Typescript Hardcoded Aws Credentials Configured
Description
Detects AWS credentials (like access keys, secret keys) that are hardcoded directly in source code files. Exposing cloud credentials in code is a critical security risk that could lead to unauthorized access to AWS resources and potential account compromise.
Detection Strategy
• Analyzes source code files while excluding test files to avoid false positives
• Searches for AWS credential patterns like access key IDs (20 character alphanumeric) and secret access keys (40 character base64)
• Examines string literals and variable assignments in the code for credential-like values
• Reports a vulnerability when credentials are found in regular source files but not in test files
• Validates that the credential format matches AWS key patterns to reduce false positives
Vulnerable code example
const jwt = require('jsonwebtoken');
const secretKey = 'my_secret_key'; // Vulnerable: Hardcoded secret key should not be in source code
jwt.verify(token, secretKey, (err, decoded) => {
if (!err) {
console.log('Token verified:', decoded);
}...✅ Secure code example
const jwt = require('jsonwebtoken');
// Load secret key from environment variable
const secretKey = process.env.JWT_SECRET_KEY;
if (!secretKey) {
throw new Error('JWT secret key must be set in environment variables');
}
...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.