Error
Found an API key or service credential in the code.
Why this matters
API keys grant access to paid services. Once committed, keys stay in git history where attackers can find them. Leaked keys lead to unauthorized access, financial charges, or service abuse.
Detected patterns
Triggers on:
- AWS Access Key IDs (AKIA...)
- AWS Secret Access Keys
- Google API Keys (AIza...)
- GCP Service Account JSON
- Stripe API Keys (sk_live_..., pk_live_...)
- SendGrid API Keys (SG....)
- Twilio API Keys (SK...)
- Mailgun API Keys (key-...)
- Heroku API Keys
- Azure Storage Account Keys
- Generic secret/api_key assignments
How to fix
Remove the key from code immediately.
Use environment variables:
apiKey := os.Getenv("SERVICE_API_KEY")
Use a secret management service:
- AWS Secrets Manager
- HashiCorp Vault
- GCP Secret Manager
- Azure Key Vault
- 1Password Secrets Automation
Rotate the key. If it was ever committed, treat it as compromised.
Configuration
Allow list for test keys or false positives:
[validators.secrets]
allow_list = [
"AKIAIOSFODNN7EXAMPLE", # AWS example key from docs
"test_.*", # Regex for test keys
]
Disable a pattern:
[validators.secrets]
disabled_patterns = ["generic-secret"] # High false positive pattern
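How allow_list and disabled_patterns interact with detection, as an added Go example that is not klaudiush's own code. The rule name aws-access-key-id, both regexes, and the treatment of allow-list entries as fully anchored regexes are assumptions; the sample source is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Hypothetical rule names and regexes (only "generic-secret" is named on this
// page); commonly published key shapes, not klaudiush's own rules.
var rules = []struct {
	name string
	re   *regexp.Regexp
}{
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"generic-secret", regexp.MustCompile(`(?i)(?:secret|api_key)\s*:?=\s*"([^"]{8,})"`)},
}

type Finding struct{ Rule, Value string }

// matches treats entries as anchored regexes (assumption); empty list: no match.
func matches(entries []string, v string) bool {
	return regexp.MustCompile(`^(?:` + strings.Join(entries, "|") + `)$`).MatchString(v)
}

// Scan reports values in src, skipping disabled rules and allow-listed values.
func Scan(src string, allow, disabled []string) []Finding {
	var out []Finding
	for _, r := range rules {
		if matches(disabled, r.name) {
			continue
		}
		for _, m := range r.re.FindAllStringSubmatch(src, -1) {
			// Last element: the capture group if the rule has one, else the whole match.
			if v := m[len(m)-1]; !matches(allow, v) {
				out = append(out, Finding{r.name, v})
			}
		}
	}
	return out
}

// Constructed sample source; none of these values is a real credential.
const sample = `awsID := "AKIAIOSFODNN7EXAMPLE"
prodID := "AKIAABCDEFGHIJKLMNOP"
api_key := "test_fixture_value"
secret = "hunter2hunter2"`

func main() {
	fmt.Println(Scan(sample, []string{"AKIAIOSFODNN7EXAMPLE", "test_.*"}, nil))
}
```

Because entries are anchored here, `test_.*` suppresses only values that begin with `test_`; an unanchored match would also suppress any secret that merely contains that substring.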
Hook output
When this error is triggered, klaudiush writes JSON to stdout:
permissionDecisionReason (shown to Claude):
[SEC001] Potential secrets detected: API key found in code. Remove API key and use environment variables or secret management.
systemMessage (shown to user): Formatted error with fix hint and reference URL.
additionalContext (behavioral guidance):
Automated klaudiush validation check. Fix the reported errors and retry the same command.