Rotate database credentials regularly and never share them

Rotate database credentials regularly and never share them | BeforeMerge Rules | BeforeMerge

Why this matters

A database password shared across services and pasted into config or chat becomes a long-lived, untraceable key. Per-service credentials and scheduled rotation limit exposure and make revocation possible without breaking everything.

# Bad: one shared password committed to .env and Slack
DB_PASSWORD=hunter2  # never rotated
 
# Good: per-service secret from a manager, rotated on schedule
DB_PASSWORD=${secrets.get('app/db/password')}  // rotated, audited

Why This Matters

Related Rules

Catch this automatically on every PR

Why this matters