---
title: No Hardcoded Secrets In Repo
impact: CRITICAL
impactDescription: prevents sensitive credential exposure and security breaches
tags: secrets, credentials, security, git, quality, kotlin
---

## No Hardcoded Secrets In Repo

Hardcoding sensitive credentials (API keys, DB passwords, private keys) in source code or configuration files is a major security risk. Once committed, they are visible to anyone with access to the repository, including every historical version, so removing the line later does not remove the exposure.

**Incorrect (secrets in code):**

```kotlin
import java.sql.DriverManager

// Literal credentials compiled into the binary and stored in git history
const val STRIPE_API_KEY = "sk_live_abc123"
val dbPassword = "root_password"

// Hardcoded credentials passed straight to the driver
val connection = DriverManager.getConnection("jdbc:mysql://localhost/db", "admin", "secret123")
```

**Correct (environment/secrets manager):**

```kotlin
import java.io.FileInputStream
import java.util.Properties

// Load from environment variables
val apiKey = System.getenv("API_KEY")

// Load from a secure property file (not committed to git); `use` closes the stream
val properties = Properties().apply {
    FileInputStream("secrets.properties").use { load(it) }
}
val dbPassword = properties.getProperty("DB_PASSWORD")

// Using a cloud secrets manager (AWS Secrets Manager, GCP Secret Manager, Vault);
// `secretsClient` stands for whichever provider SDK client the project uses
val stripeKey = secretsClient.getSecret("stripe/live-key")

// Validate presence at startup so a missing secret fails fast, not on first use
checkNotNull(apiKey) { "API_KEY environment variable must be set" }
```

**Protecting Secrets:**
- Add `.env`, `secrets.properties`, `*.jks`, `*.pem` to `.gitignore`.
- Use CI/CD secrets for deployment.
- Avoid printing secrets to log files.
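The loading and logging points above combined into one small Kotlin helper, added here as an example rather than taken from any project: environment variables take precedence over a git-ignored `secrets.properties` file (assumed path), a missing secret fails at startup, and the `Secret` wrapper redacts itself in `toString()` so an accidental log line never prints the credential.

```kotlin
import java.io.File
import java.util.Properties

// Plain class, not a data class: a data class would generate a toString()
// that prints the value. Only reveal() exposes the raw credential.
class Secret(private val value: String) {
    fun reveal(): String = value
    override fun toString(): String = "Secret(****)"
}

class SecretLoader(
    private val env: Map<String, String> = System.getenv(),
    private val propertiesFile: String = "secrets.properties", // assumed, git-ignored
) {
    // Read the local file once, lazily; absence is fine because env may cover everything.
    private val fileProperties: Properties by lazy {
        Properties().apply {
            val file = File(propertiesFile)
            if (file.exists()) file.inputStream().use { load(it) }
        }
    }

    // Environment first, then the properties file; blank values count as missing
    // so a misconfigured deployment fails at startup instead of at first use.
    fun require(name: String): Secret {
        val raw = env[name]?.takeIf { it.isNotBlank() }
            ?: fileProperties.getProperty(name)?.takeIf { it.isNotBlank() }
            ?: error("Secret '$name' not found in environment or $propertiesFile")
        return Secret(raw)
    }
}

fun main() {
    val secrets = SecretLoader()
    val dbPassword = secrets.require("DB_PASSWORD")

    // Logging the wrapper is safe: this prints "db password: Secret(****)"
    println("db password: $dbPassword")

    // Hand the real value only to the API that needs it, e.g.
    // DriverManager.getConnection(url, "app_user", dbPassword.reveal())
}
```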

**Tools:** Gitleaks, TruffleHog, SonarQube, detekt (HardcodedSecret)
