
Secret Exposure

Any case where a sensitive credential (API key, database password, private key) is visible somewhere it should not be, such as a client-side JavaScript bundle, git history, or server logs.

Also known as: credential leak, exposed secret

What is secret exposure?

A secret is a credential that grants access to something valuable: a database, a payment provider, a cloud account. Exposure is any case where that secret becomes readable by someone who should not have it, whether or not anyone has used it yet.

Where AI-built apps leak secrets

  1. Client bundles: in Next.js, environment variables prefixed with NEXT_PUBLIC_ are inlined into the browser bundle at build time, so any visitor can read them with view-source. Other frameworks have the same rule under a different prefix (VITE_ in Vite, REACT_APP_ in Create React App). Never put a real secret behind a public prefix; only values meant to be public (a publishable key, an analytics ID) belong there.
  2. Committed .env files: .env, .env.local, .env.production accidentally committed. Deleting the file in a later commit does not help; the values remain in git history and in every clone and fork.
  3. Hardcoded fallbacks: const KEY = process.env.STRIPE_KEY || 'sk_live_real_key'. The fallback ends up in the repo, and the app silently runs on the hardcoded live key whenever the environment variable is missing.
  4. Logs: logging the full request body of a signup or webhook handler dumps passwords, session tokens and provider secrets into your log stream, where anyone with log access can read them.
  5. Error messages: throwing an error whose message interpolates a secret ("invalid key sk_live_...") ships that secret to whatever error tracker you use, and often to the client as well.
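
The following is an added example, not FinishKit's scanner or code from any project named on this page. It implements a small checker for the five leak paths above: it walks a constructed in-memory repository looking for committed dotenv files, NEXT_PUBLIC_ variables holding secret-looking values, and hardcoded process.env fallbacks, and it provides a redactor that scrubs sensitive keys and secret-looking substrings from a payload before it is logged or put in an error. The secret patterns, file contents and webhook payload are all constructed for the example; the key value is a fake placeholder.

```javascript
// Added example (not FinishKit's own rules): a minimal secret-exposure checker
// plus a log redactor. Patterns are illustrative; real scanners (gitleaks,
// trufflehog) ship far more rules.

// Values that look like live credentials. Extend for your providers.
const SECRET_VALUE =
  /(sk_live_[A-Za-z0-9]{8,}|AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{20,}|-----BEGIN [A-Z ]*PRIVATE KEY-----)/;
const SECRET_VALUE_G = new RegExp(SECRET_VALUE.source, 'g');

// 1. NEXT_PUBLIC_* assigned a value, in dotenv syntax or in an object literal.
const PUBLIC_PREFIX = /NEXT_PUBLIC_\w+\s*[=:]\s*["']?([^"'\s,}]+)/;
// 3. process.env.X || 'literal'  or  process.env.X ?? 'literal'
const ENV_FALLBACK = /process\.env\.\w+\s*(?:\|\||\?\?)\s*["']([^"']+)["']/;
// 2. dotenv files that must never be committed (.env.example is a template).
const ENV_FILE = /^\.env(\..+)?$/;

// files: { path: contents }. Returns one finding per exposure, in file order.
function findExposures(files) {
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    const base = path.split('/').pop();
    if (ENV_FILE.test(base) && !base.endsWith('.example')) {
      findings.push({ path, line: 0, kind: 'committed-env-file' });
    }
    content.split('\n').forEach((text, i) => {
      const line = i + 1;
      const pub = text.match(PUBLIC_PREFIX);
      const fb = text.match(ENV_FALLBACK);
      if (pub && SECRET_VALUE.test(pub[1])) {
        findings.push({ path, line, kind: 'public-prefix-secret' });
      } else if (fb && SECRET_VALUE.test(fb[1])) {
        findings.push({ path, line, kind: 'hardcoded-fallback' });
      } else if (SECRET_VALUE.test(text)) {
        findings.push({ path, line, kind: 'literal-secret' });
      }
    });
  }
  return findings;
}

// 4/5. Keys whose values must never reach logs or error trackers.
const SENSITIVE_KEY =
  /^(password|passwd|token|secret|api[_-]?key|authorization|cookie|private[_-]?key|client[_-]?secret)$/i;

// Deep-copies a value with sensitive keys masked and secret-looking substrings
// scrubbed from free text, so a request body can be logged without leaking.
function redact(value) {
  if (typeof value === 'string') return value.replace(SECRET_VALUE_G, '[REDACTED]');
  if (Array.isArray(value)) return value.map(redact);
  if (value && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, SENSITIVE_KEY.test(k) ? '[REDACTED]' : redact(v)])
    );
  }
  return value;
}

// Structured log line: redact first, serialise second.
function logLine(event, payload) {
  return JSON.stringify({ event, payload: redact(payload) });
}

// Constructed sample repository and webhook; FAKE_KEY is a placeholder, not a real key.
const FAKE_KEY = 'sk_live_FAKE0000000000000000';
const SAMPLE_FILES = {
  '.env.local': `STRIPE_KEY=${FAKE_KEY}\n`,
  '.env.example': 'STRIPE_KEY=\n',
  'next.config.js': `module.exports = { env: { NEXT_PUBLIC_STRIPE_KEY: '${FAKE_KEY}' } };\n`,
  'lib/stripe.js':
    `const KEY = process.env.STRIPE_KEY || '${FAKE_KEY}';\n` +
    "const PK = process.env.NEXT_PUBLIC_STRIPE_PK || 'pk_test_placeholder';\n",
};
const SAMPLE_WEBHOOK = {
  id: 'evt_123',
  authorization: 'Bearer ' + FAKE_KEY,
  data: { note: `retry with ${FAKE_KEY}`, amount: 1999 },
};

console.log(findExposures(SAMPLE_FILES));
console.log(logLine('stripe.webhook', SAMPLE_WEBHOOK));
```

The publishable-key fallback in lib/stripe.js is deliberately not flagged: a public prefix is only a finding when the value behind it looks like a secret, which is the distinction a scanner needs to avoid drowning real findings in noise.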

What to do if a secret leaks

  1. Rotate the secret immediately: issue a new credential and revoke the old one. Rewriting git history is not a substitute, because clones, forks, CI caches and third-party scanners may already hold the commit; treat the old value as compromised.
  2. Audit access: check for unusual API calls, invoices, login attempts and resource creation from the moment the secret was first exposed (the commit or deploy date, not the date you noticed) until the rotation took effect.
  3. Add a pre-commit hook (gitleaks, trufflehog) to catch future leaks, and run the same tool once over the full history to find anything else already committed.

Detection

FinishKit scans detect the common exposure patterns automatically and flag them as critical findings.
