My credential rule reported 842 secrets in vercel/ai. The real count was 0.

Our no-hardcoded-credentials rule fired 842 times on vercel/ai. The peer plugin fired 380. I assumed we had better recall — until I sampled. 807 of the 'extra' findings were TypeScript union-type literals, error class names, and the string 'test'. The real number of hardcoded credentials was zero. Here's how a context-blind regex becomes a context-aware detector — and why AI assistants keep regenerating the exact strings that fool it.
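The gap between the two counts, as an added example that is not the plugin's rule or code from the original article: a context-blind line match beside a check that looks at where the string literal sits. The regexes, placeholder list, length and entropy thresholds are assumptions, and the TypeScript sample lines are constructed, not taken from vercel/ai.

```javascript
// Added illustration: heuristics and thresholds are assumptions, not the plugin's rule.
// Constructed TypeScript lines: union-type literals, an error class name,
// the string 'test', and one secret-shaped value (also constructed).
const SAMPLE = [
  "type AuthScheme = 'api-key' | 'bearer-token' | 'password';",
  "interface Opts { tokenType: 'bearer' | 'basic' }",
  "const apiKeyErrorName = 'InvalidApiKeyError';",
  "const provider = createProvider({ apiKey: 'test' });",
  "const apiKey = 'q7Zp2Lx9Vb4Tn8Rk1Wd6Hs3Jf5Gm0Yc';",
];

const CRED_WORD = /(api[-_]?key|token|secret|password)/i;

// Context-blind: a credential word and a quote anywhere on the same line.
function naiveFindings(lines) {
  return lines.filter((l) => CRED_WORD.test(l) && /['"]/.test(l));
}

// Shannon entropy in bits per character.
function entropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts)
    .reduce((h, n) => h - (n / s.length) * Math.log2(n / s.length), 0);
}

// name = 'value' or name: 'value'
const ASSIGN = /\b([A-Za-z_$][\w$]*)\s*[:=]\s*(['"])([^'"]*)\2/g;
const PLACEHOLDERS = new Set(['test', 'example', 'dummy', 'changeme']);

function contextAwareFindings(lines) {
  const out = [];
  for (const line of lines) {
    if (/^\s*(export\s+)?type\s/.test(line)) continue;       // type alias: literals are types
    for (const m of line.matchAll(ASSIGN)) {
      const [whole, name, , value] = m;
      const rest = line.slice(m.index + whole.length);
      if (!CRED_WORD.test(name)) continue;                   // word must be in the binding name
      if (/^\s*\|/.test(rest)) continue;                     // inline union member
      if (/^[A-Z]\w*Error$/.test(value)) continue;           // error class name
      if (PLACEHOLDERS.has(value.toLowerCase())) continue;   // 'test' and similar
      if (value.length < 16 || entropy(value) < 3.5) continue; // too short or too regular
      out.push({ name, value });
    }
  }
  return out;
}
```

On the constructed sample, `naiveFindings(SAMPLE)` flags all five lines while `contextAwareFindings(SAMPLE)` keeps only the last one.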
