Credentials

Are you committing any credentials that don't belong in the repository? Once committed, this data is difficult to remove again.

Never commit credentials like API keys, passwords, or tokens into your repository. Once they are in Git, they live forever in the history and can be very hard to remove. Worse, if the repo is public or shared, you may accidentally leak access to sensitive systems.

Take a Spring Boot application that needs to call a REST API. A common mistake is to hardcode the API key directly:

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.client.RestTemplate;

@RestController
public class WeatherController {
    // Hardcoded credential: it becomes part of the source and of every clone of the repository.
    private static final String API_KEY = "12345-SECRET-KEY";

    @GetMapping("/weather")
    public String getWeather() {
        return callApi("https://api.weather.com/data?key=" + API_KEY);
    }

    private String callApi(String url) {
        return new RestTemplate().getForObject(url, String.class);
    }
}

This seems convenient, but it exposes the secret to everyone who can read your code. If the repo is cloned, forked, or shared, the secret has leaked along with it, and it stays in the history even after the line is deleted.

Instead, load secrets from configuration outside of your code, for example using application.properties or environment variables:

import org.springframework.beans.factory.annotation.Value;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.client.RestTemplate;

@RestController
public class WeatherController {

    // Resolved at startup from the environment variable (or property) WEATHER_API_KEY;
    // the source contains no secret.
    @Value("${WEATHER_API_KEY}")
    private String apiKey;

    @GetMapping("/weather")
    public String getWeather() {
        return callApi("https://api.weather.com/data?key=" + apiKey);
    }

    private String callApi(String url) {
        return new RestTemplate().getForObject(url, String.class);
    }
}

Then set the real value in your environment, deployment pipeline, or secret store. If you put it in application.properties, keep that file out of the repository, or commit only a placeholder such as weather.api.key=${WEATHER_API_KEY}. If the variable is missing, Spring Boot refuses to start because the placeholder cannot be resolved, which is better than silently calling the API with an empty key. This way, no sensitive data is ever pushed to Git. One caveat remains: the key still travels in the URL query string, where proxies and server access logs may record it, so send it in a request header if the API supports that.

Rule of thumb: if you are about to commit a string that looks like a secret, stop. Move it to configuration. Every commit should be safe to share with the world. If a secret has already been pushed, revoke and rotate it first; rewriting history cleans up your repository but not the clones, forks, and caches that already hold the old commit.
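The rule of thumb above can be enforced mechanically before a commit is created. What follows is an added example, not code from the original page: a small pre-commit scanner in Python that reads `git diff --cached -U0` output and flags added lines that either match a known credential format or assign a high-entropy literal to a secret-looking name, while skipping Spring-style `${...}` placeholders and obvious dummy values. The diff it runs on by default is constructed for this illustration, and the pattern list, placeholder hints, and entropy threshold are assumptions chosen here (the AWS key ID in the sample is the placeholder value from AWS's own documentation, not a real credential).

```python
"""Pre-commit secret scanner (added example; not from the original page).

Usage in a hook:  git diff --cached -U0 | python3 scan_secrets.py
Exits 1 when anything suspicious is found, which blocks the commit.
"""
import math
import re
import sys
from collections import Counter
from typing import List, NamedTuple


class Finding(NamedTuple):
    line: int     # line number within the diff text
    rule: str     # which detector fired
    detail: str   # variable name or truncated token, never the full value


# Fixed-format credentials recognisable by shape alone (assumed subset).
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

# name = "value" / name: value / name=value, where the name hints at a secret.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)\b(?P<name>[A-Za-z_][A-Za-z0-9_.]*(?:key|secret|token|password|passwd|pwd))\b"
    r"\s*[:=]\s*[\"']?(?P<value>[^\"'\s]{8,})[\"']?"
)

# Heuristic: values like these are placeholders, not credentials.
PLACEHOLDER_HINTS = ("changeme", "placeholder", "example", "dummy", "xxx", "your_")
ENTROPY_THRESHOLD = 3.0  # bits per character; random API keys score well above this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_placeholder(value: str) -> bool:
    v = value.lower()
    return v.startswith("${") or any(h in v for h in PLACEHOLDER_HINTS)


def scan_line(text: str, line_no: int = 0) -> List[Finding]:
    """Return findings for one line of source or configuration."""
    findings = []
    for rule, pattern in KNOWN_PATTERNS.items():
        m = pattern.search(text)
        if m:
            findings.append(Finding(line_no, rule, m.group(0)[:8] + "..."))
    m = SECRET_ASSIGNMENT.search(text)
    if m and not is_placeholder(m.group("value")):
        entropy = shannon_entropy(m.group("value"))
        if entropy >= ENTROPY_THRESHOLD:
            detail = f"{m.group('name')} ({entropy:.2f} bits/char)"
            findings.append(Finding(line_no, "high_entropy_assignment", detail))
    return findings


def scan_diff(diff_text: str) -> List[Finding]:
    """Scan only lines being added ('+'), ignoring the '+++ b/file' header."""
    findings = []
    for line_no, line in enumerate(diff_text.splitlines(), start=1):
        if line.startswith("+") and not line.startswith("+++"):
            findings.extend(scan_line(line[1:], line_no))
    return findings


# Constructed sample diff: the page's hardcoded key being replaced in one file,
# re-introduced in another, plus a properties file with mixed content.
SAMPLE_DIFF = """\
diff --git a/src/main/java/WeatherController.java b/src/main/java/WeatherController.java
--- a/src/main/java/WeatherController.java
+++ b/src/main/java/WeatherController.java
@@ -5,1 +5,2 @@
-    private static final String API_KEY = "12345-SECRET-KEY";
+    @Value("${WEATHER_API_KEY}")
+    private String apiKey;
diff --git a/src/main/java/LegacyClient.java b/src/main/java/LegacyClient.java
--- /dev/null
+++ b/src/main/java/LegacyClient.java
@@ -0,0 +1,1 @@
+    private static final String API_KEY = "12345-SECRET-KEY";
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
--- /dev/null
+++ b/src/main/resources/application.properties
@@ -0,0 +1,4 @@
+weather.api.key=${WEATHER_API_KEY}
+aws.access.key.id=AKIAIOSFODNN7EXAMPLE
+db.password=changeme
+admin_token = "Zq8fT1xW3vLb9KpR2sHgY7mNcD4eJ6aU"
"""


if __name__ == "__main__":
    text = SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read()
    hits = scan_diff(text)
    for f in hits:
        print(f"line {f.line}: {f.rule}: {f.detail}")
    sys.exit(1 if hits else 0)
```

On the sample diff the scanner reports the re-introduced `API_KEY` literal, the AWS key ID, and the `admin_token` assignment, and stays quiet on the `${WEATHER_API_KEY}` placeholder and the `changeme` dummy value. The entropy and placeholder heuristics trade false positives for false negatives, so treat a hit as a prompt to look, not as proof; tools such as gitleaks or git-secrets do the same job with larger pattern sets.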