Version: 0.16.1

KR-MCP-002: Hardcoded Secrets in Kiro MCP env - Kiro MCP

Summary

  • Rule ID: KR-MCP-002
  • Severity: MEDIUM
  • Category: Kiro MCP
  • Normative Level: SHOULD
  • Auto-Fix: No
  • Verified On: 2026-03-02

Applicability

  • Tool: kiro
  • Version Range: unspecified
  • Spec Revision: unspecified

Evidence Sources

Test Coverage Metadata

  • Unit tests: true
  • Fixture tests: true
  • E2E tests: false

Examples

The following examples demonstrate what triggers this rule and how to fix it.

Invalid

{
  "mcpServers": {
    "server": {
      "command": "node",
      "env": {"API_KEY": "hardcoded-secret"}
    }
  }
}

Valid

{
  "mcpServers": {
    "server": {
      "command": "node",
      "env": {"API_KEY": "${API_KEY}"}
    }
  }
}
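The check behind this rule can be reproduced with a few lines of Python. The script below is an added illustration, not the Kiro tooling's own implementation: it loads an MCP server config, walks every server's `env` block, and reports any secret-looking key whose value is a literal rather than a `${NAME}` reference resolved from the process environment. The two sample configs mirror the Invalid and Valid examples above. Which key names count as secret-bearing is an assumption here (the rule text does not list them), encoded in `SECRET_KEY_HINT`; the masked output avoids echoing a leaked value back into a log.

```python
import json
import re

# Constructed sample configs matching the rule's Invalid and Valid examples.
INVALID_CONFIG = json.dumps({
    "mcpServers": {
        "server": {"command": "node", "env": {"API_KEY": "hardcoded-secret"}}
    }
})

VALID_CONFIG = json.dumps({
    "mcpServers": {
        "server": {"command": "node", "env": {"API_KEY": "${API_KEY}"}}
    }
})

# A value is accepted only when it is exactly one ${NAME} expansion;
# "${API_KEY}-suffix" or a bare literal are both treated as hardcoded.
ENV_REF = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*\}$")

# Assumption: key names that usually carry credentials. The rule page does
# not enumerate these, so this list is a heuristic, not Kiro's definition.
SECRET_KEY_HINT = re.compile(
    r"(key|secret|token|password|passwd|credential)", re.IGNORECASE
)


def find_hardcoded_secrets(config_text):
    """Return [(server_name, env_key, value)] for every KR-MCP-002 finding."""
    config = json.loads(config_text)
    findings = []
    servers = config.get("mcpServers", {})
    if not isinstance(servers, dict):
        return findings
    for server_name, server in servers.items():
        env = server.get("env", {}) if isinstance(server, dict) else {}
        if not isinstance(env, dict):
            continue
        for key, value in env.items():
            if not isinstance(value, str) or not value:
                continue  # non-string or empty values carry no secret
            if ENV_REF.match(value):
                continue  # resolved from the environment at launch: compliant
            if SECRET_KEY_HINT.search(key):
                findings.append((server_name, key, value))
    return findings


def mask(value, keep=2):
    """Show only the first `keep` characters so reports do not re-leak the secret."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def format_findings(findings):
    """One report line per finding, tagged with the rule ID and severity."""
    return [
        f"KR-MCP-002 [MEDIUM] mcpServers.{server}.env.{key} is a literal "
        f"({mask(value)}); use \"${{{key}}}\" instead"
        for server, key, value in findings
    ]


if __name__ == "__main__":
    for label, cfg in (("Invalid", INVALID_CONFIG), ("Valid", VALID_CONFIG)):
        lines = format_findings(find_hardcoded_secrets(cfg))
        print(f"{label}: {len(lines)} finding(s)")
        for line in lines:
            print("  " + line)
```

Running the script reports one finding for the Invalid config and none for the Valid one. Because the rule cannot be auto-fixed, the report only names the offending key and suggests the `${NAME}` form; moving the actual value into the environment is left to the operator.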