Python Forum
Why auto-fixing secrets in CI doesn’t really work
#1
Hello,
I’ve been experimenting with automatically fixing hardcoded secrets in Python projects. The idea seemed straightforward at first:

Detect secrets in CI → replace them with environment variables → done.

From a technical standpoint, it works. You can reliably perform safe transformations using AST-based rewrites and keep everything deterministic. The problem is that people generally don’t like CI modifying their code.

Even when the changes are safe, it still feels uncomfortable. The main concerns I kept hearing were:

CI should remain read-only
Developers want visibility before changes are applied
Auto-fixing in CI feels like losing control of the codebase

After some reflection, I tend to agree. What seems to work better is separating concerns:

CI → detection only (fail the build if secrets are found)
Fixes → handled locally via pre-commit hooks or manual changes

This way, CI enforces the policy without directly altering the code.

Curious how others handle this—do you allow CI to auto-fix issues, or do you keep it strictly read-only?
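The split the opening post arrives at (CI detects and fails the build, the fix is applied locally through an AST rewrite) can be shown end to end in one small tool. The code below is an added example written for this thread, not the poster's tool: it assumes a "secret" is a string literal assigned to a name containing one of a few hints (SECRET, TOKEN, PASSWORD, API_KEY) or a long space-free literal with high character entropy, that the fix replaces the literal with `os.environ[NAME]` (NAME being the variable name upper-cased) and inserts `import os` if missing, and that it runs on Python 3.9+ because it uses `ast.unparse`. The sample module, the placeholder key and the heuristic thresholds are all constructed for the illustration.

```python
# Added example (not from the thread): a secret scanner with a read-only CI mode
# (--check, exit 1 on findings) and a local fix mode (--fix, AST rewrite).
# All names, thresholds and the sample source below are constructed assumptions.
import ast
import math
import sys
from collections import Counter

SECRET_NAME_HINTS = ("SECRET", "TOKEN", "PASSWORD", "PASSWD", "API_KEY", "APIKEY")
MIN_RANDOM_LEN = 32          # assumption: shorter literals are judged by name only
ENTROPY_THRESHOLD = 3.5      # assumption: bits/char above which a literal "looks random"

# Constructed sample module; the key value is a placeholder, not a real credential.
SAMPLE = '''\
import requests

API_KEY = "sk_test_000000000000000000000000"
DB_PASSWORD = "hunter2"
CONFIG_BLOB = "aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vW"
GREETING = "hello world"
BANNER = "This service is for authorized users only."
TIMEOUT = 30
'''


def _entropy(text):
    """Shannon entropy in bits per character."""
    counts, n = Counter(text), len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _looks_secret(name, value):
    if any(hint in name.upper() for hint in SECRET_NAME_HINTS):
        return True
    return len(value) >= MIN_RANDOM_LEN and " " not in value and _entropy(value) >= ENTROPY_THRESHOLD


def _string_assignment(node):
    """Return (Name target, Constant value) for `NAME = "..."`, else None."""
    if isinstance(node, ast.Assign) and len(node.targets) == 1:
        target, value = node.targets[0], node.value
    elif isinstance(node, ast.AnnAssign) and node.value is not None:
        target, value = node.target, node.value
    else:
        return None
    if isinstance(target, ast.Name) and isinstance(value, ast.Constant) and isinstance(value.value, str):
        return target, value
    return None


def check_source(source, filename="<memory>"):
    """CI mode: report (filename, line, name) findings; never modifies anything."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        hit = _string_assignment(node)
        if hit and _looks_secret(hit[0].id, hit[1].value):
            findings.append((filename, node.lineno, hit[0].id))
    return findings


class _SecretRewriter(ast.NodeTransformer):
    """Replace each flagged literal with os.environ[NAME]; records NAMEs in order."""

    def __init__(self):
        self.rewritten = []

    def _rewrite(self, node):
        hit = _string_assignment(node)
        if hit and _looks_secret(hit[0].id, hit[1].value):
            env_name = hit[0].id.upper()
            lookup = ast.Subscript(
                value=ast.Attribute(value=ast.Name(id="os", ctx=ast.Load()), attr="environ", ctx=ast.Load()),
                slice=ast.Constant(value=env_name),
                ctx=ast.Load(),
            )
            node.value = ast.copy_location(lookup, node.value)
            self.rewritten.append(env_name)
        return node

    visit_Assign = _rewrite
    visit_AnnAssign = _rewrite


def fix_source(source):
    """Local mode: return (rewritten source, env var names). Same input, same output."""
    tree = ast.parse(source)
    rewriter = _SecretRewriter()
    tree = rewriter.visit(tree)
    body = tree.body
    has_os = any(isinstance(n, ast.Import) and any(a.name == "os" for a in n.names) for n in body)
    if rewriter.rewritten and not has_os:
        idx = 0  # insert after a module docstring and any `from __future__` imports
        if body and isinstance(body[0], ast.Expr) and isinstance(body[0].value, ast.Constant) \
                and isinstance(body[0].value.value, str):
            idx = 1
        while idx < len(body) and isinstance(body[idx], ast.ImportFrom) and body[idx].module == "__future__":
            idx += 1
        body.insert(idx, ast.Import(names=[ast.alias(name="os")]))
    ast.fix_missing_locations(tree)
    return ast.unparse(tree), rewriter.rewritten


def main(argv):
    """`--check FILE...` for CI (read-only, exit 1 on findings); `--fix FILE...` locally."""
    if len(argv) < 2 or argv[0] not in ("--check", "--fix"):
        print("usage: secrets.py --check|--fix FILE...")
        return 2
    status = 0
    for path in argv[1:]:
        with open(path, encoding="utf-8") as fh:
            source = fh.read()
        if argv[0] == "--check":
            for fname, line, name in check_source(source, path):
                print(f"{fname}:{line}: hardcoded secret assigned to {name}")
                status = 1
        else:
            new_source, names = fix_source(source)
            if names:
                with open(path, "w", encoding="utf-8") as fh:
                    fh.write(new_source + "\n")
                print(f"{path}: moved {', '.join(names)} to environment variables")
    return status


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Running `--check` in CI only reads the files and fails the job, while `--fix` is what a pre-commit hook would invoke so the developer sees the diff before committing. One caveat that matters for the "people don't like CI rewriting their code" point: `ast.unparse` discards comments and original formatting, so even a semantically safe rewrite produces a noisier diff than the developer expects; a concrete-syntax-tree library (such as LibCST) preserves them, which is another argument for keeping the rewrite local where a human reviews it.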
#2
(Apr-29-2026, 03:40 AM)alvacurdy Wrote: [quotes post #1 above in full]

I tend to keep CI read-only as well. Auto-fixes are great for local tooling, but having CI modify code can make builds harder to reason about and complicate auditing. A bot opening a PR with the proposed changes feels like a nicer middle ground.