Committed AI-Generated Secrets

AI coding tools are good at producing complete integration snippets. That is also the failure mode: a route handler, config file, or example implementation lands with a real OpenAI, Anthropic, Stripe, AWS, GitHub, SendGrid, Mailgun, Google, Slack, Twilio, private-key, or Supabase service-role credential committed into source.

The repo check runs against the authorized GitHub tarball already loaded for code scans. It applies FixVibe's versioned secret pattern manifest, decodes Supabase JWTs to ignore public anon tokens and escalate service-role tokens, and adds a conservative high-entropy assignment rule for variables named like API keys, secrets, tokens, passwords, credentials, or private keys.

A committed secret remains exposed even if it never reaches the deployed JavaScript bundle. Anyone with repo access, CI log access, fork history, or a cached public clone may be able to reuse the credential. The highest-risk findings are live provider secrets, private keys, GitHub tokens, payment keys, and Supabase service-role credentials that bypass normal application authorization.

Rotate or revoke the credential at the provider, remove it from current source, decide whether shared git history needs purging, and move runtime access to server-only environment variables or a managed secret store. Add Gitleaks, TruffleHog, GitHub secret scanning, or equivalent CI enforcement so future AI-generated snippets fail before merge.