Never commit secrets

Private cryptographic keys, certificates with private keys, and other secrets must never be committed to source code repositories, even in test or spec files. This is a critical security vulnerability that could lead to unauthorized access, impersonation, or system compromise.

copy reviewer prompt

Prompt

Reviewer Prompt
Deploy Agent

Private cryptographic keys, certificates with private keys, and other secrets must never be committed to source code repositories, even in test or spec files. This is a critical security vulnerability that could lead to unauthorized access, impersonation, or system compromise.

When finding private keys in code like this:

-----BEGIN CERTIFICATE-----
MIIDRDCCAiygAwIBAgIBAzANBgkqhkiG9w0BAQsFADA4MQswCQYDVQQGEwJVUzEQ
...certificate content...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
... private key content ...

Take immediate action:

  1. Revoke the exposed keys to invalidate them
  2. Generate new keys/credentials to replace the compromised ones
  3. Remove all secrets from the codebase
  4. Implement secure secret management

Security best practices for handling secrets:

  • Use environment variables for sensitive information
  • Implement dedicated secret management tools (HashiCorp Vault, AWS Secrets Manager, etc.)
  • For test environments, use clearly marked dummy values or mock security components
  • Add secret detection to CI/CD pipelines and pre-commit hooks
  • Include secret files in .gitignore to prevent accidental commits

Properly managing cryptographic material ensures your systems remain secure and prevents costly security incidents resulting from leaked credentials.

Source discussions