LintMyAI

no-placeholder-credentials

FreeSecurity

Disallow placeholder credential strings commonly left by AI assistants

no-placeholder-credentials

Disallow placeholder credential strings commonly left by AI assistants

Category: Security | Tier: Free

Why This Matters

AI inserts placeholder strings like "your-api-key-here" or "changeme" as configuration values. These placeholders often ship to production unchanged because they do not cause build errors, leaving your system open to unauthorized access.

Bad Code

// Placeholder credentials left in by AI
const config = {
  password: 'changeme',
  apiKey: 'your-api-key-here',
  secret: 'TODO: replace with real secret',
};

Good Code

// Require real credentials from environment
const config = {
  password: process.env.DB_PASSWORD,
  apiKey: process.env.API_KEY,
  secret: process.env.APP_SECRET,
};

Configuration

This rule has no configuration options. It is enabled by default in lintmyai:recommended.