code/js-next-public-secret-name

NEXT_PUBLIC_ env var with a secret-like name

highCode regexhardcoded-credsCWE-200 ↗js

What it detects

Any env var prefixed NEXT_PUBLIC_ is inlined into the client bundle at build time and visible to every visitor. Naming one *SECRET*, *KEY*, *TOKEN*, *PASSWORD* (other than well-known public keys like Stripe pk_*) almost certainly leaks a credential. AI assistants confuse client-side and server-side env in Next.js routinely.

How it runs

Applied line-by-line via a tagged regex with language-specific gating. Comments are skipped. Designed for high-confidence patterns where AST parsing would be overkill.

Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.