Security Fundamentals | 8 min read | January 22, 2026
Tags: Secrets, API Keys, GitHub, Environment Variables

Hardcoded API Keys: The #1 Security Mistake in Vibe Coding

AI tools frequently embed credentials in code. Learn how to find exposed secrets and prevent API key leaks before they reach GitHub.

Security Guide

The Secret Epidemic in AI-Generated Code

Every day, thousands of API keys, database passwords, and authentication tokens are accidentally pushed to GitHub. AI coding tools make this problem dramatically worse.

The Numbers Are Staggering

GitHub's 2025 Secret Scanning Report:

  • 12.8 million secrets detected in public repositories
  • 40% increase from 2024
  • AI-assisted repositories 3x more likely to contain exposed secrets

Why AI Tools Expose Secrets

1. Training Data Contains Real Secrets

AI models learn from code that includes:

  • Tutorial projects with placeholder credentials
  • Accidentally committed .env files
  • Code samples with real API keys

2. AI Generates "Realistic" Placeholders

javascript
// AI tries to be helpful with realistic-looking keys
const STRIPE_KEY = 'sk_live_51ABC123...'
const OPENAI_KEY = 'sk-proj-abc123...'

These look real because AI learned from real keys.

3. Vibe Coders Move Fast

The vibe coding workflow emphasizes speed:

  1. Prompt AI for feature
  2. Copy generated code
  3. Test it works
  4. Commit and push

Step 4 often happens before removing hardcoded values.

What Secrets Look Like

Stripe Keys

sk_live_51[A-Za-z0-9]{24,}
sk_test_51[A-Za-z0-9]{24,}

OpenAI Keys

sk-[A-Za-z0-9]{48}
sk-proj-[A-Za-z0-9]{48}

AWS Credentials

AKIA[0-9A-Z]{16}

GitHub Tokens

ghp_[A-Za-z0-9]{36}
github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}

Database Connection Strings

postgres://user:password@host:5432/db
mongodb+srv://user:password@cluster.mongodb.net

Real Consequences

Case 1: Indie hacker's Stripe test key was in code. Bot found it, made $3,400 in fraudulent charges to his account.

Case 2: Startup's AWS keys exposed. Crypto miners spun up $47,000 in EC2 instances overnight.

Case 3: Database credentials in GitHub. Entire user table exfiltrated, company faced GDPR fines.

How to Find Secrets in Your Code

Manual Search

bash
# Search for common patterns (alternatives are joined with \| in basic grep syntax)
grep -rn "sk_live\|sk_test\|AKIA\|ghp_\|password.*=" --include="*.ts" --include="*.js" src/

Git History Search

Secrets might be in old commits even if removed from current code:

bash
# Pipe the full patch history through grep, case-insensitively
git log -p | grep -i "api_key\|secret\|password"

Automated Scanning

Tools like ShipReady scan for 100+ secret patterns automatically.
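As an added example (not ShipReady's code and not part of the original article), here is a small scanner that turns the patterns listed under "What Secrets Look Like" into the kind of check a pre-commit hook or CI step would run; the sample input is constructed and every key in it is fake.

```javascript
// Added example: scanner built from the secret patterns described in the article.
// Constructed sample input; the "keys" are fake and only match the regex shapes.
const SECRET_PATTERNS = [
  { name: 'Stripe live key', re: /sk_live_51[A-Za-z0-9]{24,}/ },
  { name: 'Stripe test key', re: /sk_test_51[A-Za-z0-9]{24,}/ },
  { name: 'OpenAI key', re: /sk-(?:proj-)?[A-Za-z0-9]{48}/ },
  { name: 'AWS access key id', re: /AKIA[0-9A-Z]{16}/ },
  { name: 'GitHub token (classic)', re: /ghp_[A-Za-z0-9]{36}/ },
  { name: 'GitHub fine-grained PAT', re: /github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}/ },
  // user:password@ inside a postgres / mongodb connection string
  { name: 'Database URL with password', re: /(?:postgres(?:ql)?|mongodb(?:\+srv)?):\/\/[^:\s/]+:[^@\s]+@/ },
];

// Never echo the full secret into logs or CI output; keep only a short prefix.
function redact(secret) {
  return secret.slice(0, 8) + '...';
}

// Scan one file's text and return every matching line with a redacted preview.
function findSecrets(text, filename = '<input>') {
  const findings = [];
  text.split('\n').forEach((line, index) => {
    for (const { name, re } of SECRET_PATTERNS) {
      const match = re.exec(line);
      if (match) {
        findings.push({ file: filename, line: index + 1, type: name, preview: redact(match[0]) });
      }
    }
  });
  return findings;
}

// Constructed sample file: two hardcoded secrets, one correct env-var read, one AWS key id.
const SAMPLE_SOURCE = [
  "const STRIPE_KEY = 'sk_live_51FAKEFAKEFAKEFAKEFAKEFAKE'",
  "const dbUrl = 'postgres://app:hunter2@db.example.com:5432/app'",
  "const stripeKey = process.env.STRIPE_SECRET_KEY",
  "const awsKeyId = 'AKIAFAKEFAKEFAKEFAKE'",
].join('\n');

// Hook-style entry point: non-zero exit code means "block the commit".
function scanAndReport(text, filename) {
  const findings = findSecrets(text, filename);
  for (const f of findings) {
    console.log(`${f.file}:${f.line} ${f.type} (${f.preview})`);
  }
  return findings.length === 0 ? 0 : 1;
}

scanAndReport(SAMPLE_SOURCE, 'src/pay.js'); // returns 1: three findings on lines 1, 2 and 4
```

To use it as a real pre-commit hook, feed it the contents of each file listed by `git diff --cached --name-only` and exit with the returned code.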

The Fix: Environment Variables

Step 1: Create .env File

bash
# .env (never commit this)
STRIPE_SECRET_KEY=sk_live_actual_key_here
DATABASE_URL=postgres://user:pass@host:5432/db
OPENAI_API_KEY=sk-actual_key_here

Step 2: Add to .gitignore

bash
# .gitignore
.env
.env.local
.env.*.local

Step 3: Access in Code

javascript
const stripeKey = process.env.STRIPE_SECRET_KEY
const dbUrl = process.env.DATABASE_URL

Step 4: Use Platform Secrets

  • Vercel: Settings → Environment Variables
  • Railway: Variables tab
  • Render: Environment section
  • GitHub Actions: Settings → Secrets

What If You Already Exposed a Secret?

Immediate Actions

  1. Revoke the credential immediately
     - Don't just remove it from code; the secret is still in git history
     - Generate a new key/password

  2. Check for unauthorized usage
     - Review API logs
     - Check billing statements
     - Monitor for unusual activity

  3. Clean git history (optional)

bash
# Rewrites every commit that touched the file; collaborators must re-clone afterwards
git filter-branch --force --index-filter \
  "git rm --cached --ignore-unmatch path/to/file" \
  --prune-empty --tag-name-filter cat -- --all

Prevention Going Forward

  1. Pre-commit hooks - Block commits containing secret patterns
  2. CI/CD scanning - Fail builds with exposed secrets
  3. Automated alerts - Get notified of new exposures

Environment Variable Checklist

Before every commit:

[ ] No API keys in source files
[ ] No passwords in source files
[ ] No connection strings with credentials
[ ] .env is in .gitignore
[ ] Secrets set in deployment platform
[ ] Old secrets rotated

The Bottom Line

Hardcoded secrets are the easiest vulnerability to exploit and the easiest to prevent. AI tools make them more common, but environment variables make them avoidable.

Never commit secrets. Use environment variables. Scan before you push.

Ready to secure your AI-generated code?

Stop reading about vulnerabilities. Start fixing them.
