# Hardcoded High-Entropy Secrets Detection

- ID: javascript-hardcoded-secrets
- Severity: CRITICAL
- CWE: Hardcoded Credentials (CWE-798)
- Languages: JavaScript, TypeScript
- Frameworks: nodejs, express, fastify, koa, hapi, nestjs

## Description

Detects hardcoded secrets with high entropy (randomness) that indicate real credentials.

This rule uses entropy analysis to avoid false positives from:
- Example/placeholder values ("keyboard cat", "your-secret-here")
- Test fixtures ("test123", "fake-api-key")
- Short/simple strings ("secret", "password")

Only flags strings that appear to be REAL secrets:
- High entropy (random-looking characters)
- Sufficient length (20+ characters for API keys)
- Known secret patterns (AWS keys, JWT tokens, private keys)

Hardcoded real secrets pose security risks:
- Exposure in version control
- Difficult credential rotation
- Accidental disclosure in logs/errors
- No dev/prod separation

## Detection Message

Hardcoded {secret_type} with high entropy detected: {pattern}

## Remediation

Move this secret to environment variables or a secret management service.

## Documentation

[object Object]

## Related Rules

- **Django Insecure SECRET_KEY** [CRITICAL]: 
- **Docker Secrets and Security Best Practices** [CRITICAL]: 
- **Hardcoded Secrets in Source Code** [CRITICAL]: 
- **Hardcoded Secret in Environment Variable Fallback** [HIGH]: 
- **Hardcoded Credentials** [HIGH]: