Security · May 2025

5 Secrets Every AI-Built App Accidentally Leaks to GitHub

From .env files to hardcoded Stripe keys — these are the most common credentials we find in AI-built repos, and how to fix each one without breaking your deploy.

When you build with AI tools, you move fast. You paste in API keys to get things working. You let the AI scaffold your config files. And sometimes — more often than you'd think — those secrets end up committed to GitHub. Once they're there, even for a minute, they're compromised.

Here are the five most common secrets we find when scanning AI-built repos, and what to do about each.

01

The committed .env file

The AI generated a .env file with working credentials so you could test locally. You committed it "just to test something" and forgot. This is the single most common finding. Fix: add .env to .gitignore immediately, rotate any credentials that were exposed, and use .env.example with placeholder values for the repo.

02

Hardcoded Stripe publishable + secret keys

The AI built your payment flow inline. The publishable key is fine to expose — the secret key absolutely is not. We regularly find STRIPE_SECRET_KEY directly in source files. Fix: move it to an environment variable and rotate the key in your Stripe dashboard.

03

Database connection strings

DATABASE_URL with username, password, and host committed directly. Anyone with repo access — including GitHub itself — can now connect to your database. Fix: move it to an environment variable, rotate the database password, and consider restricting DB access by IP.

04

Third-party API keys (OpenAI, Resend, Twilio)

The AI used your OpenAI API key inline to demonstrate the feature. These keys rack up charges when stolen, and attackers scan GitHub for them constantly. Fix: move all third-party keys to environment variables and enable usage limits in each provider's dashboard.

05

JWT secrets and session tokens

JWT_SECRET hardcoded as "supersecret" or a real value the AI generated inline. Anyone who knows it can forge auth tokens for any user in your app. Fix: generate a proper random 32-byte secret, store it as an env var, rotate immediately if exposed.

The one-line fix

Every secret above has the same solution: move it to an environment variable and rotate the exposed credential. VibeProd detects all of these patterns automatically and opens a PR that moves them to env vars, adds them to .gitignore, and generates a .env.example file so your setup docs don't break.
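As an added illustration (not VibeProd's scanner or any project's code), here is a small Python checker for the five patterns above plus a helper that turns a .env into a .env.example. The sample repo contents, file names and key values are constructed; the Stripe (sk_live_/sk_test_) and OpenAI (sk-) prefixes are the providers' public key formats.

```python
import re
from typing import Dict, List, Tuple

# One rule per finding in the article. The first rule is matched against the path,
# the rest against each source line. JWT and DATABASE_URL rules only fire on a
# literal value in source, not on a value read from the environment.
PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("committed .env file", re.compile(r"(^|/)\.env$")),
    ("stripe secret key", re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{8,}")),
    ("database url with password", re.compile(r"\b\w+://[^\s:/@]+:[^\s@]+@[^\s/]+")),
    ("openai api key", re.compile(r"\bsk-[A-Za-z0-9_-]{20,}")),
    ("hardcoded jwt secret", re.compile(r"JWT_SECRET\s*[:=]\s*['\"][^'\"]+['\"]")),
]

# Constructed sample repo (path -> contents); none of these are real credentials.
SAMPLE_FILES: Dict[str, str] = {
    ".env": "STRIPE_SECRET_KEY=sk_test_CONSTRUCTEDEXAMPLE00000\n"
            "DATABASE_URL=postgres://app:hunter2@db.internal:5432/app\n",
    "lib/stripe.js": "const stripe = require('stripe')('sk_test_CONSTRUCTEDEXAMPLE00000');\n",
    "lib/auth.js": 'const JWT_SECRET = "supersecret";\n',
    "lib/ai.py": "client = OpenAI(api_key='sk-CONSTRUCTEDEXAMPLEKEY0000000000')\n",
    "lib/ok.py": "import os\nclient = OpenAI(api_key=os.environ['OPENAI_API_KEY'])\n",
}

def scan(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Return (path, line_no, finding) tuples; line_no 0 marks a path-level finding."""
    findings: List[Tuple[str, int, str]] = []
    for path, text in files.items():
        if PATTERNS[0][1].search(path):
            findings.append((path, 0, PATTERNS[0][0]))
        for no, line in enumerate(text.splitlines(), 1):
            for name, rx in PATTERNS[1:]:
                if rx.search(line):
                    findings.append((path, no, name))
    return findings

def env_example(dotenv: str) -> str:
    """Build a .env.example: keep keys, comments and blank lines, replace every value."""
    out = []
    for line in dotenv.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or "=" not in s:
            out.append(line)
        else:
            key = s.split("=", 1)[0].strip()
            out.append(f"{key}=your_{key.lower()}_here")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for path, no, name in scan(SAMPLE_FILES):
        print(f"{path}:{no}: {name}")
    print(env_example(SAMPLE_FILES[".env"]), end="")
```

In a real repo you would feed this the staged files from a pre-commit hook so the secret never reaches a commit; a match still means rotating the credential, since a key that was pasted anywhere should be treated as exposed.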

Scan your repo for exposed secrets

Free scan, no account needed, results in under 2 minutes.
