Scala Hardcoded Key In SecretKeySpec
Description
This detector identifies hardcoded cryptographic keys passed to SecretKeySpec constructors in Scala code. Using hardcoded keys in cryptographic operations creates a severe security vulnerability: the key is embedded in the source and in every compiled artifact built from it, so anyone who obtains either can recover it, compromising all data encrypted with that key.
Detection Strategy
• Checks if the javax.crypto.spec.SecretKeySpec class is imported in the code
• Locates all constructor calls to SecretKeySpec class
• Examines the first argument passed to each SecretKeySpec constructor
• Reports a vulnerability when the first argument contains a hardcoded value (string literal, byte array literal, or other constant) rather than a dynamically generated or retrieved key
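As an added illustration of the four detection steps above (example code written for this page, not Fluid Attacks' detector), the following Python script applies them to constructed Scala snippets. It goes one step beyond the list: a constant passed by name is resolved to its single-line `val` initialiser, so `new SecretKeySpec(KEY_BYTES, "AES")` is still flagged when `KEY_BYTES` is a literal array. All Scala sources, regex patterns and helper names below are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Step 1: import forms that bring SecretKeySpec into scope
# (javax.crypto.spec.SecretKeySpec, javax.crypto.spec._, javax.crypto.spec.{..., SecretKeySpec}).
IMPORT_RE = re.compile(
    r"^\s*import\s+javax\.crypto\.spec\.(?:SecretKeySpec\b|_|\{[^}]*\bSecretKeySpec\b[^}]*\})",
    re.MULTILINE,
)
# Step 2: constructor calls; m.end() - 1 is the index of the opening parenthesis.
CTOR_RE = re.compile(r"\bnew\s+SecretKeySpec\s*\(")
# Single-line `val NAME[: Type] = <init>` definitions, so a constant passed by name can be
# resolved back to its initialiser (multi-line initialisers are deliberately not followed).
VAL_RE = re.compile(
    r"^\s*(?:(?:private|protected|final|lazy)\s+)*val\s+(\w+)\s*(?::\s*[\w\[\]]+)?\s*=\s*(.+?)\s*$",
    re.MULTILINE,
)
STRING_LIT = r'(?:"""[\s\S]*?"""|"(?:[^"\\]|\\.)*")'
# Step 4: what counts as hardcoded key material: a string literal (optionally .getBytes(...))
# or an Array / Array[Byte] made only of numeric literals.
LITERAL_RE = re.compile(
    r"^(?:" + STRING_LIT + r"(?:\s*\.getBytes(?:\s*\([^)]*\))?)?"
    r"|Array(?:\[Byte\])?\s*\(\s*(?:-?(?:0[xX][0-9a-fA-F]+|\d+)(?:\.toByte)?\s*,?\s*)+\))$"
)
IDENT_RE = re.compile(r"(\w+)(?:\s*\.getBytes(?:\s*\([^)]*\))?)?")


@dataclass
class Finding:
    line: int       # 1-based line of the constructor call
    argument: str   # the offending first argument, as written in the source


def first_argument(src: str, open_paren: int) -> str:
    """Step 3: text of the first argument of the call whose '(' sits at open_paren,
    honouring nested brackets and commas inside string literals."""
    depth, i, in_string = 0, open_paren, False
    while i < len(src):
        c = src[i]
        if in_string:
            if c == "\\":
                i += 1                      # skip the escaped character
            elif c == '"':
                in_string = False
        elif c == '"':
            in_string = True
        elif c in "([{":
            depth += 1
        elif c in ")]}":
            depth -= 1
            if depth == 0:                  # closing paren of the call itself
                return src[open_paren + 1:i].strip()
        elif c == "," and depth == 1:
            return src[open_paren + 1:i].strip()
        i += 1
    return src[open_paren + 1:].strip()


def is_hardcoded(expr: str, constants: Dict[str, str], depth: int = 0) -> bool:
    """True if expr is a literal, or names a val whose initialiser is (transitively) a literal."""
    expr = expr.strip()
    if LITERAL_RE.match(expr):
        return True
    m = IDENT_RE.fullmatch(expr)
    if m and m.group(1) in constants and depth < 8:   # bound guards against `val a = a`
        return is_hardcoded(constants[m.group(1)], constants, depth + 1)
    return False


def scan(src: str) -> List[Finding]:
    """Apply the four detection steps to one Scala source file."""
    if not IMPORT_RE.search(src):                     # step 1
        return []
    constants = dict(VAL_RE.findall(src))
    findings = []
    for m in CTOR_RE.finditer(src):                   # step 2
        arg = first_argument(src, m.end() - 1)        # step 3
        if is_hardcoded(arg, constants):              # step 4
            findings.append(Finding(src.count("\n", 0, m.start()) + 1, arg))
    return findings


# Constructed Scala inputs (not real project code).
VULNERABLE_SCALA = """\
import javax.crypto.Cipher
import javax.crypto.spec.SecretKeySpec

object CryptoUtil {
  def encrypt(data: Array[Byte]): Array[Byte] = {
    val key = new SecretKeySpec("mySecretKey123".getBytes(), "AES")
    val cipher = Cipher.getInstance("AES")
    cipher.init(Cipher.ENCRYPT_MODE, key)
    cipher.doFinal(data)
  }
}
"""
CONSTANT_SCALA = """\
import javax.crypto.spec.{SecretKeySpec, IvParameterSpec}

object Keys {
  // key material hidden behind a constant; resolved back to the literal
  private val KEY_BYTES: Array[Byte] = Array[Byte](0x01, 0x02, 0x03, 0x04)
  val spec = new SecretKeySpec(KEY_BYTES, "AES")
}
"""
SECURE_SCALA = """\
import java.util.Base64
import javax.crypto.spec.SecretKeySpec

object CryptoUtil {
  val keyBytes = Base64.getDecoder.decode(System.getenv("ENCRYPTION_KEY"))
  val key = new SecretKeySpec(keyBytes, "AES")
}
"""

if __name__ == "__main__":
    for name, src in [("vulnerable", VULNERABLE_SCALA), ("constant", CONSTANT_SCALA), ("secure", SECURE_SCALA)]:
        print(name, scan(src))
```

Two limitations follow directly from the strategy as listed: a fully qualified `new javax.crypto.spec.SecretKeySpec(...)` with no import line is not examined because step 1 gates everything, and key material spread over several lines or built by string concatenation is not resolved. A production detector works on a parse tree rather than regular expressions for exactly these reasons.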
Vulnerable code example
import javax.crypto.Cipher
import javax.crypto.spec.SecretKeySpec

object CryptoUtil {
  def encrypt(data: Array[Byte]): Array[Byte] = {
    // VULNERABLE: hardcoded key material directly in SecretKeySpec constructor;
    // anyone with the source or the compiled bytecode can recover the key
    // (16 ASCII bytes = a valid AES-128 key, so the call succeeds at runtime)
    val key = new SecretKeySpec("mySecretKey12345".getBytes(), "AES")
    val cipher = Cipher.getInstance("AES")
    cipher.init(Cipher.ENCRYPT_MODE, key)
    cipher.doFinal(data)
  }
}

✅ Secure code example
import java.util.Base64
import javax.crypto.Cipher
import javax.crypto.spec.SecretKeySpec

object CryptoUtil {
  def encrypt(data: Array[Byte]): Array[Byte] = {
    // SAFE: key loaded from environment variable instead of hardcoded
    val keyBytes = Base64.getDecoder.decode(System.getenv("ENCRYPTION_KEY"))
    val key = new SecretKeySpec(keyBytes, "AES")
    val cipher = Cipher.getInstance("AES")
    cipher.init(Cipher.ENCRYPT_MODE, key)
    cipher.doFinal(data)
  }
}