
SEC002 (category SEC, severity Error): Hardcoded password detected

A hardcoded password was found in the code.

Why this matters

Anyone with repository access can see passwords stored in code. Git history preserves them even after you delete them. Hardcoded passwords also tend to get reused across systems, so one leak can compromise several services.

Detected patterns

Patterns that trigger this error:

password = "secret123"
passwd: 'mypassword'
pwd='admin123'

How to fix

  1. Never hardcode passwords.

  2. Read them from environment variables:

     dbPassword := os.Getenv("DB_PASSWORD")

  3. Store them in configuration files excluded from git:

     # .env (in .gitignore)
     DB_PASSWORD=secure_password_here

  4. Inject secrets at runtime through Kubernetes Secrets, Docker secrets, or CI/CD secret variables.

Configuration

Allow test passwords:

[validators.secrets]
allow_list = [
    "password.*test",
    "password.*example",
]

Disable the password pattern entirely:

[validators.secrets]
disabled_patterns = ["generic-password"]

Related errors

  • SEC001 -- API key detected
  • SEC005 -- Connection string detected
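The detection rule and the two configuration keys described above, as an added Go example that is not klaudiush's own code: one assumed regex stands in for the three documented forms, allow_list entries are applied as regexes to each matching line, and "generic-password" in disabled_patterns switches the check off entirely. The Finding type, the regex and the function names are assumptions, not the tool's internals.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// passwordRe is an assumed regex covering the three documented forms:
// password = "secret123", passwd: 'mypassword', pwd='admin123'.
// The \b keeps identifiers such as dbPassword or DB_PASSWORD from matching.
var passwordRe = regexp.MustCompile(`(?i)\b(password|passwd|pwd)\s*[:=]\s*["'][^"']+["']`)

// Finding is one reported line (a constructed type, not klaudiush's own).
type Finding struct {
	Line int
	Text string
}

// ScanPasswords returns the lines of src that would trigger SEC002 under the
// documented [validators.secrets] keys: allowList holds the allow_list regexes,
// disabled holds disabled_patterns ("generic-password" turns SEC002 off).
func ScanPasswords(src string, allowList, disabled []string) []Finding {
	for _, p := range disabled {
		if p == "generic-password" {
			return nil // pattern disabled entirely: nothing is reported
		}
	}
	var allow []*regexp.Regexp
	for _, a := range allowList {
		allow = append(allow, regexp.MustCompile(a))
	}
	var found []Finding
	for i, line := range strings.Split(src, "\n") {
		if !passwordRe.MatchString(line) {
			continue
		}
		allowed := false // an allow_list hit suppresses the finding
		for _, a := range allow {
			allowed = allowed || a.MatchString(line)
		}
		if !allowed {
			found = append(found, Finding{i + 1, strings.TrimSpace(line)})
		}
	}
	return found
}

func main() {
	src := "password = \"secret123\"\npassword = \"test-fixture\"" // constructed sample
	fmt.Println(ScanPasswords(src, []string{"password.*test"}, nil))
}
```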

Hook output

When this error is triggered, klaudiush writes JSON to stdout:

permissionDecisionReason (shown to Claude): [SEC002] Potential secrets detected: hardcoded password found in code. Remove hardcoded password and use secret management.

systemMessage (shown to user): Formatted error with fix hint and reference URL.

additionalContext (behavioral guidance): Automated klaudiush validation check. Fix the reported errors and retry the same command.

© 2026 Smykla Skalski Labs