# `react-doctor/repository-secret-file`

A committed env file, credential, or token is exposed to anyone with repo access and must be rotated, even after you remove it.

- **Category:** Security
- **Severity:** error
- **Source:** oxlint-plugin-react-doctor
- **Framework:** global
- **Enabled when:** repository credential/config files only — .env* files, .npmrc, and *credential*/service-account/firebase-admin/google-or-gcp-service-account*.{json,env,pem,key}; redacted *.example/*.sample/*.template/*.dist/*.defaults and test paths skipped

## Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Fires only on committed credential/config FILES — any `.env*` file, `.npmrc`, or a `*credential(s)*`/`service-account`/`serviceAccount`/`firebase-admin`/`google-service-account`/`gcp-service-account*.{json,env,pem,key}` file — whose CONTENTS contain either a hard secret value (AWS `AKIA…`, `github_pat_`/`gh*_`, GitLab `glpat-`, Slack `xox*`, Stripe `sk_live/test_`, Anthropic `sk-ant-…`, npm token, SendGrid `SG.…`, a Slack/Discord webhook URL, `service_role`, a `-----BEGIN … PRIVATE KEY-----`, or a real `postgres://user:pass@host/` URL) or a public-env secret name. Redacted templates (`.env.example`/`.sample`/`.template`/`.dist`/`.defaults`, `*example|sample|template*` files) and test fixtures are exempt. FALSE POSITIVE: a placeholder/sample value the patterns still caught — though the DB-URL pattern already skips common `user:password@localhost` docker/compose placeholders, so a remaining hit is usually a real credential; verify the value is fake before suppressing.

## Fix prompt

Use this once validation confirms the diagnostic is real.

Delete the file from the working tree, purge it from git history (for example `git filter-repo`), and add its path to `.gitignore`. Rotate every credential it held, because a committed secret is compromised even after removal. Keep only a redacted `*.example`/`*.template` checked in, and load real secrets at runtime from a secrets manager or an untracked local env file.