netsuite-owasp-secure-coding

Fail

Audited by Snyk on Apr 30, 2026

Risk Level: HIGH
Full Analysis

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the document for literal, high-entropy credentials and applied the provided rules.

Flagged:

  • const API_KEY = 'sk-prod-a8f3k29d5e7b1c4f6' — looks like a real/high-entropy API key (sk- prefixed, random-like characters). This is a direct hardcoded secret in a "BAD" example and meets the inclusion criteria.

Ignored (not flagged) with reasons:

  • 'sk-default-dev-key-abc123' — clearly a default/dev fallback string (includes "default" and "abc123"); treated as a low-security/dev placeholder per the "What to ignore" guidance.
  • 'SuperSecretKey2024!' — readable/example encryption key in a sample; low entropy/obvious placeholder, so ignored.
  • 'sessionToken=abc123' and other short/simple tokens (e.g., "abc123", "123-45-6789") — low-entropy examples or test values; ignored.
  • Truncated JWT-like value 'eyJ...…' — redacted/truncated; ignored per rules on truncated/redacted values.

Therefore I report a single real high-entropy secret found (the sk-prod key).

Issues (1)

W008 (HIGH): Secret detected in skill content (API keys, tokens, passwords).

Audit Metadata

Risk Level: HIGH

Analyzed: Apr 30, 2026, 09:07 PM

Issues: 1