Kotlin Hardcoded Repo Credentials
Description
Detects hardcoded repository credentials in Gradle KTS build files, which could expose sensitive authentication information in version control. Storing plaintext credentials in build files is a security risk that could lead to unauthorized access to private artifact repositories.
Detection Strategy
• Identifies 'credentials' blocks within Maven repository declarations in build.gradle.kts files
• Checks if the credentials block contains hardcoded username/password assignments
• Verifies the credentials are within a 'maven' block that is inside a 'repositories' configuration block
• Reports a vulnerability when credentials are directly assigned values rather than using secure credential management
Vulnerable code example
repositories {
    maven {
        name = "MyRepo"
        url = uri("https://artifacts.company.com")
        credentials {
            password = "secretpass123" // Vulnerable: hardcoded credential committed with the build script
        }
    }
}

✅ Secure code example
repositories {
    maven {
        name = "MyRepo"
        url = uri("https://artifacts.company.com")
        credentials {
            // Load credentials from a Gradle property (for example the user-level
            // ~/.gradle/gradle.properties, not a file committed to the repository)
            // and fall back to environment variables provided by the CI runner
            username = providers.gradleProperty("myrepo.username").orNull ?: System.getenv("MYREPO_USERNAME")
            password = providers.gradleProperty("myrepo.password").orNull ?: System.getenv("MYREPO_PASSWORD")
        }
    }
}
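The detection strategy above, as an added example that is not Fluid Attacks' own scanner code: a small Python checker that tracks the brace nesting of a build.gradle.kts and reports a username or password assigned a string literal only when it sits inside repositories { maven { credentials { ... } } }, while leaving property- or environment-based values alone. The build script it scans is constructed inline; SAMPLE_BUILD_SCRIPT and the function names are assumptions.

```python
import re

# Opener of a named block: `repositories {`, `maven {`, `maven("https://...") {`.
BLOCK_OPEN = re.compile(r'^\s*([A-Za-z_][\w.]*)\s*(?:\([^)]*\))?\s*\{\s*$')
# username/password assigned a plain string literal, i.e. a hardcoded credential.
LITERAL_ASSIGN = re.compile(r'^\s*(username|password)\s*=\s*"[^"\\]*"\s*$')
# A string literal (kept) or a // comment (dropped); strings win because they match first.
STRING_OR_COMMENT = re.compile(r'"(?:\\.|[^"\\])*"|//.*')
# Only credentials nested as repositories { maven { credentials { ... } } } are in scope.
TARGET_PATH = ["repositories", "maven", "credentials"]

def strip_line_comment(line):
    # Remove a trailing // comment without touching a // inside a string such as a URL.
    return STRING_OR_COMMENT.sub(lambda m: "" if m.group(0).startswith("//") else m.group(0), line)

def find_hardcoded_repo_credentials(kts_text):
    # Returns (line_no, key) for each hardcoded assignment; the secret value itself is
    # left out on purpose so a finding can be logged without copying the credential.
    findings, stack = [], []  # stack: enclosing block names, innermost last
    for line_no, raw in enumerate(kts_text.splitlines(), start=1):
        line = strip_line_comment(raw).rstrip()
        opener = BLOCK_OPEN.match(line)
        if opener:
            stack.append(opener.group(1))
        elif line.strip() == "}":
            if stack:
                stack.pop()
        elif stack[-3:] == TARGET_PATH:
            assign = LITERAL_ASSIGN.match(line)
            if assign:
                findings.append((line_no, assign.group(1)))
    return findings

# Constructed sample build.gradle.kts: one hardcoded block, one that reads a property or env var.
SAMPLE_BUILD_SCRIPT = """\
repositories {
    maven {
        url = uri("https://artifacts.company.com")  // the // inside the URL is not a comment
        credentials {
            username = "build-bot"
            password = "secretpass123"
        }
    }
    maven("https://other.company.com/maven") {
        credentials {
            password = providers.gradleProperty("myrepo.password").orNull ?: System.getenv("MYREPO_PASSWORD")
        }
    }
}
"""
```

Running find_hardcoded_repo_credentials(SAMPLE_BUILD_SCRIPT) reports lines 5 and 6 (the literal username and password) and nothing for the second repository.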