typescript.hardcoded_secrets

Security Critical

Detects hardcoded API keys, passwords, and other secrets.

Hardcoded secrets are easily exposed:

  • Git history — Secrets remain even after deletion
  • Bundle exposure — Frontend code ships secrets to browsers
  • Log leakage — Secrets appear in error messages
  • No rotation — Changing requires code changes

```typescript
// ❌ Before: literal secrets live in source, in git history and in any shipped bundle
const API_KEY = "sk_live_abc123xyz";
const client = new Stripe("sk_live_abc123xyz");
const DB_URL = "postgres://user:password@host/db";

// ✅ After: values are read from the environment at runtime
const API_KEY = process.env.STRIPE_API_KEY;
const client = new Stripe(process.env.STRIPE_API_KEY!);
const DB_URL = process.env.DATABASE_URL;
```

What the rule flags:

  • Variables named secret, password, key, token that are assigned a literal value
  • String literals matching known API key patterns
  • Connection strings that embed credentials
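As an added example (not Unfault's own implementation), the TypeScript scanner below applies the three heuristics above to source text; the regular expressions and the key prefixes it recognises (the page's sk_live_ style and an AWS-style AKIA prefix) are assumptions chosen for illustration, and the sample input is constructed from the "before" snippet.

```typescript
// Added example, not Unfault's code: a minimal scanner applying the three
// heuristics above to source text. Patterns are assumptions for illustration.
interface Finding {
  line: number;
  reason: "suspicious-name" | "api-key-pattern" | "connection-string";
  text: string;
}

// 1. A variable whose name hints at a secret, assigned a string literal.
//    (Substring match: "monkey" would trip "key"; real rules need tokenizing.)
const SUSPICIOUS_NAME =
  /\b(?:const|let|var)\s+\w*(?:secret|password|passwd|token|key)\w*\s*=\s*["'`][^"'`]+["'`]/i;

// 2. String literals shaped like known API key formats
//    (Stripe-style sk_live_/sk_test_ and AWS-style AKIA prefixes, as examples).
const API_KEY_PATTERN = /["'`](?:sk_(?:live|test)_[A-Za-z0-9]{8,}|AKIA[0-9A-Z]{16})["'`]/;

// 3. A scheme://user:password@host connection string carrying credentials.
const CONNECTION_STRING = /["'`][a-z][a-z0-9+.-]*:\/\/[^\s"'`:@\/]+:[^\s"'`@\/]+@[^\s"'`]+["'`]/i;

function scanSource(source: string): Finding[] {
  const findings: Finding[] = [];
  source.split(/\r?\n/).forEach((text, idx) => {
    const line = idx + 1;
    // Lines that read from the environment are already the fixed form; skip them.
    if (/process\.env/.test(text)) return;
    if (CONNECTION_STRING.test(text)) {
      findings.push({ line, reason: "connection-string", text });
    } else if (API_KEY_PATTERN.test(text)) {
      findings.push({ line, reason: "api-key-pattern", text });
    } else if (SUSPICIOUS_NAME.test(text)) {
      findings.push({ line, reason: "suspicious-name", text });
    }
  });
  return findings;
}

// Constructed sample mirroring the "before" snippet, plus one fixed and one clean line.
const SAMPLE = [
  'const API_KEY = "sk_live_abc123xyz";',
  'const client = new Stripe("sk_live_abc123xyz");',
  'const DB_URL = "postgres://user:password@host/db";',
  'const LOG_LEVEL = process.env.LOG_LEVEL || "info";',
  'const greeting = "hello";',
].join("\n");

console.log(scanSource(SAMPLE)); // 3 findings: lines 1 and 2 (api-key-pattern), line 3 (connection-string)
```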

Unfault replaces hardcoded values with process.env lookups.

```typescript
// Required variables (fail fast): throw at startup instead of failing later with an empty key
function getRequired(name: string): string {
  const value = process.env[name];
  if (!value) {
    throw new Error(`Missing required env var: ${name}`);
  }
  return value;
}
const apiKey = getRequired('API_KEY');

// With defaults (optional): suitable for non-secret settings only
const logLevel = process.env.LOG_LEVEL || 'info';
```

```typescript
// Using libraries: validate the whole environment once; parse() throws on missing or malformed values
import { z } from 'zod';

const env = z.object({
  API_KEY: z.string(),
  DATABASE_URL: z.string().url(),
}).parse(process.env);
```