← all rules

code/ai-placeholder-credential

Placeholder credential left in code

highAI-generated codeai-generatedCWE-798js · python

What it detects

A credential literal is a generated placeholder (your-api-key, INSERT_API_KEY_HERE, <your-secret>, change-me, sk-xxxx…). AI assistants emit these so the snippet 'works', and they ship unchanged — either as a broken default in production or, worse, replaced inline with a real secret that then gets committed. Move it to an environment variable and fail fast when it's unset.

How it runs

Applied line-by-line across source files, INCLUDING comments (the disclaimers and TODO markers are the signal). Matches placeholder credential literals, deferred-security TODO/FIXME comments, "not for production" disclaimers, and swallowed exceptions. The detector's own rule prose is skipped so the scanner doesn't flag itself.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.