Lot of professional answers but I would start by looking how many keys are stored in plain text in config file on backend server.
I would also check how many of these are used by the frontend. Some developers leave keys embedded in HTML like hidden input and sometimes you can get the key by inspecting network traffick with dev tools in browser if your app frontend uses 3rd party api but tries to hide the key by uglifying JS. Many forget to keep the keys on back and act as a middleware.
Then classics like sql injection, xss, those kind of things.
Later I would call sec experts to check for real threats which are security stuff and not common mistakes.
We're a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.