Hardcoded Secrets: The #1 Vulnerability AI Agents Can Auto-Fix

Published: December 31, 2025 at 12:39 AM EST
2 min read
Source: Dev.to

Problem

Every week, secrets leak: API keys committed to GitHub, database passwords in config files, AWS credentials in environment‑variable defaults.
The fix is trivial, but detection is not—especially in large codebases.

Typical hard‑coded secret patterns:

// ❌ This ships to production more than you'd think
// (imports assumed: node-postgres Pool and the Stripe Node SDK)
import { Pool } from 'pg';
import Stripe from 'stripe';

const db = new Pool({
  host: 'prod-db.example.com',
  user: 'admin',
  password: 'super_secret_password_123', // CWE-798: hard-coded credential
});

const stripe = new Stripe('sk_live_abc123xyz789'); // Hardcoded API key

In isolation these are obvious, but in a 50 000‑line repository they hide in plain sight.
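To make the detection side concrete, here is an added example (written for this page, not the eslint-plugin-secure-coding implementation): a small line-based scanner that reports hard-coded credentials in the structured shape the post describes, a CWE id, an exact line and column, and a fix instruction. A real ESLint rule works on the AST; regexes are enough to show the idea. The sample source, the property-name list, and the `toEnvName` naming convention are constructed assumptions.

```javascript
// Added example: a minimal hard-coded-credential scanner with machine-readable output.
// Not the eslint-plugin-secure-coding rule; regex-based for illustration only.

// Property names whose quoted string value is almost always a credential (assumed list).
const SECRET_PROPERTY = /\b(password|passwd|pwd|secret|apiKey|api_key|token)\b\s*:\s*(['"`])([^'"`]+)\2/i;

// Known credential formats. "sk_live_" is the Stripe live-key prefix from the post.
const KNOWN_FORMATS = [
  { name: 'Stripe live secret key', re: /(['"`])(sk_live_[A-Za-z0-9]+)\1/, envName: 'STRIPE_SECRET_KEY' },
];

// Lines that already read from the environment are the secure pattern; skip them.
const ENV_REF = /process\.env\./;

// password -> PASSWORD, apiKey -> API_KEY. Simplified naming: a real rule would
// let the project configure the variable name (e.g. DATABASE_PASSWORD).
function toEnvName(key) {
  return key.replace(/([a-z0-9])([A-Z])/g, '$1_$2').toUpperCase();
}

// Scan one file's text and return structured findings.
function scanSource(source, filename) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    if (ENV_REF.test(text)) return;
    const line = idx + 1;
    const prop = SECRET_PROPERTY.exec(text);
    if (prop) {
      findings.push({
        file: filename, line, column: prop.index + 1,
        cwe: 'CWE-798',
        message: 'Hardcoded credential detected',
        fix: `Use environment variable: process.env.${toEnvName(prop[1])}`,
      });
    }
    for (const fmt of KNOWN_FORMATS) {
      const m = fmt.re.exec(text);
      if (m) {
        findings.push({
          file: filename, line, column: m.index + 1,
          cwe: 'CWE-798',
          message: `Hardcoded ${fmt.name} detected`,
          fix: `Use environment variable: process.env.${fmt.envName}`,
        });
      }
    }
  });
  return findings;
}

// Render one finding in the ESLint-like layout shown in the post.
function formatFinding(f) {
  return `${f.file}\n  ${f.line}:${f.column}  error  ${f.cwe} | ${f.message}\n` +
         `              Fix: ${f.fix}`;
}

// Constructed sample file; the values are placeholders, not real credentials.
const SAMPLE_SOURCE = [
  "import { Pool } from 'pg';",
  "const db = new Pool({",
  "  host: 'prod-db.example.com',",
  "  user: 'admin',",
  "  password: 'super_secret_password_123',",
  "});",
  "const stripe = new Stripe('sk_live_abc123xyz789');",
  "const safe = new Stripe(process.env.STRIPE_SECRET_KEY);",
].join('\n');

scanSource(SAMPLE_SOURCE, 'src/db.ts').forEach((f) => console.log(formatFinding(f)));
```

Running it reports two findings (the password literal at 5:3 and the Stripe key on line 7) and skips line 8, which already uses `process.env`. The point of the structured fields is that a downstream tool, human or AI, can act on `cwe`, `line`, `column` and `fix` without parsing free text.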

Existing approaches

Approach           Drawbacks
grep "password"    Too many false positives
Secret scanners    Only catch committed secrets
Code review        Humans miss things

Tool

eslint-plugin-secure-coding adds a set of rules that detect hard‑coded credentials during linting. The error messages are formatted for AI consumption:

  • CWE‑798 – machine‑readable vulnerability ID
  • Fix instruction – exact pattern to apply
  • Location – precise line and column

Example lint output

src/db.ts
  5:3  error  🔒 CWE-798 OWASP:A02 CVSS:7.5 | Hardcoded credential detected
              Fix: Use environment variable: process.env.DATABASE_PASSWORD

Secure pattern

Replace hard‑coded values with environment variables:

// ✅ Secure pattern
// (imports assumed: node-postgres Pool and the Stripe Node SDK)
import { Pool } from 'pg';
import Stripe from 'stripe';

// Note: process.env values are undefined when a variable is unset,
// so validate them once at startup rather than failing on first use.
const db = new Pool({
  host: process.env.DATABASE_HOST,
  user: process.env.DATABASE_USER,
  password: process.env.DATABASE_PASSWORD,
});

const stripe = new Stripe(process.env.STRIPE_SECRET_KEY);

AI assistants such as Cursor, Copilot, and Claude can read the structured error and auto‑fix the code without human intervention.
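The secure pattern has one practical gap: `process.env.X` is simply `undefined` when the variable is unset, and a tempting fix is `process.env.X || 'fallback'`, which reintroduces exactly the hard-coded default the post warns about. The following added example (not part of the post) shows a fail-fast loader for the variable names used above: it checks every required variable once at startup, reports missing names (never values), and produces a redacted copy for logging. The `redactForLog` key heuristic and the sample environment are constructed assumptions.

```javascript
// Added example: fail-fast loading of the secure pattern's environment variables.
// Not part of the post or the plugin; the helper names are illustrative.

// Variables the secure pattern reads. Names taken from the post.
const REQUIRED_VARS = ['DATABASE_HOST', 'DATABASE_USER', 'DATABASE_PASSWORD', 'STRIPE_SECRET_KEY'];

// Config keys whose values must never reach a log line (assumed heuristic).
const SECRET_KEY_NAME = /password|secret|token|key/i;

// Build the config object, refusing to start when anything is missing or blank.
// Deliberately no `|| 'default'` fallback: a default here is a hard-coded secret.
function loadConfig(env = process.env) {
  const missing = REQUIRED_VARS.filter((name) => !env[name] || env[name].trim() === '');
  if (missing.length > 0) {
    // Report variable names only; never echo values into errors or logs.
    throw new Error(`Missing required environment variables: ${missing.join(', ')}`);
  }
  return {
    db: {
      host: env.DATABASE_HOST,
      user: env.DATABASE_USER,
      password: env.DATABASE_PASSWORD,
    },
    stripeSecretKey: env.STRIPE_SECRET_KEY,
  };
}

// Deep copy of the config with secret-named fields masked, safe for startup logs.
function redactForLog(value, key = '') {
  if (value !== null && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, redactForLog(v, k)]),
    );
  }
  return SECRET_KEY_NAME.test(key) ? '[redacted]' : value;
}

// Constructed environment for the demo; no real credentials.
const SAMPLE_ENV = {
  DATABASE_HOST: 'db.internal.example',
  DATABASE_USER: 'app',
  DATABASE_PASSWORD: 'constructed-example-only',
  STRIPE_SECRET_KEY: 'sk_live_constructed_example',
};

console.log(redactForLog(loadConfig(SAMPLE_ENV)));
```

Call `loadConfig()` once at process start so a missing variable fails deployment immediately instead of surfacing as an authentication error at the first database or Stripe call; anything you log about the configuration should go through `redactForLog` first.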

Installation

npm install --save-dev eslint-plugin-secure-coding

Add the recommended config to your ESLint setup:

// eslint.config.js
import secureCoding from 'eslint-plugin-secure-coding';

export default [secureCoding.configs.recommended];

That’s it—one line of config activates 89 security rules and eliminates hard‑coded secrets.
