Go Hardcoded Cryptographic Key
Description
This detector identifies hardcoded cryptographic keys in Go applications. It finds instances where cryptographic functions receive static, literal key values instead of keys that are generated at runtime or loaded from secure storage. A key embedded in source is not secret: anyone with access to the repository, its history, or the compiled binary (where string and byte literals survive intact) can recover it, and rotating it requires a code change and a redeployment rather than a configuration update.
Detection Strategy
• The detector first checks whether any target cryptographic library (for example crypto/aes or crypto/hmac) is imported in the Go source file; a file that imports none of them is skipped
• It then examines function calls to identify calls to cryptographic sink functions, that is, key-consuming operations such as aes.NewCipher or hmac.New
• For each matching call, it analyzes the argument in the key position to determine whether a hardcoded value is being passed
• A vulnerability is reported when the key argument is a string literal or a byte-slice literal (for instance []byte("...")) rather than a variable, a value read from configuration or a secrets store, or a dynamically generated key
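The strategy above, run over a constructed source file, as an added example that is not the detector's own code: it parses the file with go/ast, skips files that import neither crypto/aes nor crypto/hmac, and flags aes.NewCipher and hmac.New calls whose key argument is a string literal, a []byte("...") conversion of one, or a []byte{...} of constants. The two-entry sink table, the import list and the sample file are assumptions made for illustration; the page does not give the real detector's sink list.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Finding records one cryptographic call whose key argument is a literal.
type Finding struct {
	Line int
	Call string
}

// keySinks maps a qualified function name to the index of its key parameter.
// Assumption for this example (not the detector's real sink list): only
// aes.NewCipher(key) and hmac.New(hash, key) are known sinks.
var keySinks = map[string]int{
	"aes.NewCipher": 0,
	"hmac.New":      1,
}

// targetImports are the packages whose presence enables the scan (assumed list).
var targetImports = map[string]bool{"crypto/aes": true, "crypto/hmac": true}

// isLiteralKey reports whether expr is a string literal, a []byte("...")
// conversion of a string literal, or a non-empty []byte{...} of constants.
func isLiteralKey(expr ast.Expr) bool {
	switch e := expr.(type) {
	case *ast.BasicLit:
		return e.Kind == token.STRING
	case *ast.CallExpr: // conversion such as []byte("secret")
		if _, ok := e.Fun.(*ast.ArrayType); ok && len(e.Args) == 1 {
			return isLiteralKey(e.Args[0])
		}
	case *ast.CompositeLit: // []byte{0x01, 0x02, ...}
		if _, ok := e.Type.(*ast.ArrayType); ok && len(e.Elts) > 0 {
			for _, elt := range e.Elts {
				if _, lit := elt.(*ast.BasicLit); !lit {
					return false
				}
			}
			return true
		}
	}
	return false
}

// ScanSource applies the three steps of the detection strategy to one file.
func ScanSource(filename, src string) ([]Finding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	// Step 1: skip files that import none of the target crypto packages.
	imported := false
	for _, imp := range file.Imports {
		if targetImports[strings.Trim(imp.Path.Value, `"`)] {
			imported = true
			break
		}
	}
	if !imported {
		return nil, nil
	}
	// Steps 2 and 3: find sink calls and inspect the argument in the key position.
	var findings []Finding
	ast.Inspect(file, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok {
			return true
		}
		sel, ok := call.Fun.(*ast.SelectorExpr)
		if !ok {
			return true
		}
		pkg, ok := sel.X.(*ast.Ident)
		if !ok {
			return true
		}
		name := pkg.Name + "." + sel.Sel.Name
		idx, isSink := keySinks[name]
		if isSink && idx < len(call.Args) && isLiteralKey(call.Args[idx]) {
			findings = append(findings, Finding{Line: fset.Position(call.Pos()).Line, Call: name})
		}
		return true
	})
	return findings, nil
}

// sampleSource is constructed input for this example, not code from the page.
const sampleSource = `package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"os"
)

func bad() {
	aes.NewCipher([]byte("0123456789abcdef"))            // flagged: literal key
	hmac.New(sha256.New, []byte{0x01, 0x02, 0x03, 0x04}) // flagged: literal key
}

func good(key []byte) {
	aes.NewCipher(key)                                  // not flagged
	hmac.New(sha256.New, []byte(os.Getenv("HMAC_KEY"))) // not flagged
}
`

func main() {
	findings, err := ScanSource("sample.go", sampleSource)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("sample.go:%d: hardcoded key passed to %s\n", f.Line, f.Call)
	}
}
```

This check is purely syntactic: a package-level `var key = []byte("...")` passed by name would not be flagged by this example, so a review should also look for constant byte slices and strings that flow into those calls, not only for literals at the call site.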
Vulnerable code example
package main
import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
)
...
✅ Secure code example
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
...
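The secure example above is truncated on this page. As an added example that is not the page's own code, the following shows one complete hardened pattern consistent with its imports: keys are loaded at startup from hex-encoded environment variables (APP_ENC_KEY and APP_MAC_KEY are assumed names for this illustration), validated for length, and never appear as literals; encryption uses AES-GCM with a fresh random nonce; and a separate HMAC-SHA256 key is used for tagging, with the tag compared in constant time via hmac.Equal.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
)

// loadKey reads a hex-encoded key from the environment (an assumed deployment
// convention for this example) and rejects anything that is not exactly
// wantLen bytes. The key value never appears in the source tree.
func loadKey(envVar string, wantLen int) ([]byte, error) {
	raw, ok := os.LookupEnv(envVar)
	if !ok || raw == "" {
		return nil, fmt.Errorf("%s is not set", envVar)
	}
	key, err := hex.DecodeString(raw)
	if err != nil {
		return nil, fmt.Errorf("%s is not valid hex: %w", envVar, err)
	}
	if len(key) != wantLen {
		return nil, fmt.Errorf("%s must decode to %d bytes, got %d", envVar, wantLen, len(key))
	}
	return key, nil
}

// Seal encrypts plaintext with AES-GCM under key and returns nonce||ciphertext.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key is a runtime value, not a literal
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; a wrong key or a tampered ciphertext fails authentication.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// Tag computes HMAC-SHA256 over msg with a key kept separate from the
// encryption key.
func Tag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// VerifyTag compares tags in constant time to avoid a timing side channel.
func VerifyTag(key, msg, tag []byte) bool {
	return hmac.Equal(Tag(key, msg), tag)
}

func main() {
	encKey, err := loadKey("APP_ENC_KEY", 32)
	if err != nil {
		fmt.Println("refusing to start:", err) // fail closed; never fall back to a literal
		os.Exit(1)
	}
	macKey, err := loadKey("APP_MAC_KEY", 32)
	if err != nil {
		fmt.Println("refusing to start:", err)
		os.Exit(1)
	}
	sealed, err := Seal(encKey, []byte("example payload"))
	if err != nil {
		fmt.Println("seal failed:", err)
		os.Exit(1)
	}
	fmt.Printf("sealed=%x tag=%x\n", sealed, Tag(macKey, sealed))
}
```

The process fails closed when a key is missing or malformed; a common regression is to "fix" that startup error by falling back to a literal default key, which reintroduces exactly the finding this detector reports.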