Sensitive information such as passwords or API keys should be stored safely, especially if the constant is made available for use in the client. The alternative is to store the sensitive data encrypted in an entity with no access rules.
To determine whether a constant is sensitive, ACR checks if the constant name contains a sensitive keyword such as "password" or "key". The list of sensitive keywords is configurable, e.g. "password,key", and matching is not case sensitive.
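The following is an added example, not ACR's own code, of the name-based check described above: it parses a configurable keyword list such as "password,key", matches constant names case-insensitively, and reports constants that are exposed to the client with a higher severity. The `Constant` class, the `exposed_to_client` attribute, and the sample constants are constructed for illustration and are assumptions, not part of the page.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Constant:
    # Hypothetical representation of a constant in a project (assumption)
    name: str                # qualified constant name, e.g. "Module.ApiKey"
    exposed_to_client: bool  # whether the constant is made available to the client

def parse_keywords(config: str) -> List[str]:
    """Parse the configurable keyword list, e.g. "password,key".
    Keywords are trimmed and lower-cased so matching is not case sensitive."""
    return [kw.strip().lower() for kw in config.split(",") if kw.strip()]

def is_sensitive(name: str, keywords: List[str]) -> bool:
    """A constant counts as sensitive when its name contains any keyword (substring match)."""
    lowered = name.lower()
    return any(kw in lowered for kw in keywords)

def find_violations(constants: List[Constant], config: str = "password,key") -> List[Tuple[str, str]]:
    """Return (constant name, severity) for every constant whose name looks sensitive.
    A sensitive constant exposed to the client is rated "high"; one kept server-side is "medium",
    since it is still plaintext configuration rather than encrypted data in an entity without access rules."""
    keywords = parse_keywords(config)
    findings = []
    for c in constants:
        if not is_sensitive(c.name, keywords):
            continue
        severity = "high" if c.exposed_to_client else "medium"
        findings.append((c.name, severity))
    return findings

# Constructed sample input. Note that "Cache.KeyPrefix" is flagged because the
# heuristic is a pure name match: reviewers should expect such false positives
# and tune the keyword list accordingly.
SAMPLE_CONSTANTS = [
    Constant("Integration.ApiKey", exposed_to_client=True),
    Constant("Mail.SmtpPassword", exposed_to_client=False),
    Constant("App.PageSize", exposed_to_client=False),
    Constant("Cache.KeyPrefix", exposed_to_client=True),
    Constant("App.Theme", exposed_to_client=True),
]

if __name__ == "__main__":
    for name, severity in find_violations(SAMPLE_CONSTANTS):
        print(f"{severity.upper():7} sensitive constant: {name}")
```

Because the check is purely lexical, a narrower keyword list reduces noise but may miss constants with unusual names, so the configured list should be reviewed alongside the findings rather than treated as exhaustive.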
Noncompliant example:
Compliant example:
Sensitive information is stored in the database or in some other way.