logo

Database

Yaml Hardcoded Weak Credentials

Description

This vulnerability detector identifies hardcoded weak credentials in YAML configuration files, specifically targeting Helm charts and Docker Compose files. It searches for configuration entries that contain easily guessable, default, or commonly used passwords, usernames, or authentication tokens that pose a significant security risk if deployed to production environments.

Weakness:

009 - Sensitive information in source code

Category: Information Collection

Detection Strategy

    Scans YAML files that are identified as Helm charts or Docker Compose configurations

    Searches for credential-related configuration keys such as passwords, usernames, tokens, API keys, or authentication parameters

    Flags credentials that match patterns of weak or default values like 'password', 'admin', '123456', 'root', empty strings, or other commonly used weak credentials

    Reports vulnerabilities when weak credential values are found hardcoded in the YAML configuration rather than being externalized through environment variables or secure secret management

Vulnerable code example

postgresql:
  auth:
    username: testuser
    password: testpass  # Hardcoded password in config file
    postgresPassword: testpass  # Hardcoded postgres password
    database: testdb
    secretKeys:
      adminPasswordKey: password...

✅ Secure code example

postgresql:
  auth:
    username: testuser
    existingSecret: my-postgres-secret  # Use external secret instead of hardcoded password
    secretKeys:
      adminPasswordKey: postgres-password
      userPasswordKey: custom-user-password
    database: testdb...