no-secret
Detect hardcoded secrets in code.
Targeted pattern scope
This rule targets string literals and related literal-like values in source files.
What this rule reports
This rule reports string literals that exceed a configured entropy threshold (long, random-looking values such as API keys or tokens) or that match a configured secret pattern (for example a known key format).
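As an added worked example (not the plugin's own code, which lives in eslint-plugin-no-secrets), the stand-alone JavaScript below shows the checks such a rule combines over the string literals of a file: configured secret patterns, a Shannon-entropy threshold, and, going one step beyond what this page describes, the credential-keyword context check that detect-secrets-style scanners also apply. The thresholds, the `project-secret` pattern and the sample source are assumptions constructed for this example; the AWS value is the placeholder key ID from AWS's own documentation.

```javascript
// Added example: a minimal secret scanner of the kind the no-secret rule family
// applies to string literals. NOT the plugin's own code; thresholds, patterns
// and the sample source are illustrative assumptions.

// Well-known key formats plus a hypothetical project-specific "configured pattern".
const SECRET_PATTERNS = [
  { name: "aws-access-key-id", re: /^AKIA[0-9A-Z]{16}$/ },
  { name: "github-pat", re: /^ghp_[A-Za-z0-9]{36}$/ },
  { name: "project-secret", re: /^SECRET_[A-Z0-9]+$/ }, // assumed configured pattern
];

// A quoted literal assigned to a credential-like identifier (keyword context).
const KEYWORD_CONTEXT = /\b(password|passwd|pwd|secret|token|api[_-]?key)\b\s*[:=]\s*["']/i;

// Shannon entropy of a string in bits per character.
function shannonEntropy(s) {
  if (s.length === 0) return 0;
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Contents of single- and double-quoted literals on one line.
// Deliberately simple: no escape handling, no template literals.
function extractStringLiterals(line) {
  const out = [];
  const re = /"([^"\\]*)"|'([^'\\]*)'/g;
  let m;
  while ((m = re.exec(line)) !== null) out.push(m[1] !== undefined ? m[1] : m[2]);
  return out;
}

// Assumed defaults: entropy >= 4.0 bits/char on literals of 16+ characters.
const DEFAULT_OPTIONS = { tolerance: 4.0, minLength: 16 };

// Returns one finding per reported literal: { line, reason, value }.
// Order of checks: pattern match, then keyword context, then entropy.
function scanSource(source, options = DEFAULT_OPTIONS) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    const keywordHit = KEYWORD_CONTEXT.test(line);
    for (const value of extractStringLiterals(line)) {
      const pat = SECRET_PATTERNS.find((p) => p.re.test(value));
      if (pat) {
        findings.push({ line: idx + 1, reason: "pattern:" + pat.name, value });
      } else if (keywordHit) {
        findings.push({ line: idx + 1, reason: "keyword-context", value });
      } else if (value.length >= options.minLength) {
        const h = shannonEntropy(value);
        if (h >= options.tolerance) {
          findings.push({ line: idx + 1, reason: "entropy:" + h.toFixed(2), value });
        }
      }
    }
  });
  return findings;
}

// Constructed sample source. The AWS value is the placeholder key ID from AWS's
// documentation; every other literal is made up for this example.
const SAMPLE_SOURCE = [
  'const greeting = "hello world";',            // short, low entropy: not reported
  'const awsKey = "AKIAIOSFODNN7EXAMPLE";',     // known key format
  'const token = "SECRET_ABCD";',               // configured project pattern
  'const password = "p@ssw0rd-12345";',         // low entropy, but credential keyword
  'const sessionId = "Xq7pL2mZ9vB4kW1nR8tY";',  // no pattern, no keyword, high entropy
  'const token2 = process.env.API_TOKEN;',      // no literal at all: clean
  'const padding = "aaaaaaaaaaaaaaaaaaaa";',    // long but zero entropy: not reported
].join("\n");

for (const f of scanSource(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: ${f.reason} -> ${JSON.stringify(f.value)}`);
}
```

The "p@ssw0rd-12345" line is the instructive one: its entropy is well under the threshold, so an entropy-only scanner misses it and only the keyword-context or a configured pattern catches it. That is why the page's later advice to keep a dedicated scanner in CI matters; a lint rule is one layer, not the whole control.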
Why this rule exists
Hardcoded credentials leak through source control history (removing the value in a later commit does not remove it from the history), through published build artifacts and bundles, and to anyone with read access to the repository. Once a credential has been committed it must be treated as exposed and rotated, not merely deleted.
❌ Incorrect
const token = "SECRET_ABCD";
✅ Correct
const token = process.env.API_TOKEN;
Behavior and migration notes
This rule forwards its options and behavior unchanged to eslint-plugin-no-secrets/no-secrets, so the same option values can be carried over when migrating.

- Lifecycle: Deprecated and frozen.
- Deprecated since: v1.0.0
- Available until: v2.0.0
- Use instead: no-secrets/no-secrets
- Additional recommendation: Prefer dedicated scanners such as Secretlint or detect-secrets, which also cover non-JavaScript files and git history.
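As an added migration example (not from the plugin's own documentation), the flat config below replaces the deprecated rule with no-secrets/no-secrets and carries the same options across. The option names `tolerance` and `additionalRegexes` are the ones I know from eslint-plugin-no-secrets; confirm them against the version you install. The `PRJ-` regex, the threshold value and the fixture path are made-up values for illustration.

```javascript
// Added example, not the project's own config. Option names are assumed from
// eslint-plugin-no-secrets; verify against its README for your version.
import noSecrets from "eslint-plugin-no-secrets";

const secretOptions = {
  tolerance: 4.2, // entropy threshold; raise to cut noise, lower to catch more
  additionalRegexes: {
    // Hypothetical project-specific key format
    "Project API key": "PRJ-[A-Za-z0-9]{32}",
  },
};

export default [
  // Before migration the same options were passed to the deprecated rule:
  //   rules: { "etc-misc/no-secret": ["error", secretOptions] }
  {
    plugins: { "no-secrets": noSecrets },
    rules: {
      "no-secrets/no-secrets": ["error", secretOptions],
    },
    // Fixture directories holding deliberately fake keys are excluded here,
    // scoped to this config object, rather than silenced with inline
    // eslint-disable comments in real source.
    ignores: ["**/test/fixtures/**"],
  },
];
```

Passing the same `secretOptions` object to both rule names during the transition keeps findings identical before and after the switch, which makes the migration a no-op in CI rather than a new wave of reports.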
Additional examples
// ❌ likely reported by entropy/pattern checks
const password = "p@ssw0rd-12345";

// ✅ preferred
const password = process.env.APP_PASSWORD;
ESLint flat config example
import etcMisc from "eslint-plugin-etc-misc";

export default [
  {
    plugins: { "etc-misc": etcMisc },
    rules: {
      "etc-misc/no-secret": "error",
    },
  },
];
When not to use it
Disable this rule only for sanitized test-fixture directories (files that hold deliberately fake keys or sample tokens) where false positives are unavoidable. Prefer a scoped override in the ESLint config over inline eslint-disable comments in real source, and keep a dedicated secret scanner running in CI regardless, since a lint rule only sees the files ESLint parses.
Package documentation
Rule catalog ID: R038
Further reading
Adoption resources
- Start at warning level in CI, then move to error after cleanup.
- Secrets cannot be safely autofixed by a linter. Remediate in focused batches per package or directory: move each value to an environment variable or secret store, then rotate the credential, since the old value remains in history.