Use of Hard-coded Credentials
The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
Hard-coded credentials typically create a significant hole that allows an attacker to bypass the authentication that has been configured by the product administrator. This hole might be difficult for the system administrator to detect.
Prevalencia
Alta
Frecuentemente explotada
Impacto
Crítico
6 reglas de severidad crítica
Prevención
Documentada
11 ejemplos de corrección
2 Prevención
2 Prevención
Cómo corregir esta vulnerabilidad
Estrategias de prevención para Hardcoded Credentials basadas en 11 reglas de detección de Shoulder.
Python
Ver todo Python detalles →
Django Insecure SECRET_KEY
CRITICAL
Load SECRET_KEY from environment variables, never commit it to source control
# settings.py - SECRET_KEY = 'django-insecure-abc123def456' + import os + + SECRET_KEY = os.environ['DJANGO_SECRET_KEY']
Hardcoded Credentials
HIGH
Store all credentials in environment variables or a secrets manager, never in code
- password = "super_secret_password" - api_key = "sk-abc123456789xyz" - db_password = "db_p@ssw0rd_2024" + import os + + password = os.environ['APP_PASSWORD'] + api_key = os.environ['API_KEY'] + db_password = os.environ['DB_PASSWORD']
Hardcoded Secrets / Credentials
HIGH
Load all secrets from environment variables or a secrets manager
- SECRET_KEY = 'django-insecure-abc123def456' - API_KEY = 'sk-proj-abc123456789' - DATABASE_PASSWORD = 'super_secret_123' + import os + + SECRET_KEY = os.environ['SECRET_KEY'] + API_KEY = os.environ['API_KEY'] + DATABASE_PASSWORD = os.environ['DB_PASSWORD']
Docker
Ver todo Docker detalles →
Docker Secrets and Security Best Practices
CRITICAL
Use BuildKit secrets or runtime environment variables instead of hardcoded credentials
- FROM node:24-alpine - ENV DATABASE_PASSWORD=supersecret123 - ARG API_KEY=sk_live_abc123 - WORKDIR /app + # syntax=docker/dockerfile:1 + FROM node:24-alpine + WORKDIR /app + RUN --mount=type=secret,id=db_pass \ + cat /run/secrets/db_pass > /dev/null COPY . .
Hardcoded Secrets in Source Code
CRITICAL
Load secrets from environment variables or a secrets manager instead of hardcoding
package main - const ( - APIKey = "sk-1234567890abcdefghijklmnop" - DBPassword = "superSecretPassword123" - ) - - func connectDB() (*sql.DB, error) { - connStr := "postgres://admin:superSecretPassword123@localhost:5432/db" + import "os" + + func connectDB() (*sql.DB, error) { + apiKey := os.Getenv("API_KEY") + if apiKey == "" { + log.Fatal("API_KEY not set") + } + dbPass := os.Getenv("DB_PASSWORD") + connStr := fmt.Sprintf("postgres://admin:%s@localhost:5432/db", dbPass) return sql.Open("postgres", connStr) }
JavaScript
Ver todo JavaScript detalles →
Hardcoded Secret in Environment Variable Fallback
HIGH
Never use hardcoded fallbacks for secrets; fail fast if environment variables are missing
- const JWT_SECRET = process.env.JWT_SECRET || 'my-insecure-secret-key'; + function getRequiredEnv(name) { + const value = process.env[name]; + if (!value) throw new Error(`Required env var ${name} is not set`); + return value; + } + const JWT_SECRET = getRequiredEnv('JWT_SECRET');
Hardcoded Credentials
HIGH
Load credentials from environment variables instead of hardcoding in source code
- const connection = mysql.createConnection({ - host: 'localhost', - user: 'root', - password: 'admin123', - database: 'myapp' + require('dotenv').config(); + const connection = mysql.createConnection({ + host: process.env.DB_HOST, + user: process.env.DB_USER, + password: process.env.DB_PASSWORD, + database: process.env.DB_NAME });
Hardcoded High-Entropy Secrets Detection
CRITICAL
Move secrets to environment variables using dotenv or a secret manager
- const apiKey = 'sk_live_abc123def456ghi789'; + require('dotenv').config(); + const apiKey = process.env.STRIPE_API_KEY;
Kubernetes
Ver todo Kubernetes detalles →
Hardcoded Secrets in Manifest
CRITICAL
Use Kubernetes Secrets with secretKeyRef instead of hardcoding credentials in manifests
apiVersion: v1 kind: Pod spec: containers: - name: app env: - name: DB_PASSWORD - value: "super-secret-password" + valueFrom: + secretKeyRef: + name: db-secret + key: password
Prácticas clave
- loaded from environment variables or secure secret management systems
- stored in environment variables or secure vaults
- stored in environment variables or secure vaults, never committed to version control
3 Detección
3 Detección
Encuentra vulnerabilidades en tu código
Usa Shoulder para escanear tu código en busca de patrones Use of Hard-coded Credentials. 11 reglas.
# Scan with Shoulder CLI npx @shoulderdev/cli trust --cwe=798 # Or scan entire project npx @shoulderdev/cli trust .
Reglas de Detección (11)
🟨
Javascript
5 rules
Hardcoded Secret in Environment Variable Fallback
HIGH
Detects hardcoded secrets used as fallback values for environment variables.
Pattern: `process.env.SECRET || 'hardcoded-value'`
This is dangerous because:
- If the environment variable is not set, the hardcoded value is used
- Developers often forget to set env vars in production
- The hardcoded fallback may be committed to version control
- Creates false sense of security ("we use env vars")
This is particularly common with:
- JWT secrets
- API keys
- Database passwords
- Encryption keys
Hardcoded Credentials
HIGH
Detects hardcoded credentials (passwords, API keys, tokens) in database connections
and configuration objects. Credentials should be loaded from environment variables
or secure secret management systems.
This is different from CWE-259 (weak password):
- CWE-798: Any credential hardcoded in source code (security risk)
- CWE-259: Specifically weak/guessable passwords
Even a "strong" password is a security risk if hardcoded because:
- It gets committed to version control
- It's difficult to rotat
Hardcoded High-Entropy Secrets Detection
CRITICAL
Detects hardcoded secrets with high entropy (randomness) that indicate real credentials.
This rule uses entropy analysis to avoid false positives from:
- Example/placeholder values ("keyboard cat", "your-secret-here")
- Test fixtures ("test123", "fake-api-key")
- Short/simple strings ("secret", "password")
Only flags strings that appear to be REAL secrets:
- High entropy (random-looking characters)
- Sufficient length (20+ characters for API keys)
- Known secret patterns (AWS keys, JWT tokens,
Hardcoded Secrets in Security Operations
CRITICAL
Detects hardcoded secrets (API keys, tokens, passwords) flowing into security-sensitive
operations. Uses taint analysis to track hardcoded secret strings from their definition
to actual usage in authentication, API calls, or cryptographic operations.
This approach reduces false positives by only flagging secrets that are actually used,
not just defined in comments, examples, or unused variables.
Security Issues in Test Files
LOW
Detects security anti-patterns in test files that could leak into production.
While test files don't run in production, they can still pose security risks:
1. **Hard-coded credentials** - Test credentials committed to repos
2. **Real API keys** - Production keys used in tests
3. **Exposed secrets** - Secrets in test fixtures or mocks
4. **Insecure test patterns** - Patterns that might be copy-pasted to production
This rule helps maintain test hygiene and prevents credential leaks.
🔷
Typescript
5 rules
Hardcoded Secret in Environment Variable Fallback
HIGH
Detects hardcoded secrets used as fallback values for environment variables.
Pattern: `process.env.SECRET || 'hardcoded-value'`
This is dangerous because:
- If the environment variable is not set, the hardcoded value is used
- Developers often forget to set env vars in production
- The hardcoded fallback may be committed to version control
- Creates false sense of security ("we use env vars")
This is particularly common with:
- JWT secrets
- API keys
- Database passwords
- Encryption keys
Hardcoded Credentials
HIGH
Detects hardcoded credentials (passwords, API keys, tokens) in database connections
and configuration objects. Credentials should be loaded from environment variables
or secure secret management systems.
This is different from CWE-259 (weak password):
- CWE-798: Any credential hardcoded in source code (security risk)
- CWE-259: Specifically weak/guessable passwords
Even a "strong" password is a security risk if hardcoded because:
- It gets committed to version control
- It's difficult to rotat
Hardcoded High-Entropy Secrets Detection
CRITICAL
Detects hardcoded secrets with high entropy (randomness) that indicate real credentials.
This rule uses entropy analysis to avoid false positives from:
- Example/placeholder values ("keyboard cat", "your-secret-here")
- Test fixtures ("test123", "fake-api-key")
- Short/simple strings ("secret", "password")
Only flags strings that appear to be REAL secrets:
- High entropy (random-looking characters)
- Sufficient length (20+ characters for API keys)
- Known secret patterns (AWS keys, JWT tokens,
Hardcoded Secrets in Security Operations
CRITICAL
Detects hardcoded secrets (API keys, tokens, passwords) flowing into security-sensitive
operations. Uses taint analysis to track hardcoded secret strings from their definition
to actual usage in authentication, API calls, or cryptographic operations.
This approach reduces false positives by only flagging secrets that are actually used,
not just defined in comments, examples, or unused variables.
Security Issues in Test Files
LOW
Detects security anti-patterns in test files that could leak into production.
While test files don't run in production, they can still pose security risks:
1. **Hard-coded credentials** - Test credentials committed to repos
2. **Real API keys** - Production keys used in tests
3. **Exposed secrets** - Secrets in test fixtures or mocks
4. **Insecure test patterns** - Patterns that might be copy-pasted to production
This rule helps maintain test hygiene and prevents credential leaks.
🐍
Python
3 rules
Django Insecure SECRET_KEY
CRITICAL
Detects Django SECRET_KEY that is hardcoded, weak, or uses default values.
The SECRET_KEY is used for cryptographic signing and must be kept secret
and changed in production.
Hardcoded Credentials
HIGH
Detects hardcoded passwords, API keys, tokens, and other credentials in source
code. Credentials should be stored in environment variables or secure vaults.
Hardcoded Secrets / Credentials
HIGH
Detects hardcoded secrets, passwords, API keys, and cryptographic keys in
source code. Secrets should be stored in environment variables or secure
vaults, never committed to version control.
🐳
Dockerfile
1 rules
🐹
Go
1 rules
4 Señales de Alerta
4 Señales de Alerta
Qué buscar en las revisiones de código
Estos patrones indican vulnerabilidades potenciales de Use of Hard-coded Credentials. Búscalos durante las revisiones de código y auditorías de seguridad.
Hardcoded secret used as fallback for environment variable.
Code: ...
If the environment variable is not set, this har
javascript-env-fallback-secrets
hardcoded secrets used as fallback values for environment variables
javascript-env-fallback-secrets
Hardcoded credential detected in ...
Credentials should never be stored in source code.
javascript-hardcoded-credentials
hardcoded credentials (passwords, API keys, tokens) in database connections
and configuration object
javascript-hardcoded-credentials
hardcoded passwords, API keys, tokens, and other credentials in source
code
python-hardcoded-credentials
Test file contains hard-coded credentials at line ...
javascript-test-security-issues
security anti-patterns in test files that could leak into production
javascript-test-security-issues
Django SECRET_KEY that is hardcoded, weak, or uses default values
django-insecure-secret-key
Escanea tu base de código para Use of Hard-coded Credentials
Shoulder CLI encuentra patrones vulnerables en toda tu base de código.