Backend safety

no-hardcoded-secrets

Flag hardcoded API keys, tokens, and private keys (AWS, GitHub, Stripe, Google, Slack, OpenAI, Anthropic, JWT, PEM).

Two arms: (1) provider-fingerprinted regexes for AWS access key IDs, GitHub PATs, Stripe live keys, Google API keys, Slack tokens, OpenAI/Anthropic project keys, JWTs, and PEM private-key blocks; (2) high-entropy literals bound to a secret-named identifier (`apiKey`, `token`, `password`, …). Placeholders (`changeme`, `<API_KEY>`) and short test fixtures are exempted so demo code stays quiet.
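The two arms described above, as an added JavaScript illustration that is not the plugin's implementation: the fingerprint regexes cover only formats whose shape is well known (AWS access key IDs, GitHub classic PATs, Stripe live keys, PEM blocks), and the secret-name list, the 16-character minimum, the 3.5-bit entropy threshold and the line-based `name = "literal"` extraction are assumptions made for the example.

```javascript
// Added illustration (not the plugin's code): a two-arm scanner mirroring the rule text.
const FINGERPRINTS = [
  { kind: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { kind: 'github-pat',        re: /\bghp_[A-Za-z0-9]{36}\b/ },
  { kind: 'stripe-live-key',   re: /\bsk_live_[0-9A-Za-z]{24,}/ },
  { kind: 'pem-private-key',   re: /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/ },
];
// Arm 2 fires only for literals bound to a secret-looking identifier (assumed list).
const SECRET_NAME = /api[_-]?key|token|secret|password|passwd|private[_-]?key/i;
// Exemptions so demo code stays quiet: placeholders and short test fixtures.
const PLACEHOLDER = /^(?:changeme|<[^>]+>|\$\{[^}]+\}|x{4,}|your[_-].*)$/i;
const MIN_LEN = 16;        // assumed: shorter literals are treated as test fixtures
const ENTROPY_BITS = 3.5;  // assumed: Shannon entropy (bits per character) threshold
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) { const p = n / s.length; h -= p * Math.log2(p); }
  return h;
}
// Classify one string literal; `identifier` is the name it is bound to, or null.
function classifyLiteral(literal, identifier) {
  for (const f of FINGERPRINTS) if (f.re.test(literal)) return f.kind;  // arm 1
  if (!identifier || !SECRET_NAME.test(identifier)) return null;        // arm 2
  if (PLACEHOLDER.test(literal) || literal.length < MIN_LEN) return null;
  return shannonEntropy(literal) >= ENTROPY_BITS ? 'high-entropy-secret' : null;
}
// Naive line-based extraction of `name = "literal"` / `name: "literal"`; the real rule walks the AST.
const ASSIGN = /\b([A-Za-z_$][\w$]*)\s*[:=]\s*(["'`])((?:(?!\2).)*)\2/;
function scanSource(src) {
  const findings = [];
  src.split('\n').forEach((text, i) => {
    const m = ASSIGN.exec(text);
    if (!m) return;
    const kind = classifyLiteral(m[3], m[1]);
    if (kind) findings.push({ line: i + 1, identifier: m[1], kind });
  });
  return findings;
}
// Constructed sample source (not from the page); the AWS value is the well-known docs example key.
const SAMPLE = [
  'const awsKey = "AKIAIOSFODNN7EXAMPLE";',
  'const apiKey = "changeme";',
  'const token = "abc";',
  'const password = "q7Gz9!pL2xV#rT8wK4mN";',
  'const pem = "-----BEGIN RSA PRIVATE KEY-----";',
  'const url = "https://example.com/very/long/path";',
].join('\n');
const FINDINGS = scanSource(SAMPLE);
```

Lines 1, 4 and 5 of the sample are reported; the placeholder, the short fixture and the non-secret identifier stay quiet.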

Behavior

  • Fixable: No.
  • Suggestions: No.

Examples

Bad:

const apiKey = "sk-proj-XYZ..."

Good:

const apiKey = process.env.OPENAI_API_KEY

Use it

Enable no-hardcoded-secrets in your eslint.config.js:

import deslint from '@deslint/eslint-plugin';

export default [
  {
    plugins: { deslint },
    rules: {
      'deslint/no-hardcoded-secrets': 'error',
    },
  },
];