Hardcoded API Key Exposure in arubis/railsgoat-vulnerability-demo Repository
A critical security vulnerability has been identified in the GitHub repository `arubis/railsgoat-vulnerability-demo`. The automated security scanner RSOLV detected a hardcoded, sensitive API key within the codebase, classified as a Sensitive Data Exposure (CWE-798, OWASP A07:2021). The vulnerability is located in the file `config/initializers/key.rb` at line 16, where a static key string `"123456789101112123456789101112123456789101112"` is defined. This practice of embedding secrets directly in source code poses a severe risk, as it can lead to unauthorized access and compromise of the application if the code is exposed, such as in a public repository. The finding was automatically generated on March 4, 2026, and the repository maintainers are advised to review and remediate the issue by removing the hardcoded secret and implementing secure secret management practices, such as using environment variables or a dedicated secrets manager.
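As an added example (not code from the railsgoat-vulnerability-demo repository or from RSOLV), the following Ruby shows the weak pattern the finding describes next to a fail-closed loader that reads the key from the environment, plus a small detector that flags long literal secrets assigned in Ruby source. The identifiers `RAILSGOAT_API_KEY`, `load_api_key` and `find_hardcoded_secrets` and the sample initializer contents are assumptions modelled on the finding.

```ruby
# Added example, not code from railsgoat-vulnerability-demo or RSOLV.
# Identifiers (RAILSGOAT_API_KEY, load_api_key, find_hardcoded_secrets) and
# the sample file contents are assumptions modelled on the finding.

# Weak pattern described by the finding: a static key literal in an initializer.
#   KEY = "123456789101112123456789101112123456789101112"

# Hardened loader: the key is read from the environment at boot and the
# process refuses to start when it is missing or blank, so a misconfiguration
# cannot quietly fall back to an empty or default secret.
def load_api_key(env = ENV, name = "RAILSGOAT_API_KEY")
  value = env.fetch(name) { raise KeyError, "#{name} is not set" }
  raise ArgumentError, "#{name} is blank" if value.strip.empty?
  value
end

# Detector: flags assignments whose right-hand side is a long quoted literal
# of key-like characters, the shape a hardcoded API key usually takes.
# Assignments that read from ENV or use short strings are not reported.
SECRET_ASSIGNMENT = /\A\s*([A-Za-z_]\w*)\s*=\s*(["'])([A-Za-z0-9+\/=_-]+)\2/

# Returns [[line_number, identifier], ...] for each suspicious assignment.
def find_hardcoded_secrets(source, min_length: 20)
  hits = []
  source.each_line.with_index(1) do |line, lineno|
    m = SECRET_ASSIGNMENT.match(line)
    hits << [lineno, m[1]] if m && m[3].length >= min_length
  end
  hits
end

# Constructed sample initializer: one hardcoded key, one environment lookup,
# one harmless short string.
SAMPLE_SOURCE = <<~RUBY
  # config/initializers/key.rb (constructed sample)
  APP_NAME = "railsgoat"
  KEY = "123456789101112123456789101112123456789101112"
  SAFE_KEY = ENV.fetch("RAILSGOAT_API_KEY")
RUBY

if __FILE__ == $PROGRAM_NAME
  find_hardcoded_secrets(SAMPLE_SOURCE).each do |lineno, name|
    puts "line #{lineno}: hardcoded secret assigned to #{name}"
  end
end
```

Running the detector over the constructed sample reports only the `KEY` line; the `ENV.fetch` lookup and the short application name are left alone.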