---
title: No Hardcoded Secrets In Repo
impact: HIGH
impactDescription: prevents credential exposure and security breaches
tags: secrets, credentials, security, git, quality, php
---

## No Hardcoded Secrets In Repo

Hardcoding secrets (API keys, database passwords, private tokens) directly in the source code exposes them to anyone with repository access. Once committed, these secrets remain in the Git history even if deleted later.

**Incorrect (secrets in code):**

```php
// Hardcoded API key
$stripeSecret = 'sk_live_51P...';

// Hardcoded database credentials
$conn = mysqli_connect("localhost", "root", "password123", "my_db");

// Using plain text secrets in config files committed to VCS
return [
    'aws_key' => 'AKIA...',
    'aws_secret' => 'base64_encoded_secret...'
];
```

**Correct (environment variables or secrets manager):**

```php
// Using environment variables (via .env file not in VCS)
$stripeSecret = getenv('STRIPE_SECRET_KEY');

// In Laravel (using config which pulls from .env)
$stripeSecret = config('services.stripe.secret');

// Validation at startup or in Service Providers
if (empty($stripeSecret)) {
    throw new \RuntimeException('STRIPE_SECRET_KEY is required but not set.');
}
```

**.gitignore configuration:**

Ensure sensitive files are never committed:

```gitignore
# .gitignore
.env
.env.production
auth.json
*.key
*.pem
```

**Prevention Strategy:**
1. Use `.env.example` to list required keys without values.
2. Use a Secrets Manager (AWS, HashiCorp Vault) for production environments.
3. Rotate (revoke and reissue) secrets immediately if they are accidentally committed; deleting them from the repository is not enough, because the value stays in the Git history.
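The startup validation shown in the "Correct" block above and the `.env.example` convention from step 1 can be combined: treat `.env.example` as the contract of required keys and refuse to boot when any of them is unset. The following is an added example, not code from the original rule page or from Laravel; the function names, the `.env.example` path and the constructed sample file are assumptions for this illustration.

```php
<?php
// Added example: fail fast at bootstrap when a key declared in .env.example is
// missing from the environment. Only key NAMES are ever reported, never values,
// so the error message is safe to log.

/**
 * Parse the key names out of a .env-style file. Values are ignored on purpose:
 * .env.example is committed and must carry names only, never real values.
 * Accepts "KEY=", "KEY=value" and "export KEY=value"; skips comments and blanks.
 */
function requiredKeysFromExample(string $path): array
{
    if (!is_readable($path)) {
        throw new \RuntimeException("Cannot read $path");
    }
    $keys = [];
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        if (preg_match('/^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=/', $line, $m)) {
            $keys[] = $m[1];
        }
    }
    return array_values(array_unique($keys));
}

/**
 * Return the names of required keys that are unset or empty in the environment.
 * getenv() returns false for an unset variable, so both cases are covered.
 */
function missingRequiredKeys(array $required): array
{
    $missing = [];
    foreach ($required as $key) {
        $value = getenv($key);
        if ($value === false || trim($value) === '') {
            $missing[] = $key;
        }
    }
    return $missing;
}

/**
 * Call once during bootstrap (for Laravel, a Service Provider's boot() method).
 * The default path is an assumption; point it at your project's .env.example.
 */
function assertEnvironmentComplete(string $examplePath = __DIR__ . '/.env.example'): void
{
    $missing = missingRequiredKeys(requiredKeysFromExample($examplePath));
    if ($missing !== []) {
        throw new \RuntimeException(
            'Missing required environment variables: ' . implode(', ', $missing)
        );
    }
}

// Self-contained usage: a constructed .env.example written to a temp file.
$example = tempnam(sys_get_temp_dir(), 'envexample');
file_put_contents($example, "# constructed sample, names only\nSTRIPE_SECRET_KEY=\nDB_PASSWORD=\nAWS_SECRET_ACCESS_KEY=\n");
putenv('STRIPE_SECRET_KEY=placeholder-not-a-real-key'); // constructed placeholder
try {
    assertEnvironmentComplete($example);
} catch (\RuntimeException $e) {
    // Prints the two missing NAMES (DB_PASSWORD, AWS_SECRET_ACCESS_KEY), no values.
    echo $e->getMessage(), PHP_EOL;
}
unlink($example);
```

Because the check reads names from `.env.example` rather than from a hardcoded list, adding a new secret to the application means adding its name to the example file, which keeps the committed contract and the runtime check from drifting apart.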

**Tools:** Gitleaks, TruffleHog, SonarQube, pre-commit hooks
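A pre-commit hook is the last line of defence before a secret reaches the history. The following is an added example, not code from the original page or from any of the tools listed above: a minimal hook written in PHP (so it needs nothing beyond the project's own runtime) that refuses a commit when a staged file matches the `.gitignore` patterns above or its staged content matches a small set of well-known credential formats. The pattern list, file name checks and the `--self-test` flag are assumptions for this illustration; the AWS, Stripe and private-key formats are an illustrative subset, and a dedicated scanner such as Gitleaks or TruffleHog covers far more.

```php
#!/usr/bin/env php
<?php
// Added example: install as .git/hooks/pre-commit (chmod +x). Exits non-zero,
// which aborts the commit, when a staged file is a secret file or contains a
// known credential pattern. Reports file and kind only, never the matched value.

/** Base names that must never be staged, mirroring the .gitignore rules above. */
const FORBIDDEN_FILES = ['/^\.env(\..+)?$/', '/^auth\.json$/', '/\.(key|pem)$/'];

/** Content patterns kept deliberately strict to limit false positives. */
const SECRET_PATTERNS = [
    'AWS access key id'      => '/\bAKIA[0-9A-Z]{16}\b/',
    'Stripe live secret key' => '/\bsk_live_[0-9A-Za-z]{10,}\b/',
    'Private key block'      => '/-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/',
];

/** Scan a map of path => staged content; returns [path => [finding label, ...]]. */
function scanStagedFiles(array $staged): array
{
    $findings = [];
    foreach ($staged as $path => $content) {
        foreach (FORBIDDEN_FILES as $re) {
            if (preg_match($re, basename($path))) {
                $findings[$path][] = 'secret file must not be committed';
                break;
            }
        }
        foreach (SECRET_PATTERNS as $label => $re) {
            if (preg_match($re, $content)) {
                $findings[$path][] = $label;
            }
        }
    }
    return $findings;
}

/**
 * Read staged paths and their INDEX content ("git show :path"), not the working
 * tree copy, so partially staged files are judged on what would be committed.
 */
function readStagedFromGit(): array
{
    $out = shell_exec('git diff --cached --name-only --diff-filter=ACM -z');
    $staged = [];
    foreach (array_filter(explode("\0", (string) $out)) as $path) {
        $staged[$path] = (string) shell_exec('git show :' . escapeshellarg($path));
    }
    return $staged;
}

function report(array $findings): int
{
    foreach ($findings as $path => $labels) {
        fwrite(STDERR, "$path: " . implode(', ', $labels) . PHP_EOL);
    }
    return $findings === [] ? 0 : 1;
}

// Self-check on constructed input; placeholders below are not real credentials.
if (in_array('--self-test', $argv, true)) {
    $sample = [
        'config/services.php' => "<?php return ['key' => '" . 'AKIA' . str_repeat('A', 16) . "'];",
        'app/Billing.php'     => '$secret = "' . 'sk_live_' . str_repeat('0', 24) . '";',
        '.env.production'     => 'DB_PASSWORD=placeholder',
        'README.md'           => 'Set STRIPE_SECRET_KEY in your local .env file.',
    ];
    // Expected: three findings (services.php, Billing.php, .env.production); README is clean.
    exit(report(scanStagedFiles($sample)));
}

exit(report(scanStagedFiles(readStagedFromGit())));
```

Run `php .git/hooks/pre-commit --self-test` to see the hook's output on the constructed sample without touching a repository. A client-side hook is only a convenience (developers can bypass it with `--no-verify`), so pair it with a server-side or CI scan using one of the tools listed above.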
