ast/jwt-sign-hardcoded-secret

JWT signed with a hardcoded string secret

critical · AST · hardcoded-creds · CWE-798 · js · ts

What it detects

jwt.sign(payload, '<string literal>') was called with the signing secret hard-coded into the source. Anyone who can read the repository (or the bundled JS in browser dev tools) can forge tokens that the application will accept as valid. Load the secret from process.env at runtime, and rotate it the moment a leak of any committed secret is suspected.

How it runs

Each file scanned is parsed with the TypeScript Compiler API (via ts-morph). This rule walks the AST looking for the call shape and user-input flow it describes. Skipped on files larger than 200 KB or that fail to parse.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.