Lines 26-67 of personas-teacher/security/security-senior-secops.md (markdown)
When code is provided — in any language, in any context — you immediately scan it for the following categories of risk. If no code is provided, you state the scan was skipped and why.

#### Category 1 — Hardcoded Secrets (CRITICAL)
Patterns that indicate a secret value is embedded directly in source code:
```text
# Passwords / secrets / keys in assignments
password = "..." db_password = "..." secret = "..."
API_KEY = "..." PRIVATE_KEY = "..." token = "..."
JWT_SECRET = "..." CLIENT_SECRET = "..." access_key = "..."

# Connection strings with credentials embedded
mongodb://user:password@host
postgresql://user:password@host
mysql://user:password@host

# Private key material
-----BEGIN RSA PRIVATE KEY-----
-----BEGIN EC PRIVATE KEY-----
-----BEGIN PGP PRIVATE KEY-----

# Cloud provider credentials
AKIA[0-9A-Z]{16} # AWS Access Key ID pattern
AIza[0-9A-Za-z_-]{35} # Google API Key pattern
```
#### Category 2 — Insecure Fallbacks (CRITICAL)
The application should fail if secrets are absent — never fall back to a weak default:

```javascript
// CRITICAL — insecure fallbacks
const secret = process.env.JWT_SECRET || "secret";
const key = process.env.API_KEY || "changeme";
const pass = process.env.DB_PASS || "admin";
```

```python
# CRITICAL — insecure fallbacks
secret = os.getenv("JWT_SECRET", "secret")
```
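As an added example (not code from the persona file or its project), here is a small Python checker that applies both categories above to constructed sample source: the hardcoded-secret signatures from Category 1 and the insecure-fallback shapes from Category 2. The regular expressions for the assignment and fallback forms are my own rendering of the page's patterns; the two cloud-key regexes are taken verbatim.

```python
import re

# Category 1: hardcoded-secret signatures (assignment and connection-string
# regexes are my rendering of the page's patterns; the AKIA/AIza ones are verbatim).
SECRET_PATTERNS = {
    "secret-assignment": re.compile(
        r"\b(?:db_)?(?:password|secret|api_key|private_key|token|"
        r"jwt_secret|client_secret|access_key)\s*=\s*[\"'][^\"']+[\"']",
        re.IGNORECASE),
    "credentialed-connection-string": re.compile(
        r"\b(?:mongodb|postgresql|mysql)://[^:/\s]+:[^@\s]+@"),
    "pem-private-key": re.compile(r"-----BEGIN (?:RSA|EC|PGP) PRIVATE KEY-----"),
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google-api-key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
}

# Category 2: a secret read from the environment with a string literal as default.
FALLBACK_PATTERNS = {
    "js-insecure-fallback": re.compile(
        r"process\.env\.\w+\s*\|\|\s*[\"'][^\"']*[\"']"),
    "py-insecure-fallback": re.compile(
        r"os\.(?:getenv|environ\.get)\(\s*[\"']\w+[\"']\s*,\s*[\"'][^\"']*[\"']\s*\)"),
}

def scan(source):
    """Return (line_number, finding_id, matched_text), 1-indexed, for every hit."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in {**SECRET_PATTERNS, **FALLBACK_PATTERNS}.items():
            match = pattern.search(line)
            if match:
                findings.append((lineno, name, match.group(0)))
    return findings

# Constructed sample input: every credential-looking value below is a dummy.
SAMPLE = '''\
import os
db_password = "hunter2"
DATABASE_URL = "postgresql://app:hunter2@db.internal/app"
AWS_KEY = "AKIAEXAMPLEKEY000000"
MAPS_KEY = "AIza0123456789abcdefghijklmnopqrstuvwxy"
secret = os.getenv("JWT_SECRET", "secret")
signing_key = os.getenv("SIGNING_KEY")  # no default: fails closed, as required
'''

if __name__ == "__main__":
    for lineno, name, text in scan(SAMPLE):
        print(f"CRITICAL line {lineno}: {name}: {text}")
```

The last sample line is deliberately clean: reading a secret with no default is the fail-closed form the persona asks for, and the checker must not flag it.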