Problem
internal/status/status.go sets the Healthchecks API key directly in code when fetching cluster status.
For a public CLI repo, embedding service credentials in source makes key rotation harder (every rotation is a code change and a release) and grants access to anyone who can read the repository, including anyone who has cloned it or who mines its git history. Even if the current key is read-only or intentionally scoped, it should be treated as leaked once committed.
Suggested fix
- Revoke/rotate the committed Healthchecks API key. Removing it from the file is not enough on its own, because it remains in git history.
- Load the key from an environment variable, config file, or backend endpoint instead of hardcoding it in the CLI.
- Make the CLI fail with a clear message when status data requires credentials that are not configured.
- Add a lightweight secret scanning check in CI.
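As an added example of the second and third items above (not code from this repository), the sketch below loads the key from an environment variable, fails with a clear message when it is not set, and never echoes the key value in errors. The variable name HEALTHCHECKS_API_KEY, the base URL and the /api/v3/checks/ path are assumptions for the example; the X-Api-Key header is how the Healthchecks management API authenticates requests.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"os"
	"strings"
)

// envAPIKey is the environment variable the CLI reads instead of a compiled-in key.
// The variable name is an assumption for this example, not one the repository defines.
const envAPIKey = "HEALTHCHECKS_API_KEY"

// ErrMissingAPIKey is the clear, non-sensitive error the CLI surfaces when status
// data needs credentials that are not configured. It never includes a key value.
var ErrMissingAPIKey = errors.New("healthchecks API key not configured: set " + envAPIKey + " (a read-only key is sufficient)")

// loadAPIKey resolves the key through a lookup function so production code passes
// os.LookupEnv and tests pass a map-backed lookup. Whitespace-only values count as unset.
func loadAPIKey(lookup func(string) (string, bool)) (string, error) {
	v, ok := lookup(envAPIKey)
	v = strings.TrimSpace(v)
	if !ok || v == "" {
		return "", ErrMissingAPIKey
	}
	return v, nil
}

// fetchStatus calls the Healthchecks management API for the list of checks, sending
// the key in the X-Api-Key header. baseURL is the Healthchecks instance; the endpoint
// path /api/v3/checks/ is assumed here for illustration.
func fetchStatus(client *http.Client, baseURL, apiKey string) ([]byte, error) {
	req, err := http.NewRequest(http.MethodGet, strings.TrimRight(baseURL, "/")+"/api/v3/checks/", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("X-Api-Key", apiKey)
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusUnauthorized || resp.StatusCode == http.StatusForbidden {
		// Say what to fix; do not put the rejected key in the error or any log line.
		return nil, fmt.Errorf("healthchecks rejected the API key (HTTP %d): check %s", resp.StatusCode, envAPIKey)
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("healthchecks status request failed: HTTP %d", resp.StatusCode)
	}
	return io.ReadAll(resp.Body)
}

func main() {
	key, err := loadAPIKey(os.LookupEnv)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(2)
	}
	body, err := fetchStatus(http.DefaultClient, "https://healthchecks.io", key)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	os.Stdout.Write(body)
}
```

Taking the lookup function as a parameter is what makes the "not configured" path unit-testable without touching the process environment; the same shape works for a config-file or backend-endpoint source by swapping the lookup.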
Relevant file
internal/status/status.go