⚡
AI Fix Prompts for Scoop Riding
Copy any prompt below into Claude, ChatGPT, or your AI coding assistant to automatically fix the issue. Each prompt includes full context, code location, and step-by-step fix instructions.
21
Total Prompts
20
Critical (P0)
1
High (P1)
0
Medium (P2)
0
Low (P3)
Download All (Markdown)
Download All (JSON)
Feed these prompts to any AI coder: Claude Code, Cursor, Copilot, GPT, Ollama
CRITICAL
⚡ quick-fix
#1
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
app/create-shop-review.tsxPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'pinetreeB__scoop-riding'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: app/create-shop-review.tsx
**Line**: 56
**Severity**: CRITICAL
**Current code around the issue:**
```
51 | const createReviewMutation = trpc.shopReviews.create.useMutation(
52 | mutationOpts({
53 | onSuccess: () => {
54 | trpcUtils.shopReviews.list.invalidate();
55 | if (Platform.OS !== "web") {
>>> 56 | Haptics.notificationAsync(Haptics.NotificationFeedbackType.Success);
57 | }
58 | router.back();
59 | },
60 | onError: (error: { message: string }) => {
61 | Alert.alert("오류", error.message || "리뷰 작성에 실패했습니다.");
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
Generated by Repobility's multi-pass static-analysis pipeline (https://repobility.com)
CRITICAL
⚡ quick-fix
#2
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
app/(tabs)/garage.tsxPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'pinetreeB__scoop-riding'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: app/(tabs)/garage.tsx
**Line**: 195
**Severity**: CRITICAL
**Current code around the issue:**
```
190 |
191 | await trpcUtils.scooters.list.invalidate();
192 | setIsModalVisible(false);
193 |
194 | if (Platform.OS !== "web") {
>>> 195 | Haptics.notificationAsync(Haptics.NotificationFeedbackType.Success);
196 | }
197 | } catch (error) {
198 | Alert.alert(t("common.error"), t("settings.scooters.saveError"));
199 | } finally {
200 | setIsSaving(false);
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#3
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
app/(tabs)/garage.tsxPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'pinetreeB__scoop-riding'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: app/(tabs)/garage.tsx
**Line**: 222
**Severity**: CRITICAL
**Current code around the issue:**
```
217 | onPress: async () => {
218 | try {
219 | await deleteMutation.mutateAsync({ id: scooter.id });
220 | await trpcUtils.scooters.list.invalidate();
221 | if (Platform.OS !== "web") {
>>> 222 | Haptics.notificationAsync(Haptics.NotificationFeedbackType.Success);
223 | }
224 | } catch (error) {
225 | Alert.alert(t("common.error"), t("settings.scooters.deleteError"));
226 | }
227 | },
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#4
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
app/(tabs)/history.tsxPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'pinetreeB__scoop-riding'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: app/(tabs)/history.tsx
**Line**: 109
**Severity**: CRITICAL
**Current code around the issue:**
```
104 |
105 | const success = await saveAndShareGpx(trackData, filename);
106 |
107 | if (success) {
108 | if (Platform.OS !== "web") {
>>> 109 | Haptics.notificationAsync(Haptics.NotificationFeedbackType.Success);
110 | }
111 | } else {
112 | Alert.alert(t("history.alerts.exportFailed"), t("history.alerts.exportFailedMessage"));
113 | }
114 | } catch (error) {
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#5
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
app/(tabs)/index.tsxPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'pinetreeB__scoop-riding'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: app/(tabs)/index.tsx
**Line**: 244
**Severity**: CRITICAL
**Current code around the issue:**
```
239 | loadStats();
240 |
241 | if (Platform.OS !== "web") {
242 | Haptics.notificationAsync(
243 | syncResult.failed > 0
>>> 244 | ? Haptics.NotificationFeedbackType.Warning
245 | : Haptics.NotificationFeedbackType.Success
246 | );
247 | }
248 | } catch (error) {
249 | console.error("[HomeScreen] Manual sync error:", error);
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#6
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
app/(tabs)/index.tsxPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'pinetreeB__scoop-riding'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: app/(tabs)/index.tsx
**Line**: 245
**Severity**: CRITICAL
**Current code around the issue:**
```
240 |
241 | if (Platform.OS !== "web") {
242 | Haptics.notificationAsync(
243 | syncResult.failed > 0
244 | ? Haptics.NotificationFeedbackType.Warning
>>> 245 | : Haptics.NotificationFeedbackType.Success
246 | );
247 | }
248 | } catch (error) {
249 | console.error("[HomeScreen] Manual sync error:", error);
250 | } finally {
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#7
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
app/admin-dashboard.tsxPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'pinetreeB__scoop-riding'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: app/admin-dashboard.tsx
**Line**: 122
**Severity**: CRITICAL
**Current code around the issue:**
```
117 | await updateBugStatusMutation.mutateAsync({
118 | id: bugId,
119 | status: newStatus,
120 | });
121 | if (Platform.OS !== "web") {
>>> 122 | Haptics.notificationAsync(Haptics.NotificationFeedbackType.Success);
123 | }
124 | refetchBugReports();
125 | } catch (error) {
126 | Alert.alert("오류", "상태 업데이트에 실패했습니다.");
127 | }
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#8
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
app/ai-report.tsxPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'pinetreeB__scoop-riding'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: app/ai-report.tsx
**Line**: 177
**Severity**: CRITICAL
**Current code around the issue:**
```
172 | avgSpeed: stats.avgSpeed,
173 | maxSpeed: stats.maxSpeed,
174 | });
175 |
176 | if (Platform.OS !== "web") {
>>> 177 | Haptics.notificationAsync(Haptics.NotificationFeedbackType.Success);
178 | }
179 | } else {
180 | Alert.alert(t('common.error'), result.error || t('aiReport.generateError'));
181 | }
182 | } catch (error: any) {
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#9
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
app/battery-health.tsxPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'pinetreeB__scoop-riding'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: app/battery-health.tsx
**Line**: 62
**Severity**: CRITICAL
**Current code around the issue:**
```
57 | const generateMutation = trpc.batteryHealth.generateReport.useMutation(mutationOpts({
58 | onSuccess: (data: any) => {
59 | setReport(data as HealthReport);
60 | refetch();
61 | setGenerating(false);
>>> 62 | Haptics.notificationAsync(Haptics.NotificationFeedbackType.Success);
63 | },
64 | onError: (error: { message: string }) => {
65 | setGenerating(false);
66 | Alert.alert("오류", error.message);
67 | },
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
Repobility (the analyzer behind this table) · https://repobility.com
CRITICAL
⚡ quick-fix
#10
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
app/bug-report.tsxPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'pinetreeB__scoop-riding'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: app/bug-report.tsx
**Line**: 92
**Severity**: CRITICAL
**Current code around the issue:**
```
87 | setForm(prev => ({
88 | ...prev,
89 | screenshots: [...prev.screenshots, uploadedUrl],
90 | }));
91 | if (Platform.OS !== "web") {
>>> 92 | Haptics.notificationAsync(Haptics.NotificationFeedbackType.Success);
93 | }
94 | } else {
95 | Alert.alert("오류", "이미지 업로드에 실패했습니다.");
96 | }
97 | setUploadingImage(false);
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#11
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
app/bug-report.tsxPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'pinetreeB__scoop-riding'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: app/bug-report.tsx
**Line**: 132
**Severity**: CRITICAL
**Current code around the issue:**
```
127 | setForm(prev => ({
128 | ...prev,
129 | screenshots: [...prev.screenshots, uploadedUrl],
130 | }));
131 | if (Platform.OS !== "web") {
>>> 132 | Haptics.notificationAsync(Haptics.NotificationFeedbackType.Success);
133 | }
134 | } else {
135 | Alert.alert("오류", "이미지 업로드에 실패했습니다.");
136 | }
137 | setUploadingImage(false);
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#12
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
app/bug-report.tsxPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'pinetreeB__scoop-riding'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: app/bug-report.tsx
**Line**: 179
**Severity**: CRITICAL
**Current code around the issue:**
```
174 | appVersion: CURRENT_APP_VERSION,
175 | deviceInfo,
176 | });
177 |
178 | if (Platform.OS !== "web") {
>>> 179 | Haptics.notificationAsync(Haptics.NotificationFeedbackType.Success);
180 | }
181 |
182 | Alert.alert(
183 | "제출 완료",
184 | "버그 리포트가 성공적으로 제출되었습니다.\n빠른 시일 내에 확인하겠습니다.",
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#13
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
app/challenge-detail.tsxPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'pinetreeB__scoop-riding'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: app/challenge-detail.tsx
**Line**: 45
**Severity**: CRITICAL
**Current code around the issue:**
```
40 | onSuccess: () => {
41 | utils.challenges.list.invalidate();
42 | utils.challenges.mine.invalidate();
43 | refetchLeaderboard();
44 | if (Platform.OS !== "web") {
>>> 45 | Haptics.notificationAsync(Haptics.NotificationFeedbackType.Success);
46 | }
47 | },
48 | }));
49 |
50 |
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#14
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
app/challenge-detail.tsxPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'pinetreeB__scoop-riding'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: app/challenge-detail.tsx
**Line**: 54
**Severity**: CRITICAL
**Current code around the issue:**
```
49 |
50 |
51 | const inviteMutation = trpc.challenges.invite.useMutation(mutationOpts({
52 | onSuccess: () => {
53 | if (Platform.OS !== "web") {
>>> 54 | Haptics.notificationAsync(Haptics.NotificationFeedbackType.Success);
55 | }
56 | setShowInviteModal(false);
57 | },
58 | }));
59 |
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#15
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
app/challenges.tsxPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'pinetreeB__scoop-riding'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: app/challenges.tsx
**Line**: 50
**Severity**: CRITICAL
**Current code around the issue:**
```
45 | const joinMutation = trpc.challenges.join.useMutation(mutationOpts({
46 | onSuccess: () => {
47 | utils.challenges.list.invalidate();
48 | utils.challenges.mine.invalidate();
49 | if (Platform.OS !== "web") {
>>> 50 | Haptics.notificationAsync(Haptics.NotificationFeedbackType.Success);
51 | }
52 | },
53 | }));
54 |
55 | useFocusEffect(
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#16
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
app/charging-record.tsxPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'pinetreeB__scoop-riding'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: app/charging-record.tsx
**Line**: 97
**Severity**: CRITICAL
**Current code around the issue:**
```
92 | chargeType,
93 | notes: notes || undefined,
94 | });
95 |
96 | if (Platform.OS !== "web") {
>>> 97 | Haptics.notificationAsync(Haptics.NotificationFeedbackType.Success);
98 | }
99 |
100 | Alert.alert("완료", "충전 기록이 저장되었습니다.", [
101 | { text: "확인", onPress: () => router.back() },
102 | ]);
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#17
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
app/create-challenge.tsxPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'pinetreeB__scoop-riding'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: app/create-challenge.tsx
**Line**: 41
**Severity**: CRITICAL
**Current code around the issue:**
```
36 | const createMutation = trpc.challenges.create.useMutation(mutationOpts({
37 | onSuccess: () => {
38 | utils.challenges.list.invalidate();
39 | utils.challenges.mine.invalidate();
40 | if (Platform.OS !== "web") {
>>> 41 | Haptics.notificationAsync(Haptics.NotificationFeedbackType.Success);
42 | }
43 | router.back();
44 | },
45 | onError: (error: { message: string }) => {
46 | Alert.alert("오류", error.message || "챌린지 생성에 실패했습니다.");
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
Repobility · severity-and-effort ranking · https://repobility.com
CRITICAL
⚡ quick-fix
#18
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
app/create-post.tsxPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'pinetreeB__scoop-riding'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: app/create-post.tsx
**Line**: 121
**Severity**: CRITICAL
**Current code around the issue:**
```
116 | filename: `post_image_${Date.now()}.jpg`,
117 | contentType: "image/jpeg",
118 | });
119 | setImages((prev) => [...prev, response.url]);
120 | if (Platform.OS !== "web") {
>>> 121 | Haptics.notificationAsync(Haptics.NotificationFeedbackType.Success);
122 | }
123 | } catch (error) {
124 | Alert.alert("오류", "이미지 업로드에 실패했습니다.");
125 | } finally {
126 | setIsUploadingImage(false);
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#19
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
app/create-post.tsxPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'pinetreeB__scoop-riding'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: app/create-post.tsx
**Line**: 163
**Severity**: CRITICAL
**Current code around the issue:**
```
158 | filename: `post_image_${Date.now()}.jpg`,
159 | contentType: "image/jpeg",
160 | });
161 | setImages((prev) => [...prev, response.url]);
162 | if (Platform.OS !== "web") {
>>> 163 | Haptics.notificationAsync(Haptics.NotificationFeedbackType.Success);
164 | }
165 | } catch (error) {
166 | Alert.alert("오류", "이미지 업로드에 실패했습니다.");
167 | } finally {
168 | setIsUploadingImage(false);
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
CRITICAL
⚡ quick-fix
#20
Remove hard-coded api_key: Vault Token
security credentials api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify:
app/create-stamp.tsxPrompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'pinetreeB__scoop-riding'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: app/create-stamp.tsx
**Line**: 43
**Severity**: CRITICAL
**Current code around the issue:**
```
38 |
39 | const uploadMutation = trpc.storage.uploadImage.useMutation();
40 | const createMutation = trpc.mapStamps.create.useMutation(mutationOpts({
41 | onSuccess: () => {
42 | if (Platform.OS !== "web") {
>>> 43 | Haptics.notificationAsync(Haptics.NotificationFeedbackType.Success);
44 | }
45 | router.back();
46 | },
47 | onError: (err: { message: string }) => {
48 | Alert.alert(t("common.error"), err.message);
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH
⚙ moderate
#21
Fix 6 SAST/security code findings
sast security code-fix
Expected outcome: All SAST findings resolved
Files to modify:
app/(tabs)/assistant.tsx, app/fuel.tsx, app/route-preview.tsx, app/search-destination.tsxPrompt (copy this into your AI assistant)
Static analysis found 6 security issues in 'pinetreeB__scoop-riding': - [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at app/(tabs)/assistant.tsx:87 - [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at app/(tabs)/assistant.tsx:135 - [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at app/fuel.tsx:103 - [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at app/route-preview.tsx:178 - [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at app/search-destination.tsx:203 - [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at app/search-destination.tsx:236 For each finding: - SQL injection: use parameterized queries - Command injection: use subprocess with list args, no shell=True - Path traversal: validate and sanitize paths - Insecure deserialization: use json instead of pickle - IaC misconfigs: apply the suggested fix from the rule