
Use of Hard-coded Credentials

🛡️ 11 rules detect this


The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

Hard-coded credentials typically create a significant hole that allows an attacker to bypass the authentication that has been configured by the product administrator. This hole might be difficult for the system administrator to detect.

Prevalence: High (frequently exploited)
Impact: Critical (6 critical-severity rules)
Prevention: Documented (11 fix examples)

How to fix this vulnerability

Hardcoded Credentials prevention strategies based on the 11 Shoulder detection rules.

Django Insecure SECRET_KEY CRITICAL

Load SECRET_KEY from environment variables, never commit it to source control

+3 -1 python
  # settings.py
- SECRET_KEY = 'django-insecure-abc123def456'
+ import os
+ 
+ SECRET_KEY = os.environ['DJANGO_SECRET_KEY']
  
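Review bot: the `+ SECRET_KEY = os.environ['DJANGO_SECRET_KEY']` line raises KeyError at import time when the variable is unset, which is the intended fail-fast behaviour, but the removed `'django-insecure-abc123def456'` value stays in repository history; rotate the key when landing this change (existing sessions and signed cookies will be invalidated), because deleting the line does not un-leak it.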
Hardcoded Credentials HIGH

Store all credentials in environment variables or a secrets manager, never in code

+5 -3 python
- password = "super_secret_password"
- api_key = "sk-abc123456789xyz"
- db_password = "db_p@ssw0rd_2024"
+ import os
+ 
+ password = os.environ['APP_PASSWORD']
+ api_key = os.environ['API_KEY']
+ db_password = os.environ['DB_PASSWORD']
  
Hardcoded Secrets / Credentials HIGH

Load all secrets from environment variables or a secrets manager

+5 -3 python
- SECRET_KEY = 'django-insecure-abc123def456'
- API_KEY = 'sk-proj-abc123456789'
- DATABASE_PASSWORD = 'super_secret_123'
+ import os
+ 
+ SECRET_KEY = os.environ['SECRET_KEY']
+ API_KEY = os.environ['API_KEY']
+ DATABASE_PASSWORD = os.environ['DB_PASSWORD']
  
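Review bot: the variable and environment names disagree on the last added line, `DATABASE_PASSWORD = os.environ['DB_PASSWORD']`, while the other two lines use matching names; pick one spelling for both sides so deployment configuration and code cannot drift. The three removed literal values also remain in history and should be rotated.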
Docker Secrets and Security Best Practices CRITICAL

Use BuildKit secrets or runtime environment variables instead of hardcoded credentials

+5 -4 dockerfile
- FROM node:24-alpine
- ENV DATABASE_PASSWORD=supersecret123
- ARG API_KEY=sk_live_abc123
- WORKDIR /app
+ # syntax=docker/dockerfile:1
+ FROM node:24-alpine
+ WORKDIR /app
+ RUN --mount=type=secret,id=db_pass \
+     cat /run/secrets/db_pass > /dev/null
  COPY . .
  
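Review bot: the `RUN --mount=type=secret,id=db_pass \ cat /run/secrets/db_pass > /dev/null` step only demonstrates that the mount works; nothing in the build consumes the value, and a database password is a runtime credential that a build secret cannot hand to the running container anyway. Reserve `--mount=type=secret` for build-time needs (a private registry or package token used by an install step) and supply `DATABASE_PASSWORD` at container start through the runtime's secret mechanism. Two smaller points: the removed `ARG API_KEY=sk_live_abc123` has no replacement in the hunk, and the `# syntax=docker/dockerfile:1` directive must be the very first line of the file for the mount flag to be recognised.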
Hardcoded Secrets in Source Code CRITICAL

Load secrets from environment variables or a secrets manager instead of hardcoding

+9 -7 go
  package main
  
- const (
-     APIKey     = "sk-1234567890abcdefghijklmnop"
-     DBPassword = "superSecretPassword123"
- )
- 
- func connectDB() (*sql.DB, error) {
-     connStr := "postgres://admin:superSecretPassword123@localhost:5432/db"
+ import "os"
+ 
+ func connectDB() (*sql.DB, error) {
+     apiKey := os.Getenv("API_KEY")
+     if apiKey == "" {
+         log.Fatal("API_KEY not set")
+     }
+     dbPass := os.Getenv("DB_PASSWORD")
+     connStr := fmt.Sprintf("postgres://admin:%s@localhost:5432/db", dbPass)
      return sql.Open("postgres", connStr)
  }
  
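Review bot: `+ import "os"` is the only import, yet the function calls `log.Fatal` and `fmt.Sprintf` and returns `*sql.DB`, so this hunk does not compile without `fmt`, `log`, `database/sql` and a registered postgres driver. Also, `dbPass` gets no empty check, unlike `apiKey`, so an unset `DB_PASSWORD` silently produces a passwordless connection string, and `fmt.Sprintf("postgres://admin:%s@localhost:5432/db", dbPass)` breaks or changes meaning for any password containing `@`, `/`, `:` or `?`; build the URL with `url.UserPassword` / `url.URL` or pass a key=value DSN instead.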
Hardcoded Secret in Environment Variable Fallback HIGH

Never use hardcoded fallbacks for secrets; fail fast if environment variables are missing

+6 -1 javascript
- const JWT_SECRET = process.env.JWT_SECRET || 'my-insecure-secret-key';
+ function getRequiredEnv(name) {
+   const value = process.env[name];
+   if (!value) throw new Error(`Required env var ${name} is not set`);
+   return value;
+ }
+ const JWT_SECRET = getRequiredEnv('JWT_SECRET');
  
Hardcoded Credentials HIGH

Load credentials from environment variables instead of hardcoding in source code

+6 -5 javascript
- const connection = mysql.createConnection({
-   host: 'localhost',
-   user: 'root',
-   password: 'admin123',
-   database: 'myapp'
+ require('dotenv').config();
+ const connection = mysql.createConnection({
+   host: process.env.DB_HOST,
+   user: process.env.DB_USER,
+   password: process.env.DB_PASSWORD,
+   database: process.env.DB_NAME
  });
  
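Review bot: none of the `process.env.DB_*` values are checked for presence, so with a missing `.env` the `mysql.createConnection` call receives `undefined` fields and quietly tries localhost with no password instead of failing at startup; reuse the fail-fast helper from the environment-variable-fallback fix above (`getRequiredEnv('DB_PASSWORD')`). Since `require('dotenv').config()` reads `.env` from the working directory, make sure that file is in `.gitignore`, or committing it recreates the original finding.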
Hardcoded High-Entropy Secrets Detection CRITICAL

Move secrets to environment variables using dotenv or a secret manager

+2 -1 javascript
- const apiKey = 'sk_live_abc123def456ghi789';
+ require('dotenv').config();
+ const apiKey = process.env.STRIPE_API_KEY;
  
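Review bot: `process.env.STRIPE_API_KEY` is assigned without a presence check, so an unset variable surfaces only on the first API call as an authentication error; apply the same fail-fast helper as the fallback fix. The removed `sk_live_` key was committed to source, so treat it as exposed and rotate it in the provider dashboard regardless of this change.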
Hardcoded Secrets in Manifest CRITICAL

Use Kubernetes Secrets with secretKeyRef instead of hardcoding credentials in manifests

+4 -1 yaml
  apiVersion: v1
  kind: Pod
  spec:
    containers:
    - name: app
      env:
        - name: DB_PASSWORD
-         value: "super-secret-password"
+         valueFrom:
+           secretKeyRef:
+             name: db-secret
+             key: password
  
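Review bot: the `secretKeyRef` to `db-secret` / `password` requires that Secret to exist in the pod's namespace before the pod starts, otherwise the container sits in CreateContainerConfigError. The Secret's own manifest must not be committed with the value inline (that only moves the finding to another file), and because a Kubernetes Secret is base64-encoded rather than encrypted, pair this with encryption at rest and RBAC that limits `get`/`list` on secrets.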

Key practices

  • Credentials are loaded from environment variables or secure secret management systems
  • Secrets are stored in environment variables or secure vaults
  • Secrets are stored in environment variables or secure vaults, never committed to version control

Find vulnerabilities in your code

Use Shoulder to scan your code for Use of Hard-coded Credentials patterns. 11 rules.

Terminal
# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=798

# Or scan entire project
npx @shoulderdev/cli trust .

Detection rules (11)

🟨 JavaScript 5 rules
Hardcoded Secret in Environment Variable Fallback HIGH
Detects hardcoded secrets used as fallback values for environment variables. Pattern: `process.env.SECRET || 'hardcoded-value'`. This is dangerous because:
  • If the environment variable is not set, the hardcoded value is used
  • Developers often forget to set env vars in production
  • The hardcoded fallback may be committed to version control
  • It creates a false sense of security ("we use env vars")
This is particularly common with:
  • JWT secrets
  • API keys
  • Database passwords
  • Encryption keys
Hardcoded Credentials HIGH
Detects hardcoded credentials (passwords, API keys, tokens) in database connections and configuration objects. Credentials should be loaded from environment variables or secure secret management systems. This is different from CWE-259 (weak password):
  • CWE-798: Any credential hardcoded in source code (security risk)
  • CWE-259: Specifically weak/guessable passwords
Even a "strong" password is a security risk if hardcoded because:
  • It gets committed to version control
  • It's difficult to rotat
Hardcoded High-Entropy Secrets Detection CRITICAL
Detects hardcoded secrets with high entropy (randomness) that indicate real credentials. This rule uses entropy analysis to avoid false positives from:
  • Example/placeholder values ("keyboard cat", "your-secret-here")
  • Test fixtures ("test123", "fake-api-key")
  • Short/simple strings ("secret", "password")
Only flags strings that appear to be REAL secrets:
  • High entropy (random-looking characters)
  • Sufficient length (20+ characters for API keys)
  • Known secret patterns (AWS keys, JWT tokens,
Hardcoded Secrets in Security Operations CRITICAL
Detects hardcoded secrets (API keys, tokens, passwords) flowing into security-sensitive operations. Uses taint analysis to track hardcoded secret strings from their definition to actual usage in authentication, API calls, or cryptographic operations. This approach reduces false positives by only flagging secrets that are actually used, not just defined in comments, examples, or unused variables.
Security Issues in Test Files LOW
Detects security anti-patterns in test files that could leak into production. While test files don't run in production, they can still pose security risks:
  1. **Hard-coded credentials** - Test credentials committed to repos
  2. **Real API keys** - Production keys used in tests
  3. **Exposed secrets** - Secrets in test fixtures or mocks
  4. **Insecure test patterns** - Patterns that might be copy-pasted to production
This rule helps maintain test hygiene and prevents credential leaks.
🔷 TypeScript 5 rules
The same five rules as the JavaScript set above, with the same severities: Hardcoded Secret in Environment Variable Fallback HIGH; Hardcoded Credentials HIGH; Hardcoded High-Entropy Secrets Detection CRITICAL; Hardcoded Secrets in Security Operations CRITICAL; Security Issues in Test Files LOW.
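The environment-variable-fallback and high-entropy rules described above, as an added example that is not Shoulder's rule code: a small JavaScript scanner that applies the same decision steps (placeholder allow-list, known key shapes, then a 20-character length and Shannon-entropy threshold) to constructed sample lines. The 3.5-bit entropy threshold, the placeholder list and the key-shape regexes are assumptions chosen for illustration, not the tool's values.

```javascript
// Added example (not Shoulder's rule code): a scanner for the two patterns described above.
// Shannon entropy of a string in bits per character (0 for a single repeated character).
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}
// Placeholder and test-fixture values the entropy rule deliberately ignores (constructed list).
const PLACEHOLDERS = /^(your[-_ ]?secret[-_ ]?here|keyboard cat|test123|fake-api-key|secret|password|changeme)$/i;
// Assumed shapes of real credentials: AWS access key id, Stripe-style live key, compact JWT.
const KNOWN_PATTERNS = [/^AKIA[0-9A-Z]{16}$/, /^sk_live_[0-9A-Za-z]{10,}$/, /^eyJ[\w-]+\.[\w-]+\.[\w-]+$/];

// Known-pattern check first, then length + entropy (3.5 bits/char is an assumed threshold).
function looksLikeRealSecret(literal) {
  if (PLACEHOLDERS.test(literal)) return false;
  if (KNOWN_PATTERNS.some((re) => re.test(literal))) return true;
  return literal.length >= 20 && shannonEntropy(literal) >= 3.5;
}

// `process.env.X || 'literal'` where X looks secret-ish; any quoted literal assigned to a secret-ish name.
const FALLBACK = /process\.env\.(\w*(?:KEY|SECRET|TOKEN|PASSWORD|PASS)\w*)\s*\|\|\s*(['"`])([^'"`]+)\2/;
const ASSIGN = /(\w*(?:key|secret|token|password|passwd|pwd)\w*)\s*[:=]\s*(['"`])([^'"`]+)\2/i;
// Returns one finding per flagged line: { line, rule, value }.
function scanLines(lines) {
  const findings = [];
  lines.forEach((text, i) => {
    const f = FALLBACK.exec(text);
    if (f) return findings.push({ line: i + 1, rule: 'env-fallback-secret', value: f[3] });
    const a = ASSIGN.exec(text);
    if (a && looksLikeRealSecret(a[3])) findings.push({ line: i + 1, rule: 'high-entropy-secret', value: a[3] });
  });
  return findings;
}
// Constructed sample source lines; the comment on each gives the expected verdict.
const SAMPLE = [
  "const JWT_SECRET = process.env.JWT_SECRET || 'my-insecure-secret-key';", // fallback: flagged
  "const port = process.env.PORT || '3000';",                               // not a secret name
  "const apiKey = 'sk_live_abc123def456ghi789';",                           // known shape: flagged
  "const secret = 'keyboard cat';",                                         // placeholder: skipped
  "  password: 'admin123',",                                                // short: below this rule's length threshold
  "const dbToken = 'q8Zx2Lm9vT4pR7wK1nB3yH6s';",                            // high entropy: flagged
  "const token = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl';",     // JWT shape: flagged
];
for (const f of scanLines(SAMPLE)) console.log(`line ${f.line}: ${f.rule} -> ${f.value}`);
```

The short `admin123` literal is deliberately not flagged here, matching the entropy rule's description; the separate Hardcoded Credentials rule is the one that covers such values.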

What to look for in code review

These patterns indicate a potential Use of Hard-coded Credentials vulnerability. Look for them during code reviews and security audits.

🟠 Hardcoded secret used as fallback for environment variable. Code: ... If the environment variable is not set, this har (javascript-env-fallback-secrets)
🟠 hardcoded secrets used as fallback values for environment variables (javascript-env-fallback-secrets)
🟠 Hardcoded credential detected in ... Credentials should never be stored in source code. (javascript-hardcoded-credentials)
🟠 hardcoded credentials (passwords, API keys, tokens) in database connections and configuration object (javascript-hardcoded-credentials)
🟠 hardcoded passwords, API keys, tokens, and other credentials in source code (python-hardcoded-credentials)
🔵 Test file contains hard-coded credentials at line ... (javascript-test-security-issues)
🔵 security anti-patterns in test files that could leak into production (javascript-test-security-issues)
🔴 Django SECRET_KEY that is hardcoded, weak, or uses default values (django-insecure-secret-key)

Scan your codebase for Use of Hard-coded Credentials

The Shoulder CLI finds vulnerable patterns across your entire codebase.