JavaScript Hardcoded AWS Credentials Configured

Description

Detects hardcoded AWS credentials exposed in JavaScript source code files. This is a critical security vulnerability since exposing cloud credentials in source code could allow attackers to gain unauthorized access to AWS services and resources.

Weakness:

009 - Sensitive information in source code

Category: Information Collection

Detection Strategy

    Scans JavaScript source code files, excluding test files

    Searches for AWS credential patterns like access keys, secret keys, or tokens in code

    Reports a vulnerability if credentials are found hardcoded in source files

    Specifically looks for credential patterns in variable assignments, object properties, and string literals
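The detection strategy above, sketched as an added example (this is not the scanner's own rule or code). The function names, the test-file path conventions and the regular expressions are assumptions based on the publicly documented AWS key formats, and the sample key values are constructed placeholders.

```javascript
// Added example: a minimal scanner for the detection strategy above.
// All names (RULES, isTestFile, mask, scanSource) are hypothetical.

// Access key IDs: "AKIA" (long-term) or "ASIA" (temporary) plus 16 characters.
// Secret keys: a 40-character base64-style literal assigned to a name containing "secret".
const RULES = [
  { kind: 'aws-access-key-id', re: /(['"`])((?:AKIA|ASIA)[A-Z0-9]{16})\1/g },
  { kind: 'aws-secret-access-key',
    re: /\w*secret\w*['"]?\s*[:=]\s*(['"`])([A-Za-z0-9/+=]{40})\1/gi },
];

// Test files are excluded, as in the detection strategy (path conventions assumed).
function isTestFile(path) {
  return /(^|\/)(__tests__|tests?)\//.test(path) || /\.(test|spec)\.[cm]?jsx?$/.test(path);
}

// Mask the match so the report does not become a second copy of the secret.
function mask(value) {
  return value.slice(0, 4) + '*'.repeat(value.length - 4);
}

function scanSource(path, source) {
  if (isTestFile(path)) return [];
  const findings = [];
  source.split('\n').forEach((text, i) => {
    for (const { kind, re } of RULES) {
      for (const m of text.matchAll(re)) {
        findings.push({ file: path, line: i + 1, kind, preview: mask(m[2]) });
      }
    }
  });
  return findings;
}

// Constructed sample input: the key values are fake placeholders built for this example.
const FAKE_ID = 'AKIA' + 'X'.repeat(16);
const FAKE_SECRET = 'x'.repeat(40);
const vulnerable = [
  "const AWS = require('aws-sdk');",
  'AWS.config.update({',
  `  accessKeyId: '${FAKE_ID}',`,
  `  secretAccessKey: '${FAKE_SECRET}'`,
  '});',
].join('\n');
const secure = "AWS.config.update({ region: process.env.AWS_REGION || 'us-east-1' });";

console.log(scanSource('src/config.js', vulnerable));      // two findings, values masked
console.log(scanSource('src/safe.js', secure));            // no findings
console.log(scanSource('src/config.test.js', vulnerable)); // test file, skipped
```

Findings carry only a masked preview, so scanner output can be stored in CI logs without leaking the key a second time.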

Vulnerable code example

const AWS = require('aws-sdk');

// Insecure: Hardcoded AWS access credentials directly in code
AWS.config.update({
  accessKeyId: 'AKIAIOCMG56TISNLV69H',
  secretAccessKey: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
});

✅ Secure code example

const AWS = require('aws-sdk');

// Safe: Use environment variables or AWS credential providers
AWS.config.update({
  region: process.env.AWS_REGION || 'us-east-1'
  // AWS SDK will automatically load credentials from:
  // 1. Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
  // 2. Shared credentials file (~/.aws/credentials)...
});