
Description

A Codespaces secret named literally PASSWORD (or PASSWORD_1, PASSWORD_PROD, etc.) is a maintenance hazard: the name says nothing about what the credential is for, so rotating it means tracking down every devcontainer that depends on it. Use purpose-specific names that identify the service (NPM_REGISTRY_TOKEN, AZURE_AD_CLIENT_SECRET, GITHUB_PAT_FOR_PRIVATE_PKGS). A generic password name is also a red flag that the same credential is reused across services.

Recommendation

1. Go to Repository or Organization Settings -> Secrets and variables -> Codespaces.
2. Rename PASSWORD / PASSWORD_* secrets to reflect their specific purpose.
3. Update devcontainer.json env mappings.

Policy Rule

{
  "target": "GHCodespacesSecret",
  "if": {
    "allOf": [
      {
        "resource": "GHCodespacesSecret",
        "property": "Name",
        "operator": "notMatch",
        "value": "^PASSWORD(_.*)?$"
      }
    ]
  },
  "then": {
    "effect": "Audit"
  }
}
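As an added example (not part of this rule page or its policy engine), the following Python applies the rule's regex to a constructed Codespaces secrets listing and then rewrites the matching references in a constructed devcontainer.json, which is the work the recommendation's steps 2 and 3 imply. It assumes secrets are forwarded into the container with the ${localEnv:NAME} substitution form, and the replacement names are invented.

```python
import json
import re

# Pattern from the policy rule above: PASSWORD, or PASSWORD_<suffix>, is generic.
GENERIC_PASSWORD_NAME = re.compile(r"^PASSWORD(_.*)?$")

# Constructed sample of GET /repos/{owner}/{repo}/codespaces/secrets (names only).
SAMPLE_SECRETS_RESPONSE = json.dumps({
    "secrets": [
        {"name": "PASSWORD"},
        {"name": "PASSWORD_PROD"},
        {"name": "NPM_REGISTRY_TOKEN"},
        {"name": "PASSWORDS_LEGACY"},  # no underscore after PASSWORD: not flagged
    ],
})

# Constructed devcontainer.json fragment forwarding secrets with ${localEnv:NAME}
# (assumed mapping form; not taken from any real project).
SAMPLE_DEVCONTAINER = json.dumps({
    "name": "api",
    "remoteEnv": {
        "DB_PASSWORD": "${localEnv:PASSWORD_PROD}",
        "NPM_TOKEN": "${localEnv:NPM_REGISTRY_TOKEN}",
    },
    "containerEnv": {"ADMIN_PW": "${localEnv:PASSWORD}"},
})


def find_generic_secret_names(secrets_response: str) -> list[str]:
    """Return the secret names the rule's regex flags, in API order."""
    secrets = json.loads(secrets_response)["secrets"]
    return [s["name"] for s in secrets if GENERIC_PASSWORD_NAME.match(s["name"])]


def rename_env_references(devcontainer: str, renames: dict[str, str]) -> str:
    """Rewrite ${localEnv:OLD} values in remoteEnv/containerEnv to the new names."""
    doc = json.loads(devcontainer)
    for section in ("remoteEnv", "containerEnv"):
        for key, value in doc.get(section, {}).items():
            for old, new in renames.items():
                if value == f"${{localEnv:{old}}}":
                    doc[section][key] = f"${{localEnv:{new}}}"
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    print("generic secret names:", find_generic_secret_names(SAMPLE_SECRETS_RESPONSE))
    # Purpose-specific replacements chosen by the maintainer (invented here).
    renames = {"PASSWORD": "ADMIN_CONSOLE_PASSWORD", "PASSWORD_PROD": "PROD_DB_PASSWORD"}
    print(rename_env_references(SAMPLE_DEVCONTAINER, renames))
```

Codespaces secrets cannot be renamed in place, so the new secret is created and the old one deleted once no devcontainer.json still references it.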

Rule Details
  • Rule ID: DOS5935
  • Code: GH_Repository_Codespaces_Secret_Name_Should_Not_Be_Generic_Password
  • Platform: GitHub
  • Category: repository
  • Severity: medium
  • Type: builtIn