
Typescript Hardcoded Key Material Used

Description

Identifies hardcoded cryptographic material (encryption keys, passwords, private keys, certificates) in TypeScript code. When developers embed such material directly in source code, it becomes available to anyone with read access to the repository, its history, or the built artifacts; rotating it then requires a code change and a redeploy, and every environment that ships the same code shares the same secret.

Weakness:

009 - Sensitive information in source code

Category: Information Collection

Detection Strategy

    Check string literals and variable declarations in TypeScript files for patterns that match cryptographic material (like base64-encoded keys, certificates, or password strings)

    Look for assignments or declarations where sensitive data like private keys, certificates, or passwords are directly written in the code rather than loaded from secure configuration

    Examine string content and context to determine if it contains cryptographic material like RSA keys, certificates, or other key material

    Flag instances where cryptographic secrets are hardcoded rather than being provided through secure configuration management
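The four checks above, applied to a constructed TypeScript source file, as an added example that is not the page's own detector: the scanner looks for string literals assigned to key-like identifiers, treats long base64 or hex runs as raw key bytes, finds PEM headers even inside multi-line template literals, and skips obvious placeholders. The identifier list, the 32-character length threshold, the placeholder prefixes and the sample source are all assumptions chosen for illustration.

```typescript
// Added example, not code from the original page. Patterns and thresholds
// below are assumptions chosen for illustration.

interface Finding {
  line: number;   // 1-based line number in the scanned source
  name: string;   // identifier the literal is assigned to
  reason: string; // why it was flagged
}

// Identifiers that commonly hold key material or other secrets (assumed list).
const SENSITIVE_NAME = /key|secret|password|passwd|pwd|token|cert|private/i;

// Base64 or hex runs of at least 32 characters look like raw key bytes (assumed threshold).
const LONG_BASE64 = /^[A-Za-z0-9+/]{32,}={0,2}$/;
const LONG_HEX = /^[0-9a-fA-F]{32,}$/;

// Values that are placeholders rather than real secrets are not reported (assumed list).
const PLACEHOLDER = /^(\$\{|<|USE_|YOUR_|CHANGE_?ME|TODO|REPLACE)/i;

// `const name = "literal"`, `let name: string = 'literal'`, or `name: "literal"` in an object.
const ASSIGNMENT =
  /(?:(?:const|let|var)\s+)?([A-Za-z_$][\w$]*)\s*(?::\s*[\w<>\[\]|. ]+)?\s*[:=]\s*(["'`])((?:(?!\2).)*)\2/;

// A PEM header anywhere in the file, including inside multi-line template literals.
const PEM_HEADER = /-----BEGIN ([A-Z ]+)-----/;

function scanSource(source: string): Finding[] {
  const findings: Finding[] = [];
  const lines = source.split("\n");

  // Pass 1: single-line string literals assigned to secret-like identifiers.
  lines.forEach((text, idx) => {
    const re = new RegExp(ASSIGNMENT.source, "g");
    let m: RegExpExecArray | null;
    while ((m = re.exec(text)) !== null) {
      const name = m[1];
      const value = m[3];
      if (!SENSITIVE_NAME.test(name)) continue;
      if (PLACEHOLDER.test(value)) continue;
      if (value.includes("-----BEGIN")) continue; // reported by the PEM pass instead
      if (LONG_BASE64.test(value) || LONG_HEX.test(value)) {
        findings.push({ line: idx + 1, name, reason: "encoded key material assigned to key-like identifier" });
      } else if (value.length >= 8) {
        findings.push({ line: idx + 1, name, reason: "secret string literal assigned to secret-like identifier" });
      }
    }
  });

  // Pass 2: PEM blocks, which usually span several lines, so scan the whole text.
  const pem = new RegExp(PEM_HEADER.source, "g");
  let p: RegExpExecArray | null;
  while ((p = pem.exec(source)) !== null) {
    if (/PUBLIC KEY/.test(p[1])) continue; // public keys are not secret (assumption: not in scope)
    const line = source.slice(0, p.index).split("\n").length;
    // Recover the identifier from the declaration on the header's line, if any.
    const decl = lines[line - 1].match(/([A-Za-z_$][\w$]*)\s*(?::[^=]*)?=\s*["'`]?\s*-----BEGIN/);
    findings.push({ line, name: decl ? decl[1] : "(unknown)", reason: `PEM ${p[1]} embedded in source` });
  }

  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample input (not a real file, not a real key): one benign literal,
// one base64 key, one password, one value loaded from the environment,
// one placeholder and one multi-line PEM block.
const SAMPLE_SOURCE = [
  'import { AES } from "crypto-js";',
  'const region = "us-east-1";',
  'const encryptionKey = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5";',
  "const dbPassword = 'password123';",
  "const keyFromEnv = process.env.ENCRYPTION_KEY;",
  'const keyPlaceholder = "USE_SECURE_KEY_MANAGEMENT";',
  "const signingKey = `-----BEGIN RSA PRIVATE KEY-----",
  "constructed-body-not-a-real-key",
  "-----END RSA PRIVATE KEY-----`;",
].join("\n");

const sampleFindings = scanSource(SAMPLE_SOURCE); // flags lines 3, 4 and 7
for (const f of sampleFindings) {
  console.log(`line ${f.line}: ${f.name}: ${f.reason}`);
}
```

The first pass deliberately keys on the identifier name so that ordinary string constants such as region names are not reported; the second pass does not need a name at all, because a PEM header in source is a finding regardless of what it is assigned to. A real detector would parse the file with the TypeScript compiler API instead of line regexes, but the two-pass structure (literal plus context, then format-specific markers) is the same.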

Vulnerable code example

import { enc } from "crypto-js";

// The secret itself is hardcoded in the source file, so anyone with repository
// access already has it. Encoding it does not help: Base64, UTF-16 and Hex are
// reversible transformations, not encryption.
const sensitiveData = "password123";                    // Hardcoded secret
const rawBytes = enc.Utf8.parse(sensitiveData);         // WordArray of the UTF-8 bytes
const base64Data = enc.Base64.stringify(rawBytes);      // Unsafe: Base64 is encoding, not encryption
const utf16Data = enc.Utf16.stringify(rawBytes);        // Unsafe: UTF-16 is encoding, not encryption
const hexData = enc.Hex.stringify(rawBytes);            // Unsafe: Hex is encoding, not encryption

✅ Secure code example

import { AES } from "crypto-js";

// Load the key from the environment, populated at deploy time by a secrets
// manager or secure configuration; it never appears in the source or the repository.
const encryptionKey = process.env.ENCRYPTION_KEY;
if (!encryptionKey) {
  throw new Error("ENCRYPTION_KEY is not configured");
}

// Encrypt the sensitive data properly instead of just encoding it.
// Note: crypto-js treats a string key as a passphrase and derives the actual AES key
// from it with OpenSSL's EVP_BytesToKey (MD5-based), so the passphrase must be long and random.
const sensitiveData = "password123";
const encryptedData = AES.encrypt(sensitiveData, encryptionKey).toString();  // Proper encryption, not just encoding