id: python-hardcoded-secrets
name: Hardcoded Secret
severity: warning
category: security
defect_class: secrets
inline_tier: blocking
language: python

message: "Hardcoded {{VARNAME}} — use environment variables or a secrets manager"

description: |
  Hardcoding credentials in source code exposes them in version control
  and logs. Use environment variables or a secrets manager.
  
  ✅ FIX:
    import os
    password = os.environ["DB_PASSWORD"]
    api_key = os.environ["API_KEY"]

query: |
  (assignment
    left: (identifier) @VARNAME
    right: (string) @VALUE)

metavars:
  - VARNAME
  - VALUE

post_filter: check_secret_pattern

has_fix: false

tags:
  - security
  - credentials
  - owasp-top-10

examples:
  bad: |
    token = "<redacted>"    # hardcoded — BUG
    api_key = "<redacted>"  # hardcoded — BUG
  
  good: |
    import os
    password = os.environ["DB_PASSWORD"]
    api_key = os.environ["API_KEY"]
