ast/hardcoded-admin-credentials
Hardcoded admin credentials: equality check against literal placeholder username + password
What it detects
An equality check compares a username-shaped identifier (username / user / login / email / account) to a literal admin-shaped name ('admin' / 'root' / 'administrator' / 'superuser' / 'guest' / 'test'), and/or compares a password-shaped identifier (password / pwd / pass / passwd) to a placeholder literal ('admin' / 'password' / '123456' / 'changeme' / etc.). These patterns ship as demo logins and then never get replaced, so anyone who reads the source (or guesses the placeholder) has a working login. Move the credentials to environment variables, store the password only as a salted hash, and rotate the placeholder values now.
How it runs
Each file scanned is parsed with the TypeScript Compiler API (via ts-morph). This rule walks the resulting AST looking for the equality-check shape described above. Files larger than 200 KB, or that fail to parse, are skipped.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.