---
name: warn-secrets-in-code
enabled: true
event: file
pattern: (API_KEY|SECRET|TOKEN|PASSWORD)\s*=\s*["'][^"']+["']
action: warn
---

🔐 **Possible hardcoded secret detected**

Hardcoded credentials are a security risk. Use environment variables instead:

```python
import os
api_key = os.environ.get("API_KEY")
```

```javascript
const apiKey = process.env.API_KEY;
```

Make sure to add the real secret to `.env` (and `.env` to `.gitignore`).