# Hardcoded Secrets in Security Operations

- ID: javascript-hardcoded-secrets-experimental
- Severity: CRITICAL
- CWE: Hardcoded Credentials (CWE-798)
- Languages: JavaScript, TypeScript
- Frameworks: nodejs, express, fastify, koa, hapi, nestjs

## Description

Detects hardcoded secrets (API keys, tokens, passwords) that flow into security-sensitive operations. The rule uses taint analysis to track a hardcoded secret string from its definition to its actual use in authentication, an API call, or a cryptographic operation. Reporting only secrets that reach such a sink, rather than every secret-looking string that is merely defined, keeps false positives down: literals in comments, examples, or unused variables are not flagged.

## Detection Message

Hardcoded {source_description} flows directly to security-sensitive operation at {sink}.

This creates the following risks:

- Exposure in version control, where the secret remains in history even after the line is removed
- Difficult credential rotation, since changing the key requires a code change and redeploy
- Accidental disclosure in logs, stack traces, or error messages
- No separation between development and production credentials

## Remediation

Load secrets from environment variables instead of hardcoding them, and validate that the variable is set before the first use so a missing secret fails fast at startup rather than surfacing later as a confusing authentication error:

```javascript
require('dotenv').config();

// Check before use: constructing the client with an undefined key would
// only fail later, at the first API call, with a less obvious error.
if (!process.env.STRIPE_API_KEY) {
  throw new Error('STRIPE_API_KEY environment variable required');
}

const stripe = require('stripe')(process.env.STRIPE_API_KEY);
```

Learn more: https://shoulder.dev/learn/javascript/cwe-798/hardcoded-secrets

## Related Rules

- **Django Insecure SECRET_KEY** [CRITICAL]
- **Docker Secrets and Security Best Practices** [CRITICAL]
- **Hardcoded Secrets in Source Code** [CRITICAL]
- **Hardcoded Secret in Environment Variable Fallback** [HIGH]
- **Hardcoded Credentials** [HIGH]
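The source-to-sink idea behind the Description above, shown as an added example that is not the rule engine's own implementation: a deliberately small line-based taint check that reports a secret-looking string literal only when it reaches a security-sensitive call, directly or through a simple alias, and stays silent for commented-out or unused secrets. The secret patterns (`SECRET_PATTERNS`), the sink list (`SINKS`), the helper names and the sample source (`SAMPLE_SOURCE`, with fake key values) are all illustrative assumptions, not the rule's real configuration.

```javascript
// Added example, not the rule engine's own code: a small source-to-sink check
// in the spirit of the rule. A secret-looking literal is reported only when it
// reaches a sensitive call, directly or via a simple alias. Patterns, sink list
// and sample source are illustrative assumptions.

// Literal shapes treated as secrets (assumed; a real rule adds entropy checks).
const SECRET_PATTERNS = [
  { kind: 'Stripe secret key', re: /^sk_(live|test)_[A-Za-z0-9]{8,}$/ },
  { kind: 'AWS access key ID', re: /^AKIA[0-9A-Z]{16}$/ },
  { kind: 'GitHub token', re: /^ghp_[A-Za-z0-9]{20,}$/ },
  { kind: 'opaque token', re: /^[A-Za-z0-9_-]{32,}$/ },
];

// Calls whose arguments count as security-sensitive sinks (assumed list).
const SINKS = [
  { name: "require('stripe')(...)", re: /require\(\s*['"]stripe['"]\s*\)\s*\(/ },
  { name: 'jwt.sign(...)', re: /\bjwt\.sign\s*\(/ },
  { name: 'crypto.createHmac(...)', re: /\bcreateHmac\s*\(/ },
];

// `const NAME = 'literal';` and `const NAME = other;` with optional // comment.
const DECL_LITERAL = /^\s*(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*(['"])(.*?)\2\s*;?\s*(?:\/\/.*)?$/;
const DECL_ALIAS = /^\s*(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*([A-Za-z_$][\w$]*)\s*;?\s*(?:\/\/.*)?$/;
const STRING_LITERAL = /(['"])(.*?)\1/g;

const classifySecret = (value) => (SECRET_PATTERNS.find((p) => p.re.test(value)) || {}).kind || null;
const isComment = (line) => /^\s*(\/\/|\/\*|\*)/.test(line);
const escapeRegExp = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Returns one finding per secret that reaches a sink:
// { kind, source, sourceLine, sink, sinkLine } (1-based line numbers).
function findHardcodedSecretFlows(source) {
  const lines = source.split('\n');
  const tainted = new Map(); // identifier -> { kind, name, sourceLine }

  // 1. Sources: declarations whose literal looks like a secret. Commented-out
  //    lines never execute, so they are not sources.
  lines.forEach((line, i) => {
    const m = !isComment(line) && DECL_LITERAL.exec(line);
    const kind = m && classifySecret(m[3]);
    if (kind) tainted.set(m[1], { kind, name: m[1], sourceLine: i + 1 });
  });

  // 2. Propagation: `const b = a;` inherits a's taint; iterate to a fixpoint so
  //    alias chains are followed regardless of declaration order.
  let changed = true;
  while (changed) {
    changed = false;
    lines.forEach((line) => {
      const m = !isComment(line) && DECL_ALIAS.exec(line);
      if (m && tainted.has(m[2]) && !tainted.has(m[1])) {
        tainted.set(m[1], tainted.get(m[2]));
        changed = true;
      }
    });
  }

  // 3. Sinks: a tainted identifier or a secret-looking literal inside the
  //    argument text of a sensitive call is a finding.
  const findings = [];
  lines.forEach((line, i) => {
    if (isComment(line)) return;
    for (const sink of SINKS) {
      const m = sink.re.exec(line);
      if (!m) continue;
      const args = line.slice(m.index + m[0].length);
      for (const [ident, rec] of tainted) {
        if (new RegExp(`\\b${escapeRegExp(ident)}\\b`).test(args)) {
          findings.push({ kind: rec.kind, source: rec.name, sourceLine: rec.sourceLine, sink: sink.name, sinkLine: i + 1 });
        }
      }
      for (const lit of args.matchAll(STRING_LITERAL)) {
        const kind = classifySecret(lit[2]);
        if (kind) findings.push({ kind, source: 'inline literal', sourceLine: i + 1, sink: sink.name, sinkLine: i + 1 });
      }
    }
  });
  return findings;
}

// Renders a finding in the shape of the rule's detection message.
function formatFinding(f) {
  return `Hardcoded ${f.kind} (${f.source}, line ${f.sourceLine}) flows directly ` +
    `to security-sensitive operation at ${f.sink} (line ${f.sinkLine}).`;
}

// Constructed sample input; the key values are fake and only mimic the shape.
const SAMPLE_SOURCE = [
  "// const OLD_KEY = 'sk_live_0123456789abcdef'; // commented out: ignored",
  "const STRIPE_KEY = 'sk_live_0123456789abcdef';",
  "const UNUSED_KEY = 'AKIA0123456789ABCDEF'; // defined, never used: no finding",
  "const signingKey = 'ghp_abcdefghijklmnopqrstuvwxyz0123';",
  "const secret = signingKey; // alias carries the taint",
  "const stripe = require('stripe')(STRIPE_KEY);",
  "const token = jwt.sign({ sub: user.id }, secret);",
  "const mac = crypto.createHmac('sha256', 'c4f3b1a2d9e8f7a6b5c4d3e2f1a0b9c8').update(body).digest('hex');",
  "const label = 'not-a-secret';",
].join('\n');

findHardcodedSecretFlows(SAMPLE_SOURCE).forEach((f) => console.log(formatFinding(f)));
```

Run against the constructed sample, this reports three flows (the Stripe key into the Stripe client, the GitHub token into `jwt.sign` through the `secret` alias, and the inline HMAC key) and nothing for `OLD_KEY`, which is commented out, or `UNUSED_KEY`, which is defined but never reaches a sink. That silence on unused and commented secrets is the false-positive reduction the rule description relies on. A production rule works on a parsed AST and follows data across function boundaries; the line regexes here are only enough to make the source, propagation and sink steps visible.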