hardcoded-secret
Hardcoded secrets in code can be leaked and are hard to rotate
Applies to: C#, Go, JSON, JavaScript, Python, Ruby, Rust, TypeScript, YAML, dotenv
Why this matters
Hardcoding passwords or API keys in your code is dangerous. Anyone who sees your code (including in git history) can see your secrets. Use environment variables or a secrets manager instead.
Catch it before it ships
pip install stablestack # or: npx stablestackstablestack # scans your project, SEC001 includedstablestack explain SEC001False positive in your codebase? Suppress a single line with # noqa: SEC001
More Security checks
sql-injection
SQL queries built with string concatenation are vulnerable to injection
SEC003eval-usage
eval() executes arbitrary code and is a security risk
SEC004insecure-random
Non-cryptographic random is predictable and insecure for tokens/passwords
SEC005inner-html-xss
Direct innerHTML assignment can lead to XSS vulnerabilities
SEC006webhook-security-bypass
Webhook signature verification should never be skipped
SEC007oauth-state-validation
OAuth callback missing state parameter validation
SEC008plaintext-secrets
Sensitive tokens stored without encryption in database schema
SEC009email-header-injection
User input in email headers may allow header injection