Hard-coding secrets in source code or binaries makes it easy for attackers to extract sensitive information, especially in distributed or open-source applications. This practice exposes credentials and tokens, increasing the risk of unauthorized access and data breaches.
This rule detects variables/fields having a name matching a list of words (secret, token, credential, auth, api[_.-]?key) being assigned a pseudorandom hard-coded value. The pseudorandomness of the hard-coded value is based on its entropy and the probability to be human-readable. The randomness sensibility can be adjusted if needed. Lower values will detect less random values, raising potentially more false positives.
Secrets should be stored in a configuration file that is not committed to the code repository, in a database, or managed by your cloud provider’s secrets management service. If a secret is exposed in the source code, it must be rotated immediately.
$secret = '47828a8dd77ee1eb9dde2d5e93cb221ce8c32b37'; // Noncompliant MyClass->callMyService($secret);
Using AWS Secrets Manager:
use Aws\SecretsManager\SecretsManagerClient;
use Aws\Exception\AwsException;
$client = new SecretsManagerClient(...);
$secretName = 'example';
doSomething($client, $secretName)
function doSomething($client, $secretName) {
try {
$result = $client->getSecretValue([
'SecretId' => $secretName,
]);
} catch (AwsException $e) {
...
}
if (isset($result['SecretString'])) {
$secret = $result['SecretString'];
} else {
$secret = base64_decode($result['SecretBinary']);
}
// do something with the secret
MyClass->callMyService($secret);
}