code/ai-placeholder-credential
Placeholder credential left in code
What it detects
A credential literal is a generated placeholder (your-api-key, INSERT_API_KEY_HERE, <your-secret>, change-me, sk-xxxx…). AI assistants emit these so the snippet 'works', and they ship unchanged — either as a broken default in production or, worse, replaced inline with a real secret that then gets committed. Move it to an environment variable and fail fast when it's unset.
How it runs
Applied line-by-line across source files, INCLUDING comments (the disclaimers and TODO markers are the signal). Matches placeholder credential literals, deferred-security TODO/FIXME comments, "not for production" disclaimers, and swallowed exceptions. The detector's own rule prose is skipped so the scanner doesn't flag itself.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.