Hard-coding credentials in source code or binaries makes it easy for attackers to extract sensitive information, especially in distributed or open-source applications. This practice exposes your application to significant security risks.
This rule flags instances of hard-coded credentials used in database and LDAP connections. It looks for hard-coded credentials in connection strings, and for variable names that match any of the patterns from the provided list.
Credentials should be stored in a configuration file that is not committed to the code repository, in a database, or managed by your cloud provider’s secrets management service. If a password is exposed in the source code, it must be changed immediately.
$password = "65DBGgwe4uazdWQA"; // Noncompliant $httpUrl = "https://example.domain?user=user&password=65DBGgwe4uazdWQA" // Noncompliant $sshUrl = "ssh://user:65DBGgwe4uazdWQA@example.domain" // Noncompliant
$user = getUser(); $password = getPassword(); // Compliant $httpUrl = "https://example.domain?user=$user&password=$password" // Compliant $sshUrl = "ssh://$user:$password@example.domain" // Compliant