← all rules
code/js-env-fallback-secret
process.env fallback to a hardcoded secret-shaped string
What it detects
`process.env.FOO || "sk-..."` makes the fallback string a hardcoded credential committed to the repo. AI assistants frequently emit this pattern so the snippet 'works' without an env var — and it then ships to prod.
How it runs
Applied line-by-line via a tagged regex with language-specific gating. Comments are skipped. Designed for high-confidence patterns where AST parsing would be overkill.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.