MB-R097
API keys, tokens, private keys, passwords, and payment credentials must not be hardcoded in PHP, XML, JavaScript, templates, or sample configuration files. Hardcoded secrets are difficult to rotate and often leak through repositories, artifacts, or error output. Use `env.php`, environment variables, or a secret manager with least-privilege access and rotation support.
Hardcoded secrets in PHP, XML, JavaScript, templates, or sample files are easy to leak through Git, build artifacts, screenshots, or error output. They are also difficult to rotate because the value is mixed into application code.
Secrets should be provided through environment configuration or a secret manager so access is limited, rotation is practical, and code can be shared safely.
grep -RIE "(sk_live_|api_key|secret|password|private_key|token)" app/code app/design config 2>/dev/null
# Use a secret scanner when available
git secrets --scan
trufflehog filesystem .
private $apiKey = "sk_live_real_secret";
# Secret hardcoded in module → FAIL
$apiKey = $this->scopeConfig->getValue("payment/provider/api_key");
# Secret sourced from protected config/secret storage → PASS