# Use of Hard-coded Credentials (CWE-798)

The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

**Stack:** Go

- Prevalence: High, frequently exploited
- Impact: Critical, 6 critical-severity rules
- Prevention: Documented, 11 remediation examples

**OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7

## Description

Hard-coded credentials typically create a significant hole that allows an attacker to bypass the authentication that has been configured by the product administrator. This hole might be difficult for the system administrator to detect: the credential is identical in every deployment, cannot be changed without shipping a new build, and is exposed to anyone who can read the binary or the repository history.

## Prevention

Prevention strategies for Hardcoded Credentials, based on 1 Shoulder detection rule.

### Go

Load secrets from environment variables or a secrets manager instead of hardcoding them.

## Consequences

- Gain privileges
- Bypass protection mechanism

## Mitigations

- Store credentials outside the source code
- Use environment variables or secure credential stores
- Implement proper key-management procedures
- Treat any credential that was ever committed as compromised: deleting it from the current revision does not remove it from version-control history, so rotate it

## Detection

- Total rules: 11
- Critical: 6
- Languages: python, dockerfile, go, javascript, typescript, yaml

## Rules by Language

### Go (1 rule)

- **Hardcoded Secrets in Source Code** [CRITICAL]: API keys, passwords, or tokens hardcoded in source code.
  - Remediation: Load secrets from environment variables instead of hardcoding them.

```go
package main

import ("log"; "os")

func main() {
	apiKey := os.Getenv("API_KEY") // read at startup, never written into source
	if apiKey == "" {
		log.Fatal("API_KEY not set") // fail closed rather than run with an empty key
	}
	_ = apiKey
}
```

Learn more: https://shoulder.dev/learn/go/cwe-798/hardcoded-secrets
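The Go remediation above reads a single key from the environment. The following is an added example, not part of the Shoulder page or its rule set, that shows the two halves a practitioner usually wants together: a `LoadSecret` loader that takes its value from an ordered list of sources (the environment first, then a stand-in for a secrets manager) and fails closed when nothing supplies it, and a `FindHardcodedSecrets` scanner that applies the same kind of check the rule describes to a constructed Go source snippet. `SecretSource`, `EnvSource`, `MapSource`, `Finding`, the regular expression and the sample source are all assumptions made for this example; a production `SecretSource` would wrap a real secrets-manager client.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"regexp"
	"strings"
)

// SecretSource abstracts where a secret comes from so the same code path
// serves environment variables in development and a secrets manager in
// production. (Assumed interface for this example.)
type SecretSource interface {
	Lookup(name string) (string, bool)
}

// EnvSource reads secrets from process environment variables.
type EnvSource struct{}

func (EnvSource) Lookup(name string) (string, bool) { return os.LookupEnv(name) }

// MapSource is a constructed stand-in for a secrets-manager client; a real
// implementation would call the manager's API instead of reading a map.
type MapSource map[string]string

func (m MapSource) Lookup(name string) (string, bool) { v, ok := m[name]; return v, ok }

// ErrMissingSecret is returned when no source can supply the named secret.
var ErrMissingSecret = errors.New("secret not configured")

// LoadSecret tries each source in order and fails closed: a missing or
// blank value is an error, never a silent fallback to a built-in default.
func LoadSecret(name string, sources ...SecretSource) (string, error) {
	for _, s := range sources {
		if v, ok := s.Lookup(name); ok && strings.TrimSpace(v) != "" {
			return v, nil
		}
	}
	return "", fmt.Errorf("%w: %s", ErrMissingSecret, name)
}

// hardcodedSecret matches a non-empty string literal assigned to an
// identifier whose name suggests a credential (key, secret, password, token).
// A value read via os.Getenv/os.LookupEnv has no literal after '=' and so
// does not match.
var hardcodedSecret = regexp.MustCompile(
	`(?i)\b(\w*(?:api[_-]?key|secret|passw(?:or)?d|token)\w*)\s*(?::=|=)\s*"([^"]+)"`)

// Finding is one suspected hard-coded credential in scanned source.
type Finding struct {
	Line  int
	Ident string
}

// FindHardcodedSecrets scans Go source text line by line and reports
// string-literal assignments to credential-like identifiers.
func FindHardcodedSecrets(src string) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		if m := hardcodedSecret.FindStringSubmatch(line); m != nil {
			out = append(out, Finding{Line: i + 1, Ident: m[1]})
		}
	}
	return out
}

// sampleSource is a constructed snippet, not real project code: two lines
// hard-code a credential, one reads it from the environment, one is a
// harmless non-secret string.
const sampleSource = `package main

import "os"

const dbPassword = "hunter2"
var apiKey = os.Getenv("API_KEY")
var endpoint = "https://api.example.com"
func main() {
	token := "placeholder-token-value"
	_ = token
}
`

func main() {
	for _, f := range FindHardcodedSecrets(sampleSource) {
		fmt.Printf("line %d: hard-coded credential assigned to %s\n", f.Line, f.Ident)
	}
	// Environment first, then the (stand-in) secrets manager.
	key, err := LoadSecret("API_KEY", EnvSource{}, MapSource{"API_KEY": "from-manager"})
	if err != nil {
		fmt.Println("startup refused:", err)
		return
	}
	fmt.Println("loaded API key of length", len(key))
}
```

The scanner is deliberately line-based and pattern-based, which is how most secret-detection rules work; it will miss a credential built by concatenation or stored in a non-obvious identifier, so treat it as a tripwire rather than proof of absence. The loader's source order matters: putting the environment first lets developers override a manager locally, but in production the environment is still readable by anyone who can inspect the process, so the manager-backed source should be the only one configured there.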