agent.pythonapikey_hardcoded
May 8, 2026
Flags API-key-shaped Python string literals.
Why It Matters
Hardcoded keys are easy to commit, copy, and leak. If a real key is found, remove it and rotate it.
Review
Bad:
API_KEY = (
"sk-ant-"
"FAKEKEY12345"
)
Good:
import os

API_KEY = os.environ["PROVIDER_API_KEY"]
Framework Note
This rule is module-wide. It is not limited to recognized tool functions, because keys often live in config blocks.
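As an added illustration of what a module-wide literal scan catches (example code written for this page, not the rule's own implementation; the key patterns and the sample module are constructed), a minimal AST-based detector: it visits every node in the module, not only tool functions, and sees the page's split "Bad" key as one folded constant.

```python
import ast
import re

# Key shapes for this example (constructed here, not the rule's own list):
# prefixed provider keys, an AWS-style access key id, and long opaque tokens.
KEY_PATTERNS = [
    re.compile(r"^sk-ant-[A-Za-z0-9_-]{8,}$"),
    re.compile(r"^sk-[A-Za-z0-9_-]{20,}$"),
    re.compile(r"^AKIA[0-9A-Z]{16}$"),
    re.compile(r"^[A-Za-z0-9_-]{32,}$"),
]


def looks_like_api_key(value) -> bool:
    """True if a string literal has an API-key shape; non-strings never match."""
    if not isinstance(value, str) or len(value) < 12 or " " in value:
        return False
    return any(p.match(value) for p in KEY_PATTERNS)


def find_hardcoded_keys(source: str) -> list:
    """Return sorted (lineno, literal) pairs for every key-shaped string literal.
    ast.walk is module-wide: top-level assignments, config dicts, class bodies
    and any function are all visited. Python folds adjacent literals into one
    ast.Constant, so ("sk-ant-" "FAKEKEY12345") is seen whole, where a per-line
    regex over the source text would only ever see the two fragments.
    """
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and looks_like_api_key(node.value):
            hits.append((node.lineno, node.value))
    return sorted(hits)


# Constructed sample module: the page's "Bad" split key, a key nested in a
# config dict, a harmless prefix fragment, and the page's "Good" env lookup.
SAMPLE_MODULE = '''
import os
API_KEY = (
    "sk-ant-"
    "FAKEKEY12345"
)
CONFIG = {"provider": {"token": "AKIAFAKEFAKEFAKEFAKE"}}
PREFIX_ONLY = "sk-ant-"
GOOD_KEY = os.environ["PROVIDER_API_KEY"]
'''

if __name__ == "__main__":
    for lineno, literal in find_hardcoded_keys(SAMPLE_MODULE):
        print(f"line {lineno}: hardcoded key-shaped literal {literal!r}")
```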