If an API key is required, provide a link to the service's documentation in a comment above the variable.

How to Use It
A developer uses a real API key as a "placeholder" in .env.sample and commits it. Use automated secret scanning (e.g., Gitleaks, TruffleHog) on every commit. Flag any commit containing a string that looks like sk_live_, password=, or AKIA (AWS keys).

.env.sample
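The check described above, sketched as an added example (not code from the original page, and not the rule set of Gitleaks or TruffleHog): it scans the text of an env-style file for the three markers named here. The regexes, the placeholder list, the function name `scan_env_sample` and the sample values are assumptions constructed for this illustration.

```python
import re

# Token shapes for the markers named in the text (regexes are assumptions).
TOKEN_PATTERNS = {
    "sk_live_ key": re.compile(r"sk_live_[0-9A-Za-z]{8,}"),
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
PASSWORD_KEY = re.compile(r"password", re.IGNORECASE)
# Values accepted as obvious placeholders (assumed list; extend per project).
PLACEHOLDER = re.compile(r"^(|changeme|your[-_a-z0-9]*|example|x{3,}|<[^>]*>)$",
                         re.IGNORECASE)

# Constructed values that only have the right shape; they are not real keys.
FAKE_SK = "sk_live_" + "0" * 24
FAKE_AKIA = "AKIA" + "EXAMPLE0" * 2

# Constructed .env.sample content.
SAMPLE = "\n".join([
    "# Payment provider key: see the provider's documentation",
    "PAYMENT_API_KEY=your_api_key_here",
    "AWS_ACCESS_KEY_ID=" + FAKE_AKIA,
    "DB_PASSWORD=changeme",
    "ADMIN_PASSWORD='Tr0ub4dor-constructed'",
    "# PAYMENT_API_KEY=" + FAKE_SK,
])

def scan_env_sample(text):
    """Return (line_number, reason) for every suspicious line."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        # Token-shaped strings are flagged anywhere, including in comments:
        # a commented-out real key is still committed to history.
        hit = next((n for n, rx in TOKEN_PATTERNS.items() if rx.search(raw)), None)
        if hit:
            findings.append((lineno, hit))
            continue
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip().strip("'\"")
        # password= is only a problem when the value is not a placeholder.
        if PASSWORD_KEY.search(key) and not PLACEHOLDER.match(value):
            findings.append((lineno, "password with non-placeholder value"))
    return findings

if __name__ == "__main__":
    for lineno, reason in scan_env_sample(SAMPLE):
        print(f".env.sample:{lineno}: {reason}")
```

Run from a pre-commit hook or CI job, a non-empty result would fail the commit; a dedicated scanner covers far more token formats than these three.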