SEC001errorFree tier

hardcoded-secret

Hardcoded secrets in code can be leaked and are hard to rotate

Applies to: C#, Go, JSON, JavaScript, Python, Ruby, Rust, TypeScript, YAML, dotenv

Why this matters

Hardcoding passwords or API keys in your code is dangerous. Anyone who sees your code (including in git history) can see your secrets. Use environment variables or a secrets manager instead.

Catch it before it ships

pip install stablestack # or: npx stablestackstablestack # scans your project, SEC001 includedstablestack explain SEC001

False positive in your codebase? Suppress a single line with # noqa: SEC001