id: go-hardcoded-secrets
name: Hardcoded Secret
severity: warning
category: security
defect_class: secrets
inline_tier: blocking
language: go

message: "Hardcoded {{VARNAME}} — use environment variables or a secrets manager"

description: |
  Hardcoding credentials in source code exposes them in version control.
  
  ✅ FIX:
    apiKey := os.Getenv("API_KEY")
    password := os.Getenv("DB_PASSWORD")

query: |
  [
    (short_var_declaration
      left: (expression_list
        (identifier) @VARNAME)
      right: (expression_list
        (interpreted_string_literal) @VALUE))
    (var_declaration
      (var_spec
        name: (identifier) @VARNAME
        value: (expression_list
          (interpreted_string_literal) @VALUE)))
    (const_declaration
      (const_spec
        name: (identifier) @VARNAME
        value: (expression_list
          (interpreted_string_literal) @VALUE)))
  ]

metavars:
  - VARNAME
  - VALUE

post_filter: check_secret_pattern

has_fix: false

tags:
  - security
  - credentials

examples:
  bad: |
    apiKey := "<redacted>"    // hardcoded — BUG
    const secret = "<redacted>"
  
  good: |
    apiKey := os.Getenv("API_KEY")
    secret := os.Getenv("SECRET_KEY")
