UNPKG

vibesec

Security scanner for AI-generated code - detects vulnerabilities in vibe-coded projects

rules:
  - id: hardcoded-api-key
    name: Hardcoded API Key Detected
    description: API keys should be stored in environment variables, not hardcoded in source code. Exposed credentials can be used by attackers to access your API.
    severity: critical
    category: secrets
    languages:
      - javascript
      - typescript
      - python
      - go
    enabled: true
    patterns:
      - regex: "(api[_-]?key|apikey)\\s*[=:]\\s*[\"'][a-zA-Z0-9_\\-]{20,}[\"']"
        flags: gi
      - regex: "(sk_live_|sk_test_|fake_stripe_)[a-zA-Z0-9_]{24,}"
        flags: g
      - regex: "fake_google_api_key_[a-zA-Z0-9_]+"
        flags: g
    fix:
      template: Move the API key to an environment variable using process.env or equivalent
    references:
      - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure
      - https://cwe.mitre.org/data/definitions/798.html
    metadata:
      cwe: CWE-798
      owasp: "A3:2017"
      tags:
        - secrets
        - credentials
        - api-keys

  - id: hardcoded-password
    name: Hardcoded Password Detected
    description: Passwords should never be hardcoded in source code. Store them securely in environment variables or secure credential stores.
    severity: critical
    category: secrets
    languages:
      - javascript
      - typescript
      - python
      - go
    enabled: true
    patterns:
      - regex: "(password|passwd|pwd)\\s*[=:]\\s*[\"'][^\"']{8,}[\"']"
        flags: gi
      - regex: "DB_PASSWORD\\s*=\\s*[\"'][^\"']+[\"']"
        flags: gi
    fix:
      template: Store passwords in environment variables (e.g., process.env.DB_PASSWORD) or use a secure credential management system
    references:
      - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure
      - https://cwe.mitre.org/data/definitions/798.html
    metadata:
      cwe: CWE-798
      owasp: "A3:2017"
      tags:
        - secrets
        - credentials
        - passwords

  - id: aws-credentials
    name: AWS Credentials Detected
    description: AWS credentials should never be hardcoded. Use IAM roles or environment variables.
    severity: critical
    category: secrets
    languages:
      - javascript
      - typescript
      - python
      - go
    enabled: true
    patterns:
      - regex: "AKIA[0-9A-Z]{16}"
        flags: g
      - regex: "(aws[_-]?access[_-]?key[_-]?id|aws[_-]?secret[_-]?access[_-]?key)\\s*[=:]\\s*[\"'][A-Za-z0-9/+=]{20,}[\"']"
        flags: gi
    fix:
      template: Use AWS IAM roles or store credentials in ~/.aws/credentials or environment variables
    references:
      - https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html
      - https://cwe.mitre.org/data/definitions/798.html
    metadata:
      cwe: CWE-798
      owasp: "A3:2017"
      tags:
        - secrets
        - aws
        - cloud
        - credentials
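The following is an added example, not code from the vibesec package: it takes the three secrets rules above, compiles their regex strings as JavaScript RegExps (vibesec is an npm package, so a JS regex engine is the assumed interpreter of the `flags` values) and runs them over a few constructed source lines to show which lines each rule flags and which it deliberately ignores (a 7-character password, a key read from `process.env`). The names `scanLine`, `scanSource`, `SAMPLE` and `statefulGlobalRegexMisses` are this example's own, not the package's API. The last function shows why the scanner compiles a fresh RegExp per line: a shared `g`-flagged RegExp carries `lastIndex` across `.test()` calls and can silently miss a real secret on the next line.

```javascript
// Added example (not part of vibesec). Rule patterns copied verbatim from the
// YAML rules file; the YAML double-quoted escapes ("\\s", "\"") are the same
// escapes a JS double-quoted string literal needs, so they are reused as-is.
const rules = [
  {
    id: 'hardcoded-api-key',
    patterns: [
      { regex: "(api[_-]?key|apikey)\\s*[=:]\\s*[\"'][a-zA-Z0-9_\\-]{20,}[\"']", flags: 'gi' },
      { regex: "(sk_live_|sk_test_|fake_stripe_)[a-zA-Z0-9_]{24,}", flags: 'g' },
      { regex: "fake_google_api_key_[a-zA-Z0-9_]+", flags: 'g' },
    ],
  },
  {
    id: 'hardcoded-password',
    patterns: [
      { regex: "(password|passwd|pwd)\\s*[=:]\\s*[\"'][^\"']{8,}[\"']", flags: 'gi' },
      { regex: "DB_PASSWORD\\s*=\\s*[\"'][^\"']+[\"']", flags: 'gi' },
    ],
  },
  {
    id: 'aws-credentials',
    patterns: [
      { regex: "AKIA[0-9A-Z]{16}", flags: 'g' },
      { regex: "(aws[_-]?access[_-]?key[_-]?id|aws[_-]?secret[_-]?access[_-]?key)\\s*[=:]\\s*[\"'][A-Za-z0-9/+=]{20,}[\"']", flags: 'gi' },
    ],
  },
];

// Returns the ids of every rule with at least one pattern matching this line.
// A fresh RegExp is compiled per call so a 'g' pattern's lastIndex cannot
// leak from one line into the next (see statefulGlobalRegexMisses below).
function scanLine(line) {
  const hits = [];
  for (const rule of rules) {
    const matched = rule.patterns.some(p => new RegExp(p.regex, p.flags).test(line));
    if (matched) hits.push(rule.id);
  }
  return hits;
}

// Scans a whole source text; returns [{ line, rule }] with 1-based line numbers.
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    for (const id of scanLine(line)) findings.push({ line: i + 1, rule: id });
  });
  return findings;
}

// Constructed sample input; none of these values are real credentials.
const SAMPLE = [
  'const apiKey = "abcdefghijklmnopqrstuvwxyz1234";',   // line 1: 30-char quoted value -> hardcoded-api-key
  'const stripe = "sk_test_abcdefghijklmnopqrstuvwx";',  // line 2: prefix + 24 chars -> hardcoded-api-key
  'password = "hunter2"',                                // line 3: only 7 chars, below the {8,} floor -> no hit
  'DB_PASSWORD="correct horse battery staple"',          // line 4: hardcoded-password
  'const accessKeyId = "AKIAEXAMPLEKEY000000";',         // line 5: AKIA + 16 [0-9A-Z] -> aws-credentials
  'const apiKey = process.env.API_KEY;',                 // line 6: the recommended fix -> no hit
].join('\n');

// Demonstrates the pitfall the scanner avoids: one shared global RegExp keeps
// lastIndex after a successful test(), so the next test() on a shorter line
// starts past its end and reports false even though it contains a key.
function statefulGlobalRegexMisses() {
  const shared = new RegExp("AKIA[0-9A-Z]{16}", 'g');
  const first = shared.test('key = "AKIAEXAMPLEKEY000000"'); // true; lastIndex is now 27
  const second = shared.test('AKIAEXAMPLEKEY000001');         // false; search began at index 27
  return { first, second };
}

console.log(scanSource(SAMPLE));
console.log(statefulGlobalRegexMisses());
```

Running the block lists four findings (lines 1, 2, 4 and 5) and shows the shared-RegExp call returning `{ first: true, second: false }`. The same per-line compilation (or resetting `lastIndex` to 0 before each `test`) is what a scanner must do whenever a rule file specifies the `g` flag, otherwise coverage depends on the order in which lines happen to be scanned.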