The API Key Cursor Just Wrote Into Your Code Is Already in Git History

via Dev.to Webdev, Chandan Karn

TL;DR

- AI coding assistants hardcode API keys, tokens, and credentials directly into source files more often than you'd think.
- Once committed, that secret lives in git history even after you delete it from the file.
- Fix: scan with gitleaks before pushing, and check your AI isn't skipping env vars.

I was doing a quick review of a side project last month when I spotted it. Right there in config.js, sitting in plain text: const OPENAI_KEY = "sk-proj-...". The developer had asked their AI assistant to add an OpenAI integration, reviewed the output, tested it, and shipped it. The key worked, so they moved on.

It had been in the repository for three months. Three months of git history, three months of anyone who cloned the repo having access to it. The key had been rotated by the time I found it. But rotating a key doesn't fix the history.

The Vulnerable Pattern

This is what AI assistants generate when you ask them to "add OpenAI to this project":

// CWE-798: Use of Hard-coded Credentials
cons
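The three points in the TL;DR, worked through as an added example (this is not code from the article or from gitleaks): the hardcoded-key config beside the env-var form, a small pre-push style scanner over source text, and the same scan run across a constructed commit history to show that removing the literal in a later commit does not remove it from earlier ones. The regexes are simplified stand-ins for the rule sets a real scanner such as gitleaks ships, and every sample line, key value and commit hash below is constructed for illustration.

```javascript
// Added example, not the article's code. Simplified stand-in for a
// gitleaks-style pre-push scan plus the env-var config pattern the
// article recommends. All sample values are constructed placeholders.

// --- 1. Hardened config: read the key from the environment ----------------

// Fails at startup if the variable is missing, so a forgotten export is a
// visible error rather than an empty string silently sent to the API.
function loadConfig(env = process.env) {
  const key = env.OPENAI_KEY;
  if (!key) {
    throw new Error('OPENAI_KEY is not set; export it or put it in an untracked .env file');
  }
  return { openaiKey: key };
}

// --- 2. Secret scan over source text --------------------------------------

// Constructed patterns for a few common credential shapes. Real scanners use
// many more rules plus entropy heuristics; this keeps the mechanism visible.
const SECRET_PATTERNS = [
  { id: 'openai-api-key', re: /sk-(?:proj-)?[A-Za-z0-9_-]{20,}/ },
  { id: 'aws-access-key-id', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { id: 'github-pat', re: /\bghp_[A-Za-z0-9]{36}\b/ },
];

// One finding per line that carries a matching literal. A line that reads
// process.env is not flagged: there is no literal in the file to leak.
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const { id, re } of SECRET_PATTERNS) {
      const m = re.exec(line);
      if (m) {
        findings.push({ line: idx + 1, rule: id, match: m[0] });
        break;
      }
    }
  });
  return findings;
}

// Constructed config.js as an assistant might generate it (CWE-798 pattern).
const SAMPLE_BAD = [
  '// config.js',
  'const OPENAI_KEY = "sk-proj-PLACEHOLDERaaaaaaaaaaaaaaaaaaaa";',
  'module.exports = { OPENAI_KEY };',
].join('\n');

// Constructed config.js after the developer "fixed" it with an env var.
const SAMPLE_GOOD = [
  '// config.js',
  'const OPENAI_KEY = process.env.OPENAI_KEY;',
  'if (!OPENAI_KEY) throw new Error("OPENAI_KEY not set");',
  'module.exports = { OPENAI_KEY };',
].join('\n');

// --- 3. The history problem -----------------------------------------------

// Constructed two-commit history, oldest first: the key is committed, then
// replaced with the env-var version. The first snapshot still contains it.
const SAMPLE_HISTORY = [
  { sha: 'a1a1a1a', files: { 'config.js': SAMPLE_BAD } },
  { sha: 'b2b2b2b', files: { 'config.js': SAMPLE_GOOD } },
];

// Runs scanSource over every file in every commit and tags findings with the
// commit they live in, which is what a history scan (gitleaks over the whole
// repo rather than the working tree) reports.
function scanHistory(commits) {
  const findings = [];
  for (const { sha, files } of commits) {
    for (const [path, content] of Object.entries(files)) {
      for (const f of scanSource(content)) findings.push({ sha, path, ...f });
    }
  }
  return findings;
}

console.log('working tree:', scanSource(SAMPLE_GOOD));      // [] after the fix
console.log('history:', scanHistory(SAMPLE_HISTORY));        // still one hit in a1a1a1a
```

The last two lines make the article's point concrete: the current file is clean, but the history scan still reports the literal in the earlier commit, which is why rotation plus a working-tree fix is not the end of the remediation.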

Continue reading on Dev.to Webdev
