# Hardcoded Secrets
# Detects hardcoded API keys, passwords, tokens in code
#
# Rule definition for a tree-sitter-style static check. The `query` below
# matches *every* string-literal assignment to a plain identifier; whether a
# match is actually a secret is decided by `post_filter` (defined elsewhere,
# not in this file), so the query itself is deliberately broad.
id: hardcoded-secrets
name: Hardcoded Secret
severity: error
category: security
defect_class: secrets
inline_tier: blocking
# Grammar the query is written against; presumably also restricts which
# source files the rule is run on — confirm against the rule loader.
language: typescript

# Short finding text; the remediation detail lives in `description` below.
message: "Hardcoded secret in variable assignment — use environment variables"

description: |
  Hardcoded secrets in source code are a serious security risk.
  They can be exposed through:
  - Git history (even if deleted)
  - Decompiled code
  - Public repositories
  
  ✅ FIX: Use environment variables
  
  ```typescript
  const apiKey = process.env.API_KEY;
  if (!apiKey) throw new Error('API_KEY not set');
  ```
  
  Then add to .env file (which should be in .gitignore):
  ```
  API_KEY=your_secret_here
  ```

# S-expression query. The outer `[ ... ]` is an alternation; each
# alternative binds the assigned-to identifier as @VARNAME:
#   1. a `let`/`const` declaration whose initializer is a string literal
#   2. a bare `ident = "..."` assignment statement
# NOTE(review): detection gaps to confirm are intentional — `var`
# declarations (variable_declaration), template literals (template_string)
# and property targets such as `cfg.key = "..."` (member_expression on the
# left) are not matched by either pattern, and `(string)` only covers
# quoted literals.
query: |
  [
    (lexical_declaration
      (variable_declarator
        name: (identifier) @VARNAME
        value: (string)))
    (expression_statement
      (assignment_expression
        left: (identifier) @VARNAME
        right: (string)))
  ]

# Capture names exposed to the post-filter / message; must match the
# `@name` captures used in `query`.
metavars:
  - VARNAME

tags:
  - security
  - secrets
  - best-practice
  - owasp

# Filter applied to each query match; its implementation is not in this
# file. Presumably it inspects VARNAME and/or the string value for
# secret-like patterns — confirm against the filter's definition, since
# without it every string assignment would be reported.
post_filter: check_secret_pattern

# `bad`: each line is a `const ident = "..."` declaration, so all three hit
# the first query alternative.
# `good`: `process.env.X` is a member_expression, not a (string) node, so
# these never match the query and never reach the post-filter.
examples:
  bad: |
    const api_key = "sk-live-abc123xyz789";
    const password = "hunter2";
    const SECRET = "my-secret-value";
  
  good: |
    const api_key = process.env.API_KEY;
    const password = process.env.DATABASE_PASSWORD;
    const secret = process.env.SECRET_KEY;

# No automatic fix is offered; remediation is the manual guidance in
# `description`.
has_fix: false
