---
title: No Hardcoded Secrets In Repo
impact: HIGH
impactDescription: prevents credential exposure
tags: secrets, credentials, security, git, quality
---

## No Hardcoded Secrets In Repo

A secret committed to the repository is readable by everyone with repo access, remains in git history even after the line is deleted, and is routinely scraped from public and leaked repositories by attackers.

**Incorrect (secrets in code):**

```go
// Every literal below is baked into git history and every build artifact.
const APIKey = "sk-abc123xyz789"
const DBPassword = "admin123"

func init() {
    client := stripe.NewClient("sk_live_xxx") // live key committed with the code
    _ = client                                // assigned only so the snippet compiles
}
```

**Correct (environment/secrets manager):**

```go
// Option 1: read from the environment, injected by the deployment platform
apiKey := os.Getenv("API_KEY")

// Option 2: fetch from a secrets manager at startup
// (secretManager is a client for whichever manager the service uses)
apiKey, err := secretManager.GetSecret(ctx, "stripe-api-key")
if err != nil {
    log.Fatalf("fetching stripe-api-key: %v", err)
}

// Either way, validate at startup so a missing secret fails the deploy
// instead of the first request that needs it
if apiKey == "" {
    log.Fatal("API_KEY environment variable is required")
}
```
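The following is an added example, not code from the original rule: a complete startup loader in the spirit of the snippet above. It reads each required secret from the environment or, following the `KEY_FILE` convention used for Docker and Kubernetes mounted secrets, from a file named by `API_KEY_FILE` / `DB_PASSWORD_FILE`, and reports every missing key at once. The `Secrets` type, the key names and the injected `lookup`/`readFile` functions are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// Secrets holds the credentials the service needs at runtime.
// The field and variable names here are assumptions for this example.
type Secrets struct {
	APIKey     string
	DBPassword string
}

// requiredKeys are the variables that must be present before the service starts.
var requiredKeys = []string{"API_KEY", "DB_PASSWORD"}

// resolve returns the value for key, read either from the variable itself or
// from the file named by KEY_FILE (the convention used for Docker and
// Kubernetes mounted secrets). lookup and readFile are injected so the logic
// can be exercised without touching the real environment or filesystem.
func resolve(key string, lookup func(string) (string, bool), readFile func(string) ([]byte, error)) (string, error) {
	if v, ok := lookup(key); ok && strings.TrimSpace(v) != "" {
		return strings.TrimSpace(v), nil
	}
	if path, ok := lookup(key + "_FILE"); ok && path != "" {
		b, err := readFile(path)
		if err != nil {
			return "", fmt.Errorf("%s_FILE: %w", key, err)
		}
		v := strings.TrimSpace(string(b))
		if v == "" {
			return "", fmt.Errorf("%s_FILE points at an empty file", key)
		}
		return v, nil
	}
	return "", fmt.Errorf("%s (or %s_FILE) is required", key, key)
}

// LoadSecrets resolves every required key and reports all missing ones at
// once, so an operator fixes the deployment in one pass rather than one
// restart per missing variable.
func LoadSecrets(lookup func(string) (string, bool), readFile func(string) ([]byte, error)) (Secrets, error) {
	values := make(map[string]string, len(requiredKeys))
	var errs []error
	for _, k := range requiredKeys {
		v, err := resolve(k, lookup, readFile)
		if err != nil {
			errs = append(errs, err)
			continue
		}
		values[k] = v
	}
	if len(errs) > 0 {
		return Secrets{}, errors.Join(errs...)
	}
	return Secrets{APIKey: values["API_KEY"], DBPassword: values["DB_PASSWORD"]}, nil
}

func main() {
	s, err := LoadSecrets(os.LookupEnv, os.ReadFile)
	if err != nil {
		// Fail fast: a service that starts without its secrets fails later and less clearly.
		fmt.Fprintln(os.Stderr, "startup aborted:", err)
		os.Exit(1)
	}
	// Never log the values themselves; lengths are enough to confirm they loaded.
	fmt.Printf("loaded API key (%d chars) and DB password (%d chars)\n", len(s.APIKey), len(s.DBPassword))
}
```

Passing `os.LookupEnv` and `os.ReadFile` in `main` keeps production behaviour identical to `os.Getenv`, while tests can substitute a map and a fake file reader. Returning an error from `LoadSecrets` rather than calling `log.Fatal` inside it is what makes the startup check testable.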

```gitignore
# .gitignore
.env
*.pem
*.key
```

**Tools:** GitLeaks, TruffleHog, pre-commit hooks
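To show what these scanners do at the simplest level, here is an added example (not GitLeaks, TruffleHog or any project's code): a small line-based secret detector of the kind that runs as a pre-commit hook. The rule patterns are simplified versions of common signatures, the allowlist suppresses template placeholders such as `${DB_PASSWORD}`, and the sample input is constructed for this example; the AWS key in it is the dummy value AWS documents, and the Stripe-shaped string is made up and not a real key.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one suspected secret: its 1-based line number, the rule that
// fired, and the line with the matched value redacted for the report.
type Finding struct {
	Line int
	Rule string
	Text string
}

// rule pairs a name with a pattern. Group 1, where present, captures the
// value so it can be checked against the placeholder allowlist and redacted.
type rule struct {
	name string
	re   *regexp.Regexp
}

// rules are deliberately simplified versions of signatures real scanners ship.
var rules = []rule{
	{"aws-access-key-id", regexp.MustCompile(`\b(AKIA[0-9A-Z]{16})\b`)},
	{"stripe-live-key", regexp.MustCompile(`\b(sk_live_[0-9A-Za-z]{24,})\b`)},
	{"private-key-block", regexp.MustCompile(`-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----`)},
	{"generic-assignment", regexp.MustCompile(`(?i)(?:password|passwd|secret|api[_-]?key)\s*[:=]+\s*["']([^"']{8,})["']`)},
}

// placeholder matches values that are references rather than secrets:
// shell/template variables, angle-bracket placeholders and obvious dummies.
var placeholder = regexp.MustCompile(`(?i)^(\$\{?[A-Z0-9_]+\}?|<[^>]+>|changeme|placeholder|x+)$`)

// redact keeps the first four characters of the value so a reviewer can
// recognise it without the full secret landing in hook output or CI logs.
func redact(line, value string) string {
	if value == "" {
		return line
	}
	keep := 4
	if len(value) < keep {
		keep = len(value)
	}
	return strings.Replace(line, value, value[:keep]+strings.Repeat("*", len(value)-keep), 1)
}

// ScanLines runs every rule over each line and returns the findings.
func ScanLines(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		for _, r := range rules {
			m := r.re.FindStringSubmatch(line)
			if m == nil {
				continue
			}
			value := ""
			if len(m) > 1 {
				value = m[1]
			}
			if value != "" && placeholder.MatchString(value) {
				continue
			}
			out = append(out, Finding{Line: i + 1, Rule: r.name, Text: redact(strings.TrimSpace(line), value)})
		}
	}
	return out
}

// sampleLines is constructed input for this example: the first two come from
// the incorrect snippet above, the AWS key is the dummy AWS documents, and the
// Stripe-shaped value is invented.
var sampleLines = []string{
	`const APIKey = "sk-abc123xyz789"`,
	`const DBPassword = "admin123"`,
	`client := stripe.NewClient("sk_live_0123456789abcdefABCDEF00")`,
	`AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE`,
	`apiKey := os.Getenv("API_KEY")`,
	`password = "${DB_PASSWORD}"`,
	`-----BEGIN RSA PRIVATE KEY-----`,
}

func main() {
	for _, f := range ScanLines(sampleLines) {
		fmt.Printf("line %d [%s]: %s\n", f.Line, f.Rule, f.Text)
	}
}
```

Run as a hook, a non-empty result would block the commit. Note that the environment-based line and the `${DB_PASSWORD}` placeholder produce no findings, which is the behaviour a team needs before such a check can be made mandatory.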
