Hardcoded secrets
Hardcoded API keys, tokens, and secrets committed to source code. The most common vulnerability we see in AI-generated apps — and the one most likely to end up scraped from a public GitHub repo.
What this rule detects
VC001 finds string literals that look like real credentials: AWS access keys (AKIA...), GitHub tokens (ghp_...), Stripe keys (sk_live_...), Slack tokens, OpenAI keys, generic API keys with high entropy. The check runs against source files committed to your repo — anything matching a known credential format is flagged. Entropy analysis catches keys that don't match a known prefix but look statistically random.
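The two detection paths described above (known credential prefixes, then an entropy fallback) as an added example; this is not XploitScan's own code, and the pattern list, the 4.0 bits/char threshold and the sample lines are assumptions constructed for illustration:

```javascript
// Added example, not XploitScan's code: a minimal VC001-style detector that
// pairs known credential prefixes with an entropy fallback (thresholds assumed).
const KNOWN_PREFIXES = [
  { kind: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { kind: "github-token", re: /\bghp_[A-Za-z0-9]{36}\b/ },
  { kind: "stripe-live-key", re: /\bsk_live_[A-Za-z0-9]{24,}\b/ },
  { kind: "openai-key", re: /\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b/ },
];
const ENTROPY_THRESHOLD = 4.0; // bits per char; 31 distinct chars give ~4.95

// Shannon entropy in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) h -= (n / s.length) * Math.log2(n / s.length);
  return h;
}

// Keep a short prefix so a finding is identifiable without re-leaking the value.
function redact(v) {
  return v.slice(0, 6) + "..." + "*".repeat(Math.max(0, v.length - 6));
}

// Known formats first; otherwise quoted token-like literals (20+ chars of
// [A-Za-z0-9+/=_-]) that look statistically random. Prose and URLs fail the
// character-class test before entropy is even computed.
function scanLine(line, lineNo) {
  const findings = [];
  for (const { kind, re } of KNOWN_PREFIXES) {
    const m = line.match(re);
    if (m) findings.push({ line: lineNo, kind, value: redact(m[0]) });
  }
  if (findings.length) return findings;
  for (const m of line.matchAll(/["'`]([A-Za-z0-9+\/=_-]{20,})["'`]/g)) {
    const entropy = shannonEntropy(m[1]);
    if (entropy >= ENTROPY_THRESHOLD) {
      findings.push({ line: lineNo, kind: "high-entropy-literal", value: redact(m[1]), entropy });
    }
  }
  return findings;
}

const scanSource = (src) => src.split("\n").flatMap((line, i) => scanLine(line, i + 1));

// Constructed sample source; none of these values are real credentials.
const SAMPLE = [
  'const stripe = new Stripe("sk_live_EXAMPLE0123456789abcdefXYZ");',
  'const aws = { accessKeyId: "AKIAIOSFODNN7EXAMPLE" };',
  'const token = "x7Gq2Lp9Wd4Zs8Rt1Ym6Nb3Kv5Jh0Fc";',
  'const greeting = "Hello, welcome to the dashboard";',
  'const stripeSafe = new Stripe(process.env.STRIPE_SECRET_KEY);',
].join("\n");
```

Running `scanSource(SAMPLE)` flags lines 1 and 2 by prefix and line 3 by entropy alone, while the prose literal on line 4 and the `process.env` read on line 5 produce nothing.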
Vulnerable vs. safe code
Vulnerable:

// .env values committed to source — visible in git history forever.
const stripe = new Stripe("sk_live_51HxYzL2eZvKYlo2C9X8fG7H8JkLm...");
const openai = new OpenAI({
  apiKey: "sk-proj-abc123def456ghi789jkl012mno345pqr678",
});

Safe:

// Read from environment at runtime. Never committed.
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);
const openai = new OpenAI({
  apiKey: process.env.OPENAI_API_KEY!,
});
// In your repo: .env (gitignored), .env.example (committed, no values).
// In production: secrets injected by Vercel/Railway/Fly/AWS Secrets Manager.

If you've already committed a key, rotating it is mandatory — `git rm` doesn't help because the value still exists in history. Treat any key that ever lived in a public commit as compromised.
About A02:2021 — Cryptographic Failures
Cryptographic failures cover everything from hardcoded secrets in source code to using broken algorithms (MD5, SHA-1) to transmitting passwords in plaintext. AI coding tools frequently generate this category of bug because the safe alternatives require knowing about libraries the model wasn't trained heavily on.
Impact: When this class ships, it's usually a data breach. Hardcoded API keys end up on GitHub and get scraped within minutes. Weak password hashing means a single database leak unlocks every user's password. Plaintext-over-HTTP endpoints get sniffed on public WiFi.
How to fix it: Never store secrets in source code — use environment variables and a secret manager. Use bcrypt/argon2 for password hashing, not MD5/SHA-1. Always use HTTPS in production. Use the platform's modern crypto APIs instead of rolling your own.
Common patterns in this category:
- Hardcoded API keys, tokens, or passwords committed to git
- MD5 or SHA-1 used for password hashing instead of bcrypt/argon2
- Sensitive data sent over HTTP instead of HTTPS
- Encryption keys stored alongside the encrypted data
- Custom crypto implementations instead of vetted libraries
Compliance coverage
Findings from this rule map to the following framework controls:
See the full compliance coverage page for how XploitScan maps every rule to SOC 2, ISO 27001, and OWASP Top 10 controls.
Scan your code for VC001 and 157 other rules
Free, no signup. Drag and drop a zip or run npx xploitscan scan .