Description

The source code repository contains sensitive information such as usernames, passwords, email addresses and IP addresses, among others. Even when the values are placeholders such as password=123 or aws.secret_key=test, they reveal the bad practice of storing sensitive information in the repository without encryption, and sooner or later they can be replaced with real sensitive values.

Impact

Get sensitive information or private secrets.

Recommendation

- Delete all hardcoded sensitive information.
- Change all affected access credentials.
- Remove sensitive information from git logs.
- Load sensitive data from safe sources such as key vault services, properly encrypted configuration files or administrative environment variables.

Threat

Anonymous attacker with access to the source-code from the Internet.

Expected Remediation Time

⏱️ 30 minutes.

Details

Why

When secret credentials are compromised, we always generate a vulnerability report, whether the credentials are mocks or are functional only in specific scenarios such as local environments. The risk of this scenario is usually reflected in the severity tab. For local environment credentials the risk is low, but not zero.

Hence, to solve this vulnerability we recommend removing the credentials from the source code, changing the compromised credentials and, ideally, removing the credentials from the git log. In some cases the last recommendation cannot be applied because it would cause traceability issues. If that is the case, in addition to removing the credentials from the code, we require a customer confirmation that the credentials were changed in order to close the vulnerability.
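The following is an added example, not code from the original page or from the scanner it describes. It illustrates both the Recommendation list and the point made above: a minimal scanner that flags hardcoded credentials in configuration text (including mock values like password=123, which are reported too), beside a loader that reads the same values from environment variables and fails closed when they are missing. The file contents, file names, rule names and the MissingSecret exception are all constructed for this example.

```python
"""Added example (not part of the original page or its scanner):
flag hardcoded credentials in config text, and load secrets from the
environment instead. Sample files and rule names are constructed."""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample files: a Java-style properties file and a shell-style .env.
SAMPLE_FILES: Dict[str, str] = {
    "app.properties": (
        "db.host=db.internal\n"
        "db.user=svc_app\n"
        "password=123\n"                    # a mock value is still a finding
        "aws.secret_key=test\n"
        "aws.access_key_id=AKIAIOSFODNN7EXAMPLE\n"
    ),
    ".env": (
        "API_URL=https://api.example.internal\n"
        "GITHUB_TOKEN=${GITHUB_TOKEN}\n"   # placeholder resolved at runtime: not a finding
        "SLACK_WEBHOOK=https://hooks.slack.com/services/T000/B000/XXXX\n"
    ),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    key: str


# Keys whose value is a credential regardless of what the value looks like.
SENSITIVE_KEY = re.compile(
    r"(password|passwd|pwd|secret|token|api[_.-]?key|private[_.-]?key)", re.I
)
# Well-known token shapes, matched on the value independently of the key name.
VALUE_RULES = {
    "AWS Access Key": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "Slack Webhook Url": re.compile(r"https://hooks\.slack\.com/services/\S+"),
}
# Values that are references to the environment (${VAR}, $VAR) or empty, not secrets.
PLACEHOLDER = re.compile(r"^(\$\{?[A-Z_][A-Z0-9_]*\}?)?$")


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one Finding per key=value line that carries a hardcoded credential."""
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        value = value.strip("\"'")
        for rule, pat in VALUE_RULES.items():
            if pat.search(value):
                findings.append(Finding(path, n, rule, key))
                break
        else:  # no value-shape rule hit: fall back to the key name
            if SENSITIVE_KEY.search(key) and not PLACEHOLDER.match(value):
                findings.append(Finding(path, n, "Hardcoded Sensitive Value", key))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


class MissingSecret(RuntimeError):
    """Raised when a required secret is absent; the service must not start."""


def load_secret(name: str, env: Optional[Dict[str, str]] = None) -> str:
    """Read a secret from the process environment (populated by the deployment
    platform or a vault injector). Fail closed: no default baked into the code."""
    src = os.environ if env is None else env
    value = src.get(name, "").strip()
    if not value:
        raise MissingSecret(f"{name} is not set; refusing to start with a default")
    return value


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.rule} ({f.key})")
    # After the secret is moved out of the repository, the application reads it like this:
    print(load_secret("DB_PASSWORD", {"DB_PASSWORD": "rotated-value-from-vault"}))
```

Note that the scanner reports password=123 and aws.secret_key=test even though they are obviously not real, which is the behaviour described above; only a reference such as ${GITHUB_TOKEN} is accepted as a non-finding. Rotating the exposed values and rewriting git history remain separate steps that this snippet does not perform.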

Rules

- Yaml Env Sensitive Value Exposed
- Typescript Kony Hardcoded Encryption Key
- Java Use Of Hardcoded Password
- Json Yaml Hardcoded Aws Credentials
- Properties Exposed Credentials And Tokens
- Javascript Hardcoded Key Material Used
- Json Connection String With Password Exposed
- Javascript Hardcoded Aws Credentials Configured
- Typescript Hardcoded Aws Credentials Configured
- Swift Hardcoded Jwt Token Used
- Config Files Exposed Aws Credentials
- Swift Hardcoded Cryptographic Key
- Php Hardcoded Cryptographic Key
- Json Exposed Api Key In Value
- Java Csrf Handler Hardcoded Secret
- Go Hardcoded Aws Secret Access Key
- Config Files Hardcoded Secrets In Configs
- Config Files Hardcoded Credentials In Config
- Config Files Connection String With Password Exposed
- Kotlin Hardcoded Jwt Token Used
- Docker Wget Password Hardcoded
- Typescript Hardcoded Key Material Used
- Docker Env Sensitive Value Exposed
- Java Hardcoded Aws Or Jwt Token
- Python Hardcoded Auth Header Value
- Javascript Kony Hardcoded Encryption Key
- Json Connection String Client Secret Exposed
- Json Exposed Password And Client Ids
- Python Hardcoded Jwt Token Used
- Databricks Token
- Bitbucket App Password
- Properties Exposed Credentials
- Mistral Api Key
- Grafana Token
- Deepseek Api Key
- Azure Devops Personal Access Token
- Alibaba Access Key Id
- Gcp Service Account Key
- Atlassian Api Token
- Dynatrace Api Token
- Mailgun Api Token
- Fastly Api Token
- Mailchimp Api Key
- Json Api Key
- Flutterwave Secret Key
- Algolia Admin Key
- Elastic Api Key
- Airtable Pat
- Digitalocean Personal Access Token
- Okta Api Token
- Groq Api Key
- Discord Webhook Url
- Intercom Api Key
- Cohere Api Key
- Slack Token
- Docker Wget Password
- Pypi Upload Token
- Launchdarkly Api Key
- Beamer Api Key
- Huggingface Access Token
- Ibm Api Key
- Gocardless Api Token
- Circleci Api Token
- Confluent Secret Key
- Aws Access Key
- Slack Webhook Url
- Gitlab Api Token
- Maxmind License Key
- Replicate Api Key
- Stripe Secret Key
- Contentful Personal Access Token
- Azure Sas Token
- Datadog Api Key
- Aws Cognito Secret Key
- Langfuse Api Key
- Mapbox Api Token
- Figma Personal Access Token
- Mailgun Api Key
- Perplexity Api Key
- Azure Api Key
- Frameio Api Token
- Buildkite Api Token
- Droneci Access Token
- Langchain Api Key
- Mongodb Connection String
- Planetscale Api Token
- Aiven Api Key
- Hashicorp Token
- Database Connection String Hardcoded Password
- Aws Session Token
- Linear Api Token
- Hubspot Api Token
- Netlify Personal Access Token
- Sonar Api Token
- Aws Secret Access Key
- Terraform Cloud Token
- Microsoft Webhook Url
- Npm Access Token
- Dockerhub Access Token
- Lob Api Key
- Alibaba Access Key Secret
- Facebook Access Token
- Assemblyai Api Key
- Pinecone Api Key
- Rubygems Api Token
- Duffel Api Token
- Grafana Api Key
- Grafana Api Token
- Doppler Token
- Anthropic Api Key
- Jfrog Api Key
- Github Pat
- Openai Api Key
- Deepgram Api Key
- Docker Env Sensitive Value
- Dotnet Hardcoded Password
- Dropbox Access Token
- Scaleway Secret Key
- Vultr Api Key
- Notion Api Token
- Heroku Api Key
- Nvidia Api Key
- Clarifai Api Key
- Postgresql Connection String
- Pagerduty Api Token
- Confluent Api Key
- Newrelic Api Key
- Netlify Access Token
- Plaid Access Token
- Messagebird Api Key
- Gcp Api Key
- Gitlab Personal Access Token