logo

Database

Elixir Config Hardcoded Credentials

Description

This detector identifies hardcoded credentials in Elixir configuration files. It specifically looks for `config` expressions that contain unsafe credential definitions, which poses a security risk as sensitive information like passwords, API keys, or tokens may be exposed in source code or version control systems.

Weakness:

359 - Sensitive information in source code - Credentials

Category: Information Collection

Detection Strategy

    The application must import or use the Config library

    A `config` expression must be present in the code

    At least one argument to the config expression must contain hardcoded credentials that are determined to be unsafe through static analysis

Vulnerable code example

import Config

config :demo, Demo.Repo,
  adapter: Ecto.Adapters.Postgres,
  username: "postgres",              # Vulnerable: hardcoded database username
  password: "SuperSecret123!",       # Vulnerable: hardcoded database password
  database: "production",
  hostname: "db.internal"

✅ Secure code example

import Config

config :demo, Demo.Repo,
  adapter: Ecto.Adapters.Postgres,
  username: System.fetch_env!("DB_USER"),      # Safe: credential comes from environment
  password: System.fetch_env!("DB_PASSWORD"), # Safe: credential comes from environment
  database: "production",
  hostname: "db.internal"