# Use of Hard-coded Credentials (CWE-798)

The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

**Stack:** Kubernetes

- Prevalence: High; frequently exploited
- Impact: Critical; 6 critical-severity rules
- Prevention: Documented; 11 fix examples

**OWASP:** Identification and Authentication Failures (A07:2021-Identification and Authentication Failures) - #7

## Description

Hard-coded credentials typically create a significant hole that allows an attacker to bypass the authentication that has been configured by the product administrator. This hole might be difficult for the system administrator to detect.

## Prevention

Hardcoded Credentials prevention strategy based on 1 Shoulder detection rule.

### Kubernetes

Use Kubernetes Secrets with `secretKeyRef` instead of hardcoding credentials in manifests. Note that a Secret object committed next to the workload manifest with its value in `data` or `stringData` is still a hard-coded credential: base64 is an encoding, not encryption.

## Warning Signs

- [CRITICAL] Secrets, passwords, or API keys are hardcoded in the Kubernetes manifest.

## Consequences

- Gain Privileges
- Bypass Protection Mechanism

## Mitigations

- Store credentials outside of source code
- Use environment variables or a secure credential store
- Implement proper key-management procedures

## Detection

- Total rules: 11
- Critical: 6
- Languages: python, dockerfile, go, javascript, typescript, yaml

## Rules by Language

### Yaml (1 rule)

- **Hardcoded Secrets in Manifest** [CRITICAL]: Detects hardcoded secrets, passwords, or API keys in Kubernetes manifests.
  - Remediation: Use Kubernetes Secrets with `valueFrom`.

```yaml
env:
  - name: DB_PASSWORD
    valueFrom:
      secretKeyRef:
        name: db-secret
        key: password
```

Learn more: https://shoulder.dev/learn/kubernetes/cwe-798/hardcoded-secrets
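The following is an added example, not code from Shoulder or from the page above: a small stand-alone scanner that implements the "Hardcoded Secrets in Manifest" check over Kubernetes workload objects and shows a vulnerable Deployment beside the `secretKeyRef` remediation. Manifests are supplied as JSON (which `kubectl` accepts alongside YAML) so the script needs only the standard library; the two sample manifests, the `SENSITIVE_NAME` pattern and the severity labels are constructed for this example. It goes one step beyond the rule on the page by also warning when a sensitive-looking variable is sourced from a ConfigMap, which Kubernetes stores in plain text and does not treat as a secret.

```python
"""Added example: find hard-coded credentials in Kubernetes manifest env blocks.

Input is a Kubernetes object as JSON (kubectl accepts JSON as well as YAML), so
only the standard library is required. Sample manifests below are constructed.
"""
import json
import re

# Env var names that should never carry a literal `value` in a manifest.
# Deliberately narrow assumption for the example; tune it for your naming rules.
SENSITIVE_NAME = re.compile(
    r"(PASS(WORD)?|SECRET|TOKEN|API[_-]?KEY|PRIVATE[_-]?KEY|CREDENTIAL)", re.IGNORECASE
)


def pod_specs(obj):
    """Yield every PodSpec reachable from a Kubernetes object.

    Handles Pod, workloads with a pod template (Deployment, StatefulSet,
    DaemonSet, Job), CronJob, and `kind: List` wrappers.
    """
    kind = obj.get("kind", "")
    spec = obj.get("spec", {})
    if kind == "List":
        for item in obj.get("items", []):
            yield from pod_specs(item)
    elif kind == "Pod":
        yield spec
    elif kind == "CronJob":
        yield spec.get("jobTemplate", {}).get("spec", {}).get("template", {}).get("spec", {})
    elif "template" in spec:
        yield spec["template"].get("spec", {})


def find_hardcoded_env(obj):
    """Return (container, env name, severity) for each suspicious env entry.

    CRITICAL: sensitive-looking name with a literal `value` (CWE-798).
    WARNING:  sensitive-looking name read via configMapKeyRef; ConfigMaps are
              plain text, not Secrets, so this is not the page's remediation.
    """
    findings = []
    for pod in pod_specs(obj):
        for c in pod.get("containers", []) + pod.get("initContainers", []):
            for env in c.get("env", []):
                name = env.get("name", "")
                if not SENSITIVE_NAME.search(name):
                    continue
                if "value" in env:
                    findings.append((c.get("name"), name, "CRITICAL"))
                elif "configMapKeyRef" in env.get("valueFrom", {}):
                    findings.append((c.get("name"), name, "WARNING"))
    return findings


def scan(manifest_json):
    """Parse a JSON manifest string and return its findings."""
    return find_hardcoded_env(json.loads(manifest_json))


# Constructed sample: the 'before' manifest with a literal password and an
# API key pulled from a ConfigMap.
VULNERABLE_MANIFEST = """
{
  "apiVersion": "apps/v1", "kind": "Deployment",
  "metadata": {"name": "api"},
  "spec": {"template": {"spec": {"containers": [{
    "name": "api", "image": "example/api:1.0",
    "env": [
      {"name": "DB_HOST", "value": "db.internal"},
      {"name": "DB_PASSWORD", "value": "hunter2"},
      {"name": "API_KEY", "valueFrom": {"configMapKeyRef": {"name": "app-config", "key": "api-key"}}}
    ]}]}}}
}
"""

# Constructed sample: the same workload with both credentials sourced from a
# Secret via secretKeyRef, as the page's remediation prescribes.
HARDENED_MANIFEST = """
{
  "apiVersion": "apps/v1", "kind": "Deployment",
  "metadata": {"name": "api"},
  "spec": {"template": {"spec": {"containers": [{
    "name": "api", "image": "example/api:1.0",
    "env": [
      {"name": "DB_HOST", "value": "db.internal"},
      {"name": "DB_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "db-secret", "key": "password"}}},
      {"name": "API_KEY", "valueFrom": {"secretKeyRef": {"name": "api-secret", "key": "key"}}}
    ]}]}}}
}
"""

if __name__ == "__main__":
    for label, manifest in (("vulnerable", VULNERABLE_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, scan(manifest))
```

The scanner only looks at variable names, so a literal secret under an innocuous name (`CONFIG`) is missed; pair it with a content-based scanner for known token formats if that matters in your environment. Passing the hardened manifest through `scan` returning an empty list is the check to wire into CI before a manifest is applied.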