=== How does this work?

While the noncompliant code example contains a hard-coded password, the
compliant solution retrieves the secret's value from its environment. This
allows to have an environment-dependent secret value and avoids storing the
password in the source code itself.

Depending on the application and its underlying infrastructure, how the secret
gets added to the environment might change.