# Use of Hard-coded Credentials (CWE-798)

The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

**Stack:** Docker

- Prevalence: High, frequently exploited
- Impact: Critical (6 rules with critical severity)
- Prevention: Documented (11 fix examples)

**OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7

## Description

Hard-coded credentials typically create a significant hole that allows an attacker to bypass the authentication that has been configured by the product administrator. This hole might be difficult for the system administrator to detect.

## Prevention

Prevention strategies for hardcoded credentials, based on 1 Shoulder detection rule.

### Docker

Use BuildKit secrets or runtime environment variables instead of hardcoded credentials.

## Warning Signs

- [CRITICAL] Dockerfile contains ...: ...
- [CRITICAL] hardcoded secrets in ENV/ARG and piping curl/wget to shell

## Consequences

- Gain privileges
- Bypass protection mechanism

## Mitigations

- Store credentials outside the source code
- Use environment variables or secure credential stores
- Implement appropriate key management practices

## Detection

- Total rules: 11
- Critical: 6
- Languages: python, dockerfile, go, javascript, typescript, yaml

## Rules by Language

### Dockerfile (1 rule)

- **Docker Secrets and Security Best Practices** [CRITICAL]: Detects hardcoded secrets in ENV/ARG and piping curl/wget to shell.
  - Remediation: Use BuildKit secrets instead of hardcoding credentials.

```dockerfile
RUN --mount=type=secret,id=token \
    cat /run/secrets/token
```

Learn more: https://shoulder.dev/learn/docker/cwe-798/secrets-security
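The rule above names two patterns: a literal secret assigned in an `ENV` or `ARG` instruction, and `curl`/`wget` output piped straight into a shell. The POSIX shell script below is an added example, not Shoulder's rule implementation, that scans a Dockerfile for those two patterns and reports each hit with its line number. It writes two constructed Dockerfiles (a "before" with both defects and an "after" that uses the BuildKit secret mount from the remediation snippet) and scans both; the keyword list in the `ENV`/`ARG` regex (`PASS`, `SECRET`, `TOKEN`, `API_KEY`, `PRIVATE_KEY`) is an assumption chosen for this example, not the rule's real matcher.

```shell
#!/bin/sh
# Added example (not Shoulder's own rule code): a minimal Dockerfile scanner for
# the two patterns the Docker rule describes. The sample Dockerfiles written by
# write_samples are constructed for this example.

# scan_dockerfile FILE: print one labelled finding per matching line.
scan_dockerfile() {
    # ENV/ARG whose variable name looks secret-bearing AND carries a literal value.
    # A bare "ARG TOKEN" (no value) is not flagged: nothing is hard-coded there.
    grep -n -i -E '^[[:space:]]*(ENV|ARG)[[:space:]]+[A-Za-z0-9_]*(PASS|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)[A-Za-z0-9_]*[= ][[:space:]]*[^[:space:]]+' "$1" \
        | sed 's/^/hardcoded-credential: line /'
    # curl/wget output piped directly into sh or bash; the trailing guard keeps
    # "| shasum" and similar from matching.
    grep -n -i -E '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$)' "$1" \
        | sed 's/^/pipe-to-shell: line /'
}

# count_findings FILE: number of findings (0 when the file is clean).
count_findings() {
    scan_dockerfile "$1" | wc -l | tr -d ' '
}

# write_samples DIR: write a constructed "before" (Dockerfile.bad) and
# "after" (Dockerfile.good) into DIR. Values are placeholders, not real secrets.
write_samples() {
    cat > "$1/Dockerfile.bad" <<'EOF'
FROM alpine:3.19
ARG API_KEY=sk-example-placeholder
ENV DB_PASSWORD hunter2
RUN curl -sSL https://example.invalid/install.sh | sh
EOF
    cat > "$1/Dockerfile.good" <<'EOF'
FROM alpine:3.19
RUN --mount=type=secret,id=token \
    cat /run/secrets/token
COPY install.sh /tmp/install.sh
RUN sh /tmp/install.sh
EOF
}

# Demo: write both samples into a temp dir and scan them.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "--- Dockerfile.bad: $(count_findings "$demo_dir/Dockerfile.bad") finding(s)"
scan_dockerfile "$demo_dir/Dockerfile.bad"
echo "--- Dockerfile.good: $(count_findings "$demo_dir/Dockerfile.good") finding(s)"
scan_dockerfile "$demo_dir/Dockerfile.good"
rm -rf "$demo_dir"
```

Run it as `sh scan.sh`; the "bad" file yields three findings (the `ARG`, the `ENV`, and the `curl | sh` line) and the "good" file yields none, because the secret is read from `/run/secrets/token` at build time and never written into an image layer. A name-based regex like this is deliberately conservative: it will miss a secret assigned to an innocuously named variable, so treat it as a cheap pre-commit check rather than a replacement for a full secret scanner.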