Javascript Hardcoded Test Credentials
Description
Detects hardcoded credentials (like passwords, API keys, tokens) within JavaScript test files. This is a security concern because test credentials could accidentally be deployed to production or expose sensitive information if test files are publicly accessible.
Detection Strategy
• Analyzes JavaScript files that are identified as test files (e.g., files containing 'test', 'spec', or similar test-related keywords)
• Searches for string literals and variable assignments that appear to contain credentials (passwords, tokens, keys, etc.)
• Checks if these credential values are hardcoded directly in the test code rather than being loaded from environment variables or configuration files
• Excludes common test placeholder values like 'test123', 'password', or empty strings to reduce false positives
Vulnerable code example
const frisby = require('frisby');

// ❌ Security risk: hardcoded credentials in source code
frisby.post('http://localhost:3000/rest/user/login', {
  headers: { 'content-type': 'application/json' },
  body: {
    email: 'admin@system.com', // Hardcoded sensitive credential
    password: 'secretPassword123' // Hardcoded sensitive credential
  }
});

Secure code example
const frisby = require('frisby');

// ✅ Load credentials from environment variables
const TEST_EMAIL = process.env.TEST_EMAIL; // Store credentials in environment variables
const TEST_PASSWORD = process.env.TEST_PASSWORD; // Never hardcode sensitive data

frisby.post('http://localhost:3000/rest/user/login', {
  headers: { 'content-type': 'application/json' },
  body: {
    email: TEST_EMAIL,
    password: TEST_PASSWORD
  }
});