Every week, secrets leak. API keys committed to GitHub. Database passwords in config files. AWS credentials in environment variable defaults.
The fix is trivial. The detection is not.
Until now.
## The Problem

```javascript
// ❌ This ships to production more than you'd think
const db = new Pool({
  host: 'prod-db.example.com',
  user: 'admin',
  password: 'super_secret_password_123', // CWE-798
});
const stripe = new Stripe('sk_live_abc123xyz789'); // Hardcoded API key
```
These patterns are obvious in isolation. In a 50,000-line codebase? They hide in plain sight.
## Why Traditional Tools Fail
| Tool | Problem |
|---|---|
| grep for "password" | Too many false positives |
| Secret scanners | Only catch committed secrets |
| Code review | Humans miss things |
## The ESLint Solution

```javascript
// eslint.config.js
import secureCoding from 'eslint-plugin-secure-coding';
export default [secureCoding.configs.recommended];
```

Now run `npx eslint .` and get:

```text
src/db.ts
  5:3  error  CWE-798 OWASP:A02 CVSS:7.5 | Hardcoded credential detected
              Fix: Use environment variable: process.env.DATABASE_PASSWORD
```
## The Fixed Code

```javascript
// ✅ Secure pattern
const db = new Pool({
  host: process.env.DATABASE_HOST,
  user: process.env.DATABASE_USER,
  password: process.env.DATABASE_PASSWORD,
});
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY);
```
## Why AI Agents Love This Rule
The error message is structured for AI consumption:
- CWE-798: Machine-readable vulnerability ID
- Fix instruction: Exact pattern to apply
- Location: Precise line and column
Cursor, Copilot, and Claude can read this and auto-fix without human intervention.
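To make the mechanics concrete, here is an added example (written for this post, not the plugin's own source) of an ESLint-style rule with the same shape as `no-hardcoded-credentials`: `meta` plus a `create(context)` that returns ESTree visitors and emits the CWE-798 message with a fix hint. The key-name list, the key-prefix list and the tiny `lint()` walker are assumptions of the example, the walker standing in for ESLint's traversal so the rule can be run here against constructed AST fragments of the vulnerable and fixed snippets above without installing `eslint`.

```javascript
// Constructed example (not the plugin's own source): an ESLint-style rule with the same
// shape as no-hardcoded-credentials, plus a tiny walker so it runs without the eslint package.
const SENSITIVE_KEY = /^(password|passwd|pwd|secret|token|api[_-]?key)$/i; // assumed key-name list
const KEY_PREFIX = /^(sk_live_|sk_test_|ghp_|AKIA)/; // assumed list of well-known key prefixes
const rule = {
  meta: { type: 'problem', docs: { description: 'CWE-798: hardcoded credential' } },
  create(context) {
    const report = (node, fix) =>
      context.report({ node, message: `CWE-798 OWASP:A02 | Hardcoded credential detected. Fix: ${fix}` });
    return {
      // { password: 'literal' } is flagged; { password: process.env.X } is not a Literal, so it passes
      Property(node) {
        const name = String(node.key.name ?? node.key.value), v = node.value;
        if (SENSITIVE_KEY.test(name) && v.type === 'Literal' && typeof v.value === 'string' && v.value) {
          report(node, `use process.env.${name.toUpperCase()}`);
        }
      },
      // Any string literal carrying a known key prefix, e.g. new Stripe('sk_live_...')
      Literal(node) {
        if (typeof node.value === 'string' && KEY_PREFIX.test(node.value)) report(node, 'load the key from an environment variable or secret store');
      },
    };
  },
};
// Stand-in for ESLint's traversal: depth-first over an ESTree object, calling the visitor
// registered for each node type and collecting everything the rule reports.
function lint(ast) {
  const reports = [];
  const visitors = rule.create({ report: (r) => reports.push(r) });
  (function walk(node) {
    if (!node || typeof node !== 'object') return;
    if (Array.isArray(node)) { node.forEach(walk); return; }
    if (node.type && visitors[node.type]) visitors[node.type](node);
    Object.keys(node).forEach((k) => walk(node[k]));
  })(ast);
  return reports;
}
// Constructed ESTree fragments mirroring the post's vulnerable snippet and its fixed form.
const prop = (name, value) => ({ type: 'Property', key: { type: 'Identifier', name }, value });
const lit = (value) => ({ type: 'Literal', value });
const env = (name) => ({ type: 'MemberExpression', property: { type: 'Identifier', name } }); // process.env.NAME
const vulnerableAst = { type: 'Program', body: [
  { type: 'ObjectExpression', properties: [prop('host', lit('prod-db.example.com')), prop('password', lit('super_secret_password_123'))] },
  { type: 'NewExpression', arguments: [lit('sk_live_abc123xyz789')] },
] };
const fixedAst = { type: 'Program', body: [
  { type: 'ObjectExpression', properties: [prop('host', env('DATABASE_HOST')), prop('password', env('DATABASE_PASSWORD'))] },
  { type: 'NewExpression', arguments: [env('STRIPE_SECRET_KEY')] },
] };
```

`lint(vulnerableAst)` yields two findings (the `password` property and the `sk_live_` literal) while `lint(fixedAst)` yields none, because a `process.env` member expression is never a string literal.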
## Quick Install

```shell
npm install --save-dev eslint-plugin-secure-coding
```

```javascript
// eslint.config.js
import secureCoding from 'eslint-plugin-secure-coding';
export default [secureCoding.configs.recommended];
```
That's it. One line of config. 89 security rules. Zero hardcoded secrets.
- npm: eslint-plugin-secure-coding
- Rule docs: no-hardcoded-credentials