Secret vars crashing build

Hi,

My build is failing because of secret variables.

My app interacts with the Spotify API. I need to set secrets for both Spotify and NextAuth.

The vars were created on Netlify and marked as secret.

My code only references them through variables like below.

```ts
clientId: process.env.SPOTIFY_CLIENT_ID!,
clientSecret: process.env.SPOTIFY_CLIENT_SECRET!,
secret: process.env.NEXTAUTH_SECRET,
```

The error on the build is:
Secrets scanning found 97 instance(s) of secrets in build output or repo code.
Secret env var “SPOTIFY_CLIENT_SECRET”'s value detected

So what do I need to do for this to work?

This error means that somewhere in your code, the value of the variable is getting hardcoded, which might or might not be a security issue - depends on your setup. As for ignoring it, it’s documented here: Enhanced security with Secrets Controller | Netlify Docs

Hi hrishikesh,

Thanks for the response.

I am confident the value is not hard-coded in any of my files.

I have a few occurrences of process.env.SPOTIFY_CLIENT_SECRET and SPOTIFY_CLIENT_ID, but only as variable names.

I did an experiment here and built it locally. Then I searched for the value of those keys in the .next folder and found 8 occurrences of the value in 6 files. However, I do not know if those files are accessible publicly. These are the files:

  • .next\required-server-files.json
  • .next\server\app\api\auth\[…nextauth]\route.js
  • .next\standalone\.env
  • .next\standalone\server.js
  • .next\standalone\.next\required-server-files.json
  • .next\standalone\.next\server\app\api\auth\[…nextauth]\route.js

Do you know if these are accessible publicly?

And, if I use the ignore variables as they suggest, doesn’t it mean the values will make their way to those files above? What is the difference between using the ignore rules and not marking those vars as secret in the first place?

Those files aren’t accessible publicly, so I believe ignoring should be a fine thing to do. I however do not know (or think) it is expected for your process.env... calls to be replaced with their actual values. This usually happens for client-side JavaScript, but not for server-side JavaScript code that exists in the .next folder.

Those are 2 different things. Marking them as secret or not would not make a difference in terms of whether it is actually safe if they get exposed.