable is missing
    env::var("API_KEY").expect("API_KEY must be set")
}

fn get_db_password() -> String {
    env::var("DATABASE_PASSWORD").expect("DATABASE_PASSWORD must be set")
}
```
Patterns the rule flags:

  • String literals matching API key patterns
  • Password-like constants
  • AWS keys, JWT tokens, private keys

Unfault can automatically convert flagged constants into environment variable lookups like the ones shown above.
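As an added example (not Unfault's own implementation and not code from the original page), the following Rust shows both halves of what this rule covers: a line-based scanner that flags the patterns listed above (the `sk_live_` prefix from the page, `AKIA`-prefixed AWS access key IDs, JWT-shaped literals, PEM private key headers, and password-like constants) against a constructed sample source, and a `Secret` wrapper loaded from the environment that returns an error instead of panicking and redacts itself in `Debug` output. The checks, thresholds and names (`classify`, `scan`, `secret_from_lookup`, `SAMPLE_SOURCE`) are assumptions made for illustration; a real detector would tokenise properly and add entropy checks.

```rust
use std::env;
use std::fmt;

/// One hit from the constructed scanner below (line numbers are 1-based).
#[derive(Debug, PartialEq, Eq)]
pub struct Finding {
    pub line: usize,
    pub reason: &'static str,
}

/// Returns the first double-quoted string literal on a single line, if any.
fn string_literal(line: &str) -> Option<&str> {
    let start = line.find('"')?;
    let rest = &line[start + 1..];
    let end = rest.find('"')?;
    Some(&rest[..end])
}

/// True when the left-hand side is a const/static/let binding whose name
/// suggests a credential (KEY, PASSWORD, SECRET, TOKEN).
fn secret_like_name(line: &str) -> bool {
    let lhs = line.split('=').next().unwrap_or("").trim_start().to_ascii_uppercase();
    let is_binding = lhs.starts_with("CONST ") || lhs.starts_with("STATIC ") || lhs.starts_with("LET ");
    is_binding && ["KEY", "PASSWORD", "SECRET", "TOKEN"].iter().any(|w| lhs.contains(*w))
}

/// Classifies one source line. Value-shaped checks run first because they are
/// more specific; the name-based check catches generic password constants.
pub fn classify(line: &str) -> Option<&'static str> {
    let lit = string_literal(line)?;
    if lit.starts_with("sk_live_") || lit.starts_with("sk_test_") {
        return Some("API key prefix in string literal");
    }
    if lit.starts_with("AKIA") && lit.len() == 20 {
        return Some("AWS access key ID");
    }
    if lit.starts_with("eyJ") && lit.matches('.').count() == 2 {
        return Some("JWT in string literal");
    }
    if lit.contains("PRIVATE KEY-----") {
        return Some("embedded private key");
    }
    if secret_like_name(line) && lit.len() >= 8 {
        return Some("password-like constant");
    }
    None
}

/// Scans a whole source text and reports every line that trips a check.
pub fn scan(source: &str) -> Vec<Finding> {
    source
        .lines()
        .enumerate()
        .filter_map(|(i, l)| classify(l).map(|reason| Finding { line: i + 1, reason }))
        .collect()
}

/// Constructed sample input: the page's two "before" lines plus a few more
/// (all values are made up for this example).
pub const SAMPLE_SOURCE: &str = r#"const API_KEY: &str = "sk_live_abc123xyz";
const DB_PASSWORD: &str = "super_secret_password";
static AWS_ACCESS_KEY_ID: &str = "AKIAEXAMPLEEXAMPLE00";
let token = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl";
const PEM: &str = "-----BEGIN RSA PRIVATE KEY-----";
fn get_api_key() -> String { env::var("API_KEY").expect("API_KEY must be set") }
let greeting = "hello";"#;

/// Wrapper that keeps a loaded secret out of Debug output and logs.
pub struct Secret(String);

impl fmt::Debug for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("Secret([redacted])")
    }
}

impl Secret {
    /// Explicit accessor so every use of the raw value is visible in review.
    pub fn expose(&self) -> &str {
        &self.0
    }
}

/// Loads a secret through any lookup function, rejecting unset or empty values.
pub fn secret_from_lookup<F>(name: &str, lookup: F) -> Result<Secret, String>
where
    F: Fn(&str) -> Option<String>,
{
    match lookup(name) {
        Some(v) if !v.is_empty() => Ok(Secret(v)),
        Some(_) => Err(format!("{} is set but empty", name)),
        None => Err(format!("{} must be set", name)),
    }
}

/// The "after" form from the page, but returning an error instead of panicking.
pub fn secret_from_env(name: &str) -> Result<Secret, String> {
    secret_from_lookup(name, |n| env::var(n).ok())
}

fn main() {
    for f in scan(SAMPLE_SOURCE) {
        println!("line {}: {}", f.line, f.reason);
    }
    match secret_from_env("DATABASE_PASSWORD") {
        Ok(s) => println!("loaded {:?} ({} bytes)", s, s.expose().len()),
        Err(e) => println!("config error: {}", e),
    }
}
```

Run it with `cargo run` or `rustc`; it prints one finding per flagged line (lines 1 to 5 of the sample, not the `env::var` call or the harmless greeting) and then reports a config error unless `DATABASE_PASSWORD` is set. Taking the lookup as a closure keeps the loader testable without mutating the process environment, and the `expose()` accessor makes every place the raw value is used easy to find in review.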