Use of Hard-coded Credentials (CWE-798)

Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

Hard-coded credentials typically create a significant hole that allows an attacker to bypass the authentication that has been configured by the product administrator. This hole might be difficult for the system administrator to detect.

普遍性

高

频繁被利用

影响

关键

6 条严重级别为关键的规则

预防

已记录

11 个修复示例

2 预防

如何修复此漏洞

基于 11 条 Shoulder 检测规则的 Hardcoded Credentials 预防策略。

🐍 Python 查看全部 Python 详情 →

Django Insecure SECRET_KEY CRITICAL

Load SECRET_KEY from environment variables, never commit it to source control

+3 -1 python

  # settings.py
- SECRET_KEY = 'django-insecure-abc123def456'
+ import os
+ 
+ SECRET_KEY = os.environ['DJANGO_SECRET_KEY']

Hardcoded Credentials HIGH

Store all credentials in environment variables or a secrets manager, never in code

+5 -3 python

- password = "super_secret_password"
- api_key = "sk-abc123456789xyz"
- db_password = "db_p@ssw0rd_2024"
+ import os
+ 
+ password = os.environ['APP_PASSWORD']
+ api_key = os.environ['API_KEY']
+ db_password = os.environ['DB_PASSWORD']

Hardcoded Secrets / Credentials HIGH

Load all secrets from environment variables or a secrets manager

+5 -3 python

- SECRET_KEY = 'django-insecure-abc123def456'
- API_KEY = 'sk-proj-abc123456789'
- DATABASE_PASSWORD = 'super_secret_123'
+ import os
+ 
+ SECRET_KEY = os.environ['SECRET_KEY']
+ API_KEY = os.environ['API_KEY']
+ DATABASE_PASSWORD = os.environ['DB_PASSWORD']

🐳 Docker 查看全部 Docker 详情 →

Docker Secrets and Security Best Practices CRITICAL

Use BuildKit secrets or runtime environment variables instead of hardcoded credentials

+5 -4 dockerfile

- FROM node:24-alpine
- ENV DATABASE_PASSWORD=supersecret123
- ARG API_KEY=sk_live_abc123
- WORKDIR /app
+ # syntax=docker/dockerfile:1
+ FROM node:24-alpine
+ WORKDIR /app
+ RUN --mount=type=secret,id=db_pass \
+     cat /run/secrets/db_pass > /dev/null
  COPY . .

🐹 Go 查看全部 Go 详情 →

Hardcoded Secrets in Source Code CRITICAL

Load secrets from environment variables or a secrets manager instead of hardcoding

+9 -7 go

  package main
  
- const (
-     APIKey     = "sk-1234567890abcdefghijklmnop"
-     DBPassword = "superSecretPassword123"
- )
- 
- func connectDB() (*sql.DB, error) {
-     connStr := "postgres://admin:superSecretPassword123@localhost:5432/db"
+ import "os"
+ 
+ func connectDB() (*sql.DB, error) {
+     apiKey := os.Getenv("API_KEY")
+     if apiKey == "" {
+         log.Fatal("API_KEY not set")
+     }
+     dbPass := os.Getenv("DB_PASSWORD")
+     connStr := fmt.Sprintf("postgres://admin:%s@localhost:5432/db", dbPass)
      return sql.Open("postgres", connStr)
  }

🟨 JavaScript 查看全部 JavaScript 详情 →

Hardcoded Secret in Environment Variable Fallback HIGH

Never use hardcoded fallbacks for secrets; fail fast if environment variables are missing

+6 -1 javascript

- const JWT_SECRET = process.env.JWT_SECRET || 'my-insecure-secret-key';
+ function getRequiredEnv(name) {
+   const value = process.env[name];
+   if (!value) throw new Error(`Required env var ${name} is not set`);
+   return value;
+ }
+ const JWT_SECRET = getRequiredEnv('JWT_SECRET');

Hardcoded Credentials HIGH

Load credentials from environment variables instead of hardcoding in source code

+6 -5 javascript

- const connection = mysql.createConnection({
-   host: 'localhost',
-   user: 'root',
-   password: 'admin123',
-   database: 'myapp'
+ require('dotenv').config();
+ const connection = mysql.createConnection({
+   host: process.env.DB_HOST,
+   user: process.env.DB_USER,
+   password: process.env.DB_PASSWORD,
+   database: process.env.DB_NAME
  });

Hardcoded High-Entropy Secrets Detection CRITICAL

Move secrets to environment variables using dotenv or a secret manager

+2 -1 javascript

- const apiKey = 'sk_live_abc123def456ghi789';
+ require('dotenv').config();
+ const apiKey = process.env.STRIPE_API_KEY;

☸️ Kubernetes 查看全部 Kubernetes 详情 →

Hardcoded Secrets in Manifest CRITICAL

Use Kubernetes Secrets with secretKeyRef instead of hardcoding credentials in manifests

+4 -1 yaml

  apiVersion: v1
  kind: Pod
  spec:
    containers:
    - name: app
      env:
        - name: DB_PASSWORD
-         value: "super-secret-password"
+         valueFrom:
+           secretKeyRef:
+             name: db-secret
+             key: password

关键实践

loaded from environment variables or secure secret management systems
stored in environment variables or secure vaults
stored in environment variables or secure vaults, never committed to version control

3 检测

查找代码中的漏洞

使用Shoulder扫描代码中的Use of Hard-coded Credentials模式。 11 规则.

终端

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=798

# Or scan entire project
npx @shoulderdev/cli trust .

检测规则 (11)

🟨 Javascript 5 rules

Hardcoded Secret in Environment Variable Fallback HIGH

Detects hardcoded secrets used as fallback values for environment variables. Pattern: `process.env.SECRET || 'hardcoded-value'` This is dangerous because: - If the environment variable is not set, the hardcoded value is used - Developers often forget to set env vars in production - The hardcoded fallback may be committed to version control - Creates false sense of security ("we use env vars") This is particularly common with: - JWT secrets - API keys - Database passwords - Encryption keys

Hardcoded Credentials HIGH

Detects hardcoded credentials (passwords, API keys, tokens) in database connections and configuration objects. Credentials should be loaded from environment variables or secure secret management systems. This is different from CWE-259 (weak password): - CWE-798: Any credential hardcoded in source code (security risk) - CWE-259: Specifically weak/guessable passwords Even a "strong" password is a security risk if hardcoded because: - It gets committed to version control - It's difficult to rotat

Hardcoded High-Entropy Secrets Detection CRITICAL

Detects hardcoded secrets with high entropy (randomness) that indicate real credentials. This rule uses entropy analysis to avoid false positives from: - Example/placeholder values ("keyboard cat", "your-secret-here") - Test fixtures ("test123", "fake-api-key") - Short/simple strings ("secret", "password") Only flags strings that appear to be REAL secrets: - High entropy (random-looking characters) - Sufficient length (20+ characters for API keys) - Known secret patterns (AWS keys, JWT tokens,

Hardcoded Secrets in Security Operations CRITICAL

Detects hardcoded secrets (API keys, tokens, passwords) flowing into security-sensitive operations. Uses taint analysis to track hardcoded secret strings from their definition to actual usage in authentication, API calls, or cryptographic operations. This approach reduces false positives by only flagging secrets that are actually used, not just defined in comments, examples, or unused variables.

Security Issues in Test Files LOW

Detects security anti-patterns in test files that could leak into production. While test files don't run in production, they can still pose security risks: 1. **Hard-coded credentials** - Test credentials committed to repos 2. **Real API keys** - Production keys used in tests 3. **Exposed secrets** - Secrets in test fixtures or mocks 4. **Insecure test patterns** - Patterns that might be copy-pasted to production This rule helps maintain test hygiene and prevents credential leaks.

🔷 Typescript 5 rules

Hardcoded Secret in Environment Variable Fallback HIGH

Hardcoded Credentials HIGH

Hardcoded High-Entropy Secrets Detection CRITICAL

Hardcoded Secrets in Security Operations CRITICAL

Security Issues in Test Files LOW

🐍 Python 3 rules

Django Insecure SECRET_KEY CRITICAL

Detects Django SECRET_KEY that is hardcoded, weak, or uses default values. The SECRET_KEY is used for cryptographic signing and must be kept secret and changed in production.

Hardcoded Credentials HIGH

Detects hardcoded passwords, API keys, tokens, and other credentials in source code. Credentials should be stored in environment variables or secure vaults.

Hardcoded Secrets / Credentials HIGH

Detects hardcoded secrets, passwords, API keys, and cryptographic keys in source code. Secrets should be stored in environment variables or secure vaults, never committed to version control.

🐳 Dockerfile 1 rules

Docker Secrets and Security Best Practices CRITICAL

Detects hardcoded secrets in ENV/ARG and piping curl/wget to shell.

🐹 Go 1 rules

Hardcoded Secrets in Source Code CRITICAL

API keys, passwords, or tokens hardcoded in source code.

📄 Yaml 1 rules

Hardcoded Secrets in Manifest CRITICAL

Detects hardcoded secrets, passwords, or API keys in Kubernetes manifests.

4 警告信号

代码审查中需要关注的内容

这些模式表明潜在的Use of Hard-coded Credentials漏洞。在代码审查和安全审计中注意查找。

🟠

Hardcoded secret used as fallback for environment variable. Code: ... If the environment variable is not set, this har javascript-env-fallback-secrets

🟠

hardcoded secrets used as fallback values for environment variables javascript-env-fallback-secrets

🟠

Hardcoded credential detected in ... Credentials should never be stored in source code. javascript-hardcoded-credentials

🟠

hardcoded credentials (passwords, API keys, tokens) in database connections and configuration object javascript-hardcoded-credentials

🟠

hardcoded passwords, API keys, tokens, and other credentials in source code python-hardcoded-credentials

🔵

Test file contains hard-coded credentials at line ... javascript-test-security-issues

🔵

security anti-patterns in test files that could leak into production javascript-test-security-issues

🔴

Django SECRET_KEY that is hardcoded, weak, or uses default values django-insecure-secret-key

🔍

扫描你的代码库: Use of Hard-coded Credentials

Shoulder CLI 在整个代码库中找到易受攻击的模式。

npx shoulder trust 浏览所有规则