Elixir Config Hardcoded Credentials
Description
This detector identifies hardcoded credentials in Elixir configuration files. It specifically looks for `config` expressions that contain unsafe credential definitions, which poses a security risk as sensitive information like passwords, API keys, or tokens may be exposed in source code or version control systems.
Detection Strategy
• The application must import or use the Config library
• A `config` expression must be present in the code
• At least one argument to the config expression must contain hardcoded credentials that are determined to be unsafe through static analysis
Vulnerable code example
import Config
config :demo, Demo.Repo,
adapter: Ecto.Adapters.Postgres,
username: "postgres", # Vulnerable: hardcoded database username
password: "SuperSecret123!", # Vulnerable: hardcoded database password
database: "production",
hostname: "db.internal"✅ Secure code example
import Config
config :demo, Demo.Repo,
adapter: Ecto.Adapters.Postgres,
username: System.fetch_env!("DB_USER"), # Safe: credential comes from environment
password: System.fetch_env!("DB_PASSWORD"), # Safe: credential comes from environment
database: "production",
hostname: "db.internal"Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.