# S6418: Secrets should not be hard-coded
#
# Rule metadata. `id` is the stable handle other tooling (baselines,
# suppressions, reports) refers to; reword `name`/`message` freely, but keep
# `id` unchanged.
id: c-hardcoded-secrets
name: Secrets Should Not Be Hard-Coded
# A committed credential is exploitable regardless of the code path that
# reaches it, hence `error` rather than a warning-level severity.
severity: error
category: security
defect_class: secrets
# `blocking` presumably means the finding stops the inline review rather
# than just annotating it — confirm against the engine's tier definitions.
inline_tier: blocking
language: c

# Shown to the user on each finding. {{VARNAME}} is filled from the @VARNAME
# capture in `query` below (see `metavars`).
message: "hard-coded secret detected in {{VARNAME}} — move to environment variables or secure vault"

description: |
  Hard-coded secrets (API keys, passwords, tokens) in source code are
  exposed in version control and can be leaked. Load secrets at runtime
  from environment variables or a secrets manager, and check the lookup
  result before use: getenv() returns NULL when the variable is unset.

  ✅ FIX: Read from environment

  ```c
  const char* api_key = getenv("API_KEY");
  ```

# Tree-sitter pattern against the C grammar. The two alternatives cover a
# plain declaration `T name = "...";` and a pointer declaration
# `T *name = "...";`. Both anchor on `init_declarator`, so other places a
# literal secret commonly sits — `#define KEY "..."`, `char key[] = "..."`
# (array_declarator), a later assignment `key = "...";`, or a struct/array
# initializer — are NOT matched as written. Anything string-initialized
# does match; the content check is left to `post_filter` below.
# (Do not add `#` comments inside this block scalar: they become part of
# the query text.)
query: |
  [
    (init_declarator
      (identifier) @VARNAME
      (string_literal) @SECRET)
    (init_declarator
      (pointer_declarator
        (identifier) @VARNAME)
      (string_literal) @SECRET)
  ]

# Capture names exposed to the message template and the post-filter; each
# must correspond to an @capture in `query`.
metavars:
  - VARNAME
  - SECRET

# Resolved by name in the engine. Presumably inspects the captured @SECRET
# text to decide whether the literal looks like a credential (the name
# suggests a pattern/entropy check) — confirm. Without it this rule fires
# on every string-initialized variable, so its precision is what keeps the
# `blocking` tier tolerable.
post_filter: check_secret_pattern

# `cwe` and `cert` are bare family tags; the specific CWE entry and CERT
# rule ids are not recorded here, so reports cannot link to them directly.
tags:
  - security
  - c
  - cwe
  - cert
  - secrets

# The `good` example mirrors the auto-fix output. Note that getenv() returns
# NULL when API_KEY is unset; real code must check the result before use —
# the example omits that for brevity, and the fix action presumably does too.
examples:
  bad: |
    const char* api_key = "sk-1234567890abcdef";  // BAD

  good: |
    const char* api_key = getenv("API_KEY");  // GOOD

# Automated remediation handler, resolved by name elsewhere. It presumably
# rewrites the matched literal into an environment lookup as in the `good`
# example; how the variable name is derived from @VARNAME is not visible here.
has_fix: true
fix_action: replace_with_env_lookup
