
demo(03-hardcoded-secret): 03 — Hardcoded API key in source#152

Open
EricCogen wants to merge 1 commit into main from demo/03-hardcoded-secret

Conversation

@EricCogen
Owner

03 — Hardcoded API key in source

Expected verdict: ❌ Fails — GauntletCI should fire GCI0012 (hardcoded secret).

What changed

src/OrderService/Program.cs adds a PostConfigure<StripeOptions> block
that hardcodes the API key into source:

builder.Services.PostConfigure<StripeOptions>(opts =>
{
    opts.ApiKey = "gci_demo_7f3a2e9c4b8d6f1a5e2c9b3d4a8e7f6c";
});

The literal uses this repo's gci_demo_{hex} convention so it doesn't
trigger any provider-specific scanner — but GauntletCI's GCI0012
heuristic recognises the credential-shaped string assigned to a
property named ApiKey and flags it.

Why this is risky

  • Anything checked into source is permanently leaked, even if you remove
    it later (git history is forever).
  • Static analyzers like GitHub secret scanning would block real Stripe
    keys (sk_live_…, pk_live_…) at push time, but a maintainer can
    bypass that. GauntletCI catches it first.

What GauntletCI catches

GCI0012 Hardcoded secret — credential-shaped literal assigned to an
options property named ApiKey.

See scenarios/03-hardcoded-secret/README.md for the expected verdict.
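As an added illustration (not GauntletCI's code or anything from this repo), here is a small Python re-implementation of the kind of heuristic the PR description attributes to GCI0012: a string literal assigned to a credential-named property, where the literal matches the repo's gci_demo_{hex} convention, a Stripe-style sk_/pk_ prefix, or is simply long and high-entropy. The property-name list, the entropy threshold and the sample source text are assumptions made for this example.

```python
import math
import re
from typing import Optional

# Property names that commonly hold credentials (assumed list, not GauntletCI's).
SENSITIVE_NAME = re.compile(r"api_?key|secret|token|password", re.IGNORECASE)
# Matches `opts.ApiKey = "literal";` -- a property assignment with a string-literal RHS.
ASSIGNMENT = re.compile(r'(?P<target>[A-Za-z_][\w.]*)\s*=\s*"(?P<literal>[^"]*)"\s*;')
# Credential shapes: this repo's gci_demo_{hex} convention and the Stripe prefixes named in the PR.
KNOWN_SHAPES = [
    ("repo gci_demo convention", re.compile(r"^gci_demo_[0-9a-f]{32}$")),
    ("Stripe-style key prefix", re.compile(r"^(?:sk|pk)_(?:live|test)_[A-Za-z0-9]{8,}$")),
]

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking keys sit well above ordinary words."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def credential_shape(literal: str) -> Optional[str]:
    """Return why a literal looks like a credential, or None if it does not."""
    for reason, pattern in KNOWN_SHAPES:
        if pattern.match(literal):
            return reason
    # Generic fallback: long and high-entropy, so placeholders like "REPLACE_ME" pass.
    if len(literal) >= 20 and shannon_entropy(literal) >= 3.5:
        return "high-entropy literal"
    return None

def find_hardcoded_secrets(source: str) -> list:
    """Scan C# source text; flag string literals assigned to credential-named properties."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = ASSIGNMENT.search(line)
        if not m:
            continue
        prop = m.group("target").rsplit(".", 1)[-1]  # "opts.ApiKey" -> "ApiKey"
        if not SENSITIVE_NAME.search(prop):
            continue
        reason = credential_shape(m.group("literal"))
        if reason:
            findings.append({"line": lineno, "property": prop, "reason": reason})
    return findings

# Constructed sample mirroring the PR's PostConfigure block plus two lines that must not fire.
SAMPLE = """\
builder.Services.Configure<StripeOptions>(builder.Configuration.GetSection("Stripe"));
builder.Services.PostConfigure<StripeOptions>(opts =>
{
    opts.ApiKey = "gci_demo_7f3a2e9c4b8d6f1a5e2c9b3d4a8e7f6c";
    opts.ApiKey = "REPLACE_ME";
    opts.Region = "us-east-1";
});
"""
```

Running `find_hardcoded_secrets(SAMPLE)` reports only line 4: the configuration-bound line, the placeholder and the non-credential property are left alone.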

@github-actions github-actions Bot left a comment


GauntletCI found issues in this PR. See inline comments for details.

builder.Services.Configure<StripeOptions>(builder.Configuration.GetSection("Stripe"));
builder.Services.PostConfigure<StripeOptions>(opts =>
{
    opts.ApiKey = "gci_demo_7f3a2e9c4b8d6f1a5e2c9b3d4a8e7f6c";


GCI0012 — Security Risk

Possible hardcoded credential ('apikey' assigned a string literal).

Evidence:

Line 26: opts.ApiKey = "gci_demo_7f3a2e9c4b8d6f1a5e2c9b3d4a8e7f6c";

⚠️ Why it matters: Credentials in source code are exposed via version control and are easily compromised.

💡 Suggested action: Use a secrets manager (Azure Key Vault, AWS Secrets Manager) or environment variables. Never hardcode credentials.

Confidence: High | Severity: Block


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0653f5e679

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

builder.Services.Configure<StripeOptions>(builder.Configuration.GetSection("Stripe"));
builder.Services.PostConfigure<StripeOptions>(opts =>
{
    opts.ApiKey = "gci_demo_7f3a2e9c4b8d6f1a5e2c9b3d4a8e7f6c";


P1: Remove hardcoded Stripe API key from source

Assigning a credential-shaped literal directly to StripeOptions.ApiKey hardcodes a secret in git history and also overrides any environment-provided key for every run, so all environments using this build will use the same exposed credential. This is a security regression and operational risk (rotation and per-environment isolation stop working) introduced by the new PostConfigure<StripeOptions> block.

Useful? React with 👍 / 👎.
