New
Introducing React Doctor for Enterprise
Menu
What Is React Doctor?
Quickstart
CLI to CI
How to Fix Issues
GitHub Actions Setup
Updating CI
Other CI Providers
Migrating to CI v2
Config Files
ESLint & oxlint Plugins
CLI Reference
GitHub Action Reference
Node.js API
Changelog
Modified MIT License
Terms of Service
Privacy Policy
Data Use
Security
Support
Rules reference

react-doctor/key-lifecycle-risk

A private key or release credential committed inline to the repo is exposed in git history and must be rotated and revoked.

  • Category: Security
  • Severity: error
  • Source: oxlint-plugin-react-doctor
  • Framework: global
  • Enabled when: any scanned text/config/secret file except test and documentation/markdown (.md/.mdx) paths

Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Fires when the file contains a PEM private-key header (-----BEGIN [RSA|EC|OPENSSH|DSA ]PRIVATE KEY-----) followed by a real base64 body of ≥38 chars, or a release-key NAME assigned an inline literal — SSH_PRIVATE_KEY/GPG_PRIVATE_KEY/DEPLOY_KEY/SIGNING_KEY set to a '…' string of ≥16 chars. FALSE POSITIVE: the PEM header is a placeholder with no/short body, is preceded within ~40 chars by placeholder/example/sample/dummy/fake, or is a truncated docs sample (a ... ellipsis appears early in the body) — all excluded — and a key-shaped env NAME that merely references a secret store (no inline literal value) is not flagged, because a name alone is the correct way to point at a secret.

Fix prompt

Use this once validation confirms the diagnostic is real.

Remove the private key or inline credential from source and purge it from git history (for example git filter-repo), then rotate and revoke it now, because the history is already compromised. Load key material at runtime from a secrets manager or CI secret store referenced by name only, prefer short-lived scoped deploy credentials, and document the rotation, expiry, and revocation procedure for any long-lived release or signing key.