Comment by AMARCOVECCHIO99

4 days ago

This matches what I've seen. The .env file is one vector, but the more common pattern with AI coding tools is secrets ending up directly in source code that never touch .env at all.

The ones that come up most often:

  - Hardcoded keys: const STRIPE_KEY = "sk_live_..."
  - Fallback patterns: process.env.SECRET || "sk_live_abc123" (the AI helpfully provides a default)
  - NEXT_PUBLIC_ prefix on server-only secrets, exposing them to the client bundle
  - Secrets inside console.log or error responses that end up in production logs

These pass type-checks and look correct in review. I built a static analysis tool that catches them automatically: https://github.com/prodlint/prodlint

It checks for these patterns plus related issues like missing auth on API routes, unvalidated server actions, and hallucinated imports. No LLM, just AST parsing + pattern matching, runs in under 100ms.

2 comments

AMARCOVECCHIO99

Reply
ctmnt  4 days ago

Just use gitleaks or trufflehog?

  • AMARCOVECCHIO99  4 days ago

    gitleaks and trufflehog are great for scanning git history for leaked secrets but that's one of 52 rules. prodlint catches the structural patterns AI coding tools specifically create: hallucinated npm packages that don't exist, server actions with no auth or validation, NEXT_PUBLIC_ on server-only env vars, missing rate limiting, empty catch blocks, and more. It's closer to a vibe-coding-aware ESLint than a secrets scanner.