Go Hardcoded Redis Password
Description
This detector identifies hardcoded Redis passwords in Go applications that use the redis/go-redis library. It flags credentials embedded directly in source code instead of being loaded from a secure configuration source; such credentials are readable by anyone with access to the code or to the version control history.
Detection Strategy
• The Go application must import the redis/go-redis library (github.com/redis/go-redis package)
• Detection triggers when redis.ParseURL() is called with a connection string that embeds credentials, including strings built with fmt.Sprintf
• Detection also triggers when Redis client constructors or connection methods are called with hardcoded password parameters
• The detector specifically looks for password values that appear to be literal strings rather than variables loaded from configuration
Vulnerable code example
package main

import (
	"github.com/redis/go-redis/v9"
)

func main() {
	// Hardcoded password in Redis client - security risk
	...

✅ Secure code example
package main

import (
	"os"

	"github.com/redis/go-redis/v9"
)
...
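The program below is an added example, not code from the Fluid Attacks page or from the go-redis project. It implements the detection strategy listed above with only the Go standard library (go/ast, go/parser) and runs it over a constructed sample source that contains the vulnerable constructions next to their configuration-based counterparts, so it also illustrates what the truncated vulnerable and secure examples look like side by side. The sample source, the `Finding` type and the `ScanSource` function are assumptions of this example; the patterns it matches are the ones the page names: a string literal in the `Password` field of `redis.Options`, a literal URL with user info passed to `redis.ParseURL`, and a `fmt.Sprintf` call whose format string carries a credential position and whose arguments include a literal. Values coming from identifiers or calls such as `os.Getenv` are not flagged.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"net/url"
	"strconv"
	"strings"
)

// Finding records one hardcoded Redis credential located in the scanned source.
type Finding struct {
	Line   int
	Reason string
}

// sampleSource is a constructed Go file for this example: vulnerable() shows the
// three hardcoded forms, secure() shows the same calls fed from configuration.
const sampleSource = `package main

import (
	"fmt"
	"os"

	"github.com/redis/go-redis/v9"
)

func vulnerable() {
	_ = redis.NewClient(&redis.Options{Addr: "localhost:6379", Password: "s3cr3t-example"})
	_, _ = redis.ParseURL(fmt.Sprintf("redis://:%s@localhost:6379/0", "s3cr3t-example"))
	_, _ = redis.ParseURL("redis://default:s3cr3t-example@localhost:6379/0")
}

func secure() {
	_ = redis.NewClient(&redis.Options{Addr: "localhost:6379", Password: os.Getenv("REDIS_PASSWORD")})
	_, _ = redis.ParseURL(os.Getenv("REDIS_URL"))
	_, _ = redis.ParseURL("redis://localhost:6379/0")
}
`

// stringLit returns the unquoted value of e when e is a string literal.
func stringLit(e ast.Expr) (string, bool) {
	lit, ok := e.(*ast.BasicLit)
	if !ok || lit.Kind != token.STRING {
		return "", false
	}
	s, err := strconv.Unquote(lit.Value)
	return s, err == nil
}

// selectorIs reports whether e is the selector expression pkg.name.
func selectorIs(e ast.Expr, pkg, name string) bool {
	sel, ok := e.(*ast.SelectorExpr)
	if !ok {
		return false
	}
	id, ok := sel.X.(*ast.Ident)
	return ok && id.Name == pkg && sel.Sel.Name == name
}

// urlHasPassword reports whether a literal connection URL carries a password in its user info.
func urlHasPassword(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil || u.User == nil {
		return false
	}
	_, set := u.User.Password()
	return set
}

// ScanSource parses Go source text and returns one Finding per hardcoded Redis credential.
func ScanSource(src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	report := func(pos token.Pos, reason string) {
		findings = append(findings, Finding{Line: fset.Position(pos).Line, Reason: reason})
	}
	ast.Inspect(f, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.CompositeLit: // redis.Options{..., Password: "literal"}
			if !selectorIs(x.Type, "redis", "Options") {
				return true
			}
			for _, el := range x.Elts {
				kv, ok := el.(*ast.KeyValueExpr)
				if !ok {
					continue
				}
				if key, ok := kv.Key.(*ast.Ident); ok && key.Name == "Password" {
					if _, lit := stringLit(kv.Value); lit {
						report(kv.Pos(), "string literal in Password field of redis.Options")
					}
				}
			}
		case *ast.CallExpr: // redis.ParseURL(<literal URL>) or redis.ParseURL(fmt.Sprintf(...))
			if !selectorIs(x.Fun, "redis", "ParseURL") || len(x.Args) != 1 {
				return true
			}
			if raw, lit := stringLit(x.Args[0]); lit {
				if urlHasPassword(raw) {
					report(x.Pos(), "literal connection URL with embedded password in redis.ParseURL")
				}
				return true
			}
			inner, ok := x.Args[0].(*ast.CallExpr)
			if !ok || !selectorIs(inner.Fun, "fmt", "Sprintf") || len(inner.Args) < 2 {
				return true
			}
			format, lit := stringLit(inner.Args[0])
			if !lit || !strings.Contains(format, "@") {
				return true
			}
			for _, a := range inner.Args[1:] {
				if _, isLit := stringLit(a); isLit {
					report(x.Pos(), "credential literal passed through fmt.Sprintf into redis.ParseURL")
					break
				}
			}
		}
		return true
	})
	return findings, nil
}

func main() {
	findings, err := ScanSource(sampleSource)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("input.go:%d: %s\n", f.Line, f.Reason)
	}
}
```

Running it reports the three lines inside vulnerable() and nothing inside secure(), which is the distinction the last bullet of the detection strategy draws: a value that is a literal in the source versus one that arrives through a call such as os.Getenv. The remediation follows the same line: keep the password out of the source and resolve it at runtime from the environment or a secrets manager, as the secure example's import of "os" begins to show.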