What does 'exposed secret' mean?

Dotvault has spotted a value that looks like an API key or token — matching known patterns from Stripe, GitHub, AWS, and similar — in a file that’s tracked by git and not in .gitignore. The fix is almost always one of two things: add the file to .gitignore, or rotate the secret. Probably both, if it’s already been pushed.
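The check described above, as an added example that is not Dotvault's own code: it scans the files in the git index for three publicly documented token formats. The pattern set, function names and sample values are assumptions chosen for illustration.

```python
import re
import subprocess
from pathlib import Path

# Publicly documented token formats (illustrative subset, not Dotvault's rule set).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "stripe_live_key": re.compile(r"\bsk_live_[A-Za-z0-9]{24,}\b"),
}

def tracked_files(repo):
    """Paths in the git index; .gitignore does not hide a file that is already tracked."""
    out = subprocess.run(["git", "-C", str(repo), "ls-files", "-z"],
                         check=True, capture_output=True).stdout
    return [p.decode("utf-8", "surrogateescape") for p in out.split(b"\0") if p]

def scan_text(text):
    """Return (line_number, rule_name, redacted_match) for every hit."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                # Show only a prefix so the report never echoes the full secret.
                hits.append((n, name, m.group()[:8] + "..."))
    return hits

def scan_repo(repo):
    """Map each tracked file with findings to its list of hits."""
    findings = {}
    for rel in tracked_files(repo):
        try:
            text = (Path(repo) / rel).read_text(encoding="utf-8", errors="ignore")
        except OSError:  # submodule directory, dangling symlink, unreadable file
            continue
        hits = scan_text(text)
        if hits:
            findings[rel] = hits
    return findings

# Constructed sample input: fake values built to fit the formats, not real credentials.
SAMPLE_ENV = ("DEBUG=true\n"
              "AWS_ACCESS_KEY_ID=" + "AKIA" + "EXAMPLE0" * 2 + "\n"
              "GITHUB_TOKEN=" + "ghp_" + "a" * 36 + "\n")

if __name__ == "__main__":
    import sys
    for path, hits in scan_repo(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for n, rule, shown in hits:
            print(f"{path}:{n}: {rule} {shown}")
```

A file that is already in the index stays tracked after it is listed in .gitignore, so this scan keeps reporting it until `git rm --cached <file>` removes it from the index. Neither step changes commits that were already pushed, which is why rotation is the fix in that case.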