Store secrets in env or a secret manager, never in code

Store secrets in env or a secret manager, never in code | BeforeMerge Rules | BeforeMerge

Why this matters

Hardcoded secrets end up in version control history, build artifacts, and client bundles where they are trivially discovered. Externalizing them keeps secrets out of the codebase and makes rotation possible.

// Bad: credential in source
const apiKey = "sk_live_abc123";
 
// Good: injected from the environment / secret manager
const apiKey = process.env.API_KEY;

Why This Matters

Related Rules

Catch this automatically on every PR

Why this matters