# Embedded Secrets

Rule ID: content-embedded-secrets

Detect potential API keys, tokens, and passwords in instruction files.
| Property | Value |
|---|---|
| Severity | error (auto) |
| Autofix | llm |
| Since | v0.7.0 |
## Research Basis
Detects potential API keys, tokens, and passwords in instruction files.
CLAUDE.md files are loaded into context every session. A hard-coded API key in an instruction file is therefore exposed to every conversation, every collaborator who clones the repository, and potentially every model provider's logging infrastructure. This is CWE-798 (Use of Hard-coded Credentials), which maps to OWASP Top Ten 2021 A07 (Identification and Authentication Failures).
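To make the detection concrete, here is an added illustrative scanner. It is not the linter's own implementation and the rule's real logic is not on this page; the regexes, the placeholder allow-list, the entropy threshold and the sample CLAUDE.md below are all constructed for this example, and none of the values is a real credential. It shows the three things a practitioner cares about: credential-like `key = value` assignments are flagged, well-known key shapes are caught even when pasted into prose, and indirections such as `${API_TOKEN}` or `<your-key-here>` are not reported, so the rule does not punish the correct pattern of referencing the environment instead of the value.

```python
import math
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample instruction file for this example. Every value below is
# made up; none is a real key.
SAMPLE_CLAUDE_MD = """\
# Project notes
Run the deploy script before opening a PR.
OPENAI_API_KEY=sk-proj-c0nstructedEXAMPLEvalue1234567890abcdef
aws_access_key_id = AKIAEXAMPLEKEY000001
password: hunter2
API_TOKEN=${API_TOKEN}
api_key = "<your-key-here>"
The staging key is sk-staging-c0nstructedEXAMPLE0123456789
"""

# "key = value" or "key: value" where the key name looks credential-like.
ASSIGNMENT = re.compile(
    r"(?i)([A-Za-z0-9_.-]*(?:api[_-]?key|secret|token|password|passwd|"
    r"access[_-]?key(?:[_-]?id)?)[A-Za-z0-9_]*)\s*[:=]\s*['\"]?([^\s'\"]+)"
)

# Hypothetical shape patterns for two common credential formats (an
# illustration, not the page's rule set): AWS access key ids and "sk-" keys.
KNOWN_SHAPES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("openai-style-key", re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b")),
]

# Values that are indirections or placeholders rather than secrets:
# ${VAR} / $VAR, <fill-me-in>, masked ****, xxxx, and common placeholder words.
PLACEHOLDER = re.compile(
    r"^(\$\{?\w+\}?$|<[^>]+>$|\*{3,}$|x{4,}$|your[_-]|changeme$|example$)", re.I
)


@dataclass
class Finding:
    line: int
    kind: str
    key: str          # variable/key name, or "" for a bare token found in prose
    redacted: str     # safe-to-log form of the value; never the value itself
    confidence: str   # "high" or "medium"


def shannon_entropy(s: str) -> float:
    """Bits per character: random key material scores high, plain words low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix so a reader can locate the value; hide the rest."""
    return f"{value[:4]}...({len(value)} chars)"


def known_shape(value: str) -> Optional[str]:
    for name, pattern in KNOWN_SHAPES:
        if pattern.search(value):
            return name
    return None


def scan(text: str) -> List[Finding]:
    """Return one Finding per line that appears to embed a credential."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ASSIGNMENT.search(line)
        if m:
            key, value = m.group(1), m.group(2)
            if PLACEHOLDER.search(value):
                continue  # ${VAR}, <placeholder>, ****: the value is not a secret
            shape = known_shape(value)
            high = shape is not None or shannon_entropy(value) >= 3.5
            findings.append(Finding(lineno, shape or "credential-assignment", key,
                                    redact(value), "high" if high else "medium"))
            continue
        # No assignment syntax on the line: still catch a bare token in prose.
        for name, pattern in KNOWN_SHAPES:
            for bare in pattern.finditer(line):
                findings.append(Finding(lineno, name, "", redact(bare.group(0)), "high"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_CLAUDE_MD):
        print(f"line {f.line}: {f.kind} ({f.confidence}) {f.key or '<bare>'} = {f.redacted}")
```

Two design choices matter for a rule that runs on every instruction file. Findings carry only a redacted form of the value, because a linter report that echoes the secret recreates the exposure it is warning about. And the placeholder check runs before the entropy check, so the fix this rule wants (replace the literal with an environment reference) silences the finding instead of producing a new one.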
References:
- CWE-798: Use of Hard-coded Credentials — Authoritative weakness enumeration
- OWASP Secrets Management Cheat Sheet
- Claude Code Security — Instruction files are loaded into context every session