ast/hardcoded-encryption-key

Hardcoded encryption key passed to createCipheriv

Severity: critical · Engine: AST · Category: hardcoded-creds · CWE-798 · Languages: js · ts

What it detects

crypto.createCipheriv or crypto.createDecipheriv was called with a string-literal key. Anyone who can read the repository, including its history, can decrypt every value ever encrypted under that key. Read the key from process.env (populated from your secret manager) instead, and rotate every value already encrypted under the committed key: changing the source file alone does not end the incident, because the leaked key remains valid against all existing ciphertext. For new code, generate the key once at deploy time with crypto.randomBytes(32) (32 bytes for AES-256), store the hex in your secret manager, and decode it with Buffer.from(hex, 'hex') before passing it to createCipheriv; the 64-character hex string itself would be a 64-byte key, which createCipheriv rejects as an invalid key length.

How it runs

Each file scanned is parsed with the TypeScript Compiler API (via ts-morph). This rule walks the AST for the call shape described above: a call to createCipheriv or createDecipheriv whose key argument is a string literal. Files larger than 200 KB, or that fail to parse, are skipped.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.