NC-SECRET-001

No secrets in env/config files

🔴 Critical 🔌 Plugin Expanded 📊 Contributes to expanded score

What this checks

Regex-scans ~/.env, .envrc, and common config files in the home directory for API key and secret patterns, including OpenAI keys (sk-...), Anthropic keys (sk-ant-...), GitHub tokens, AWS credentials, Slack tokens, and generic high-entropy secrets. Files are read locally and results are never transmitted.

Why it matters

Hardcoded credentials in config files are the most common cause of API key compromise. Keys committed to git, synced via iCloud, or sitting in world-readable files are routinely harvested by automated scanners. A single exposed key can result in significant unexpected cloud charges, data exfiltration, or account takeover.

How to fix it

Move secrets to a dedicated manager or environment injection

Option A: System keychain (macOS):

# Store:
security add-generic-password -a "$USER" -s "OPENAI_API_KEY" -w "sk-..."

# Retrieve at runtime (add to ~/.zshrc):
export OPENAI_API_KEY=$(security find-generic-password -a "$USER" -s "OPENAI_API_KEY" -w)

Option B: Use a secrets manager:

1Password CLI, Bitwarden CLI, HashiCorp Vault, or AWS Secrets Manager for team setups.

Option C: Restrict file permissions if you must use .env:

chmod 600 ~/.env   # Only your user can read it

If a key has been exposed, rotate it immediately:

Don't just remove it from the file. Treat any key that appeared in a config file as compromised. Rotate it in the provider's dashboard before removing it from the file.

Technical details

Field | Value
--- | ---
Control ID | NC-SECRET-001
Domain | SECRETS
Severity | Critical
Status | Expanded (Plugin only)
Data source | Filesystem scan of ~/.env, .envrc, config files (read-only)
Mode | Mode 2 (System-level; requires plugin expanded mode)
Introduced in | Library v0.2.0
OWASP LLM 2025 | LLM02: Sensitive Information Disclosure

False positive notes

Template or placeholder values (e.g. sk-your-key-here) will not match. Known false-positive patterns are excluded from the regex set. If a legitimate secret-looking value is flagged and is not actually a secret, exclude this control with a reason.
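To make the check described under "What this checks" and the placeholder handling above concrete, here is an added example scanner, written for this page and not the plugin's own code. It regex-matches dotenv-style assignments for vendor key shapes and a generic high-entropy fallback, skips template values such as sk-your-key-here, and reports only the variable name and line, never the matched secret. It also checks the file mode that Option C fixes. The `sk-` and `sk-ant-` prefixes come from the control description; the other regexes, the placeholder marker list, the 32-character length and the 4.0-bit entropy threshold are assumptions chosen for the example, and the sample .env content is constructed.

```python
"""Example scanner for secret-like values in dotenv-style files (added illustration,
not ClawVitals code). Regexes, lengths, placeholder markers and the entropy
threshold are assumptions; the sample input is constructed."""
import math
import os
import re
import stat
import tempfile
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Assumed approximations of the vendor key formats the control names.
PATTERNS = {
    "anthropic_key": re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}"),
    "openai_key": re.compile(r"\bsk-(?!ant-)[A-Za-z0-9_-]{20,}"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}"),
}
# A value containing one of these is treated as a template, not a secret (assumed list).
PLACEHOLDER_MARKERS = ("your", "example", "placeholder", "changeme", "xxx", "<", ">")
# KEY=value or export KEY="value"; the value stops at whitespace, a quote or a comment.
ASSIGNMENT = re.compile(r"""^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*["']?([^"'\s#]+)""")
MIN_GENERIC_LEN = 32       # assumed: shorter values are not judged by entropy alone
MIN_GENERIC_ENTROPY = 4.0  # assumed: bits per character


@dataclass(frozen=True)
class Finding:
    line: int
    variable: str
    kind: str


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of the string."""
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in Counter(value).values())


def is_placeholder(value: str) -> bool:
    lowered = value.lower()
    return any(marker in lowered for marker in PLACEHOLDER_MARKERS)


def classify(value: str) -> Optional[str]:
    """Return the secret kind for a value, or None if it looks harmless."""
    if is_placeholder(value):
        return None
    for kind, pattern in PATTERNS.items():
        if pattern.search(value):
            return kind
    if len(value) >= MIN_GENERIC_LEN and shannon_entropy(value) >= MIN_GENERIC_ENTROPY:
        return "generic_high_entropy"
    return None


def scan_text(text: str) -> List[Finding]:
    """Scan dotenv-style content; the matched value is never stored in the finding."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = ASSIGNMENT.match(line)
        if match:
            variable, value = match.groups()
            kind = classify(value)
            if kind:
                findings.append(Finding(number, variable, kind))
    return findings


def is_world_readable(path: str) -> bool:
    """True if group or others can read the file; Option C wants mode 0600."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


# Constructed sample .env; none of these values are real credentials.
SAMPLE_ENV = "\n".join([
    "# constructed sample .env",
    "OPENAI_API_KEY=sk-your-key-here",  # template value, must be skipped
    'ANTHROPIC_API_KEY="sk-ant-api03-CONSTRUCTEDSAMPLE0000000000"',
    "OPENAI_API_KEY_PROD=sk-CONSTRUCTEDsample0123456",
    "export GITHUB_TOKEN=ghp_" + "A1b2C3" * 6,
    "AWS_ACCESS_KEY_ID=AKIACONSTRUCTED00000",
    "SLACK_TOKEN=xoxb-000000000000-CONSTRUCTED",
    "GENERIC_SECRET=Zq9pL2vX7kN4mR8wT1yB6cF3hJ5sD0gA",
    "DATABASE_URL=postgres://localhost/dev",
    "DEBUG=true",
])


def permission_demo() -> tuple:
    """Write the sample at mode 0644, then apply the chmod 600 fix; return both checks."""
    with tempfile.NamedTemporaryFile("w", suffix=".env", delete=False) as handle:
        handle.write(SAMPLE_ENV)
        path = handle.name
    try:
        os.chmod(path, 0o644)
        before = is_world_readable(path)
        os.chmod(path, 0o600)
        after = is_world_readable(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_ENV):
        print(f"line {finding.line}: {finding.variable} looks like a {finding.kind}")
    print("world-readable before/after chmod 600:", permission_demo())
```

Run as a script, it lists six findings from the sample (the placeholder OpenAI line, the database URL and DEBUG are not flagged) and shows the world-readable bit flipping off once the file is set to 0600. Keeping the secret value out of the Finding record matters because scanner output tends to end up in logs and tickets, which would recreate the exposure the control is meant to catch.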

Suppress this finding

clawvitals exclude NC-SECRET-001 reason "value is a placeholder, not a real key"