Because it is easy to extract strings from an application source code or binary, secrets should not be hard-coded. This is particularly true for applications that are distributed or that are open-source.

In the past, it has led to the following vulnerabilities:

• CVE-2022-25510
• CVE-2021-42635

Secrets should be stored outside of the source code in a configuration file or a management service for secrets.

This rule detects variables/fields/properties having a name matching a list of words (secret, token, credential, auth, api[_.-]?key) being assigned a pseudorandom hard-coded value. The pseudorandomness of the hard-coded value is based on its entropy and the probability to be human-readable. The randomness sensibility can be adjusted if needed. Lower values will detect less random values, raising potentially more false positives.

Ask Yourself Whether

• The secret allows access to a sensitive component like a database, a file storage, an API, or a service.
• The secret is used in a production environment.
• Application re-distribution is required before updating the secret.

There would be a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

• Store the secret in a configuration file that is not pushed to the code repository.
• Use your cloud provider’s service for managing secrets.
• If a secret has been disclosed through the source code: revoke it and create a new one.

Sensitive Code Example

const string mySecret = "47828a8dd77ee1eb9dde2d5e93cb221ce8c32b37";

See

• OWASP - Top 10 2021 Category A7 - Identification and Authentication Failures
• OWASP - Top 10 2017 Category A2 - Broken Authentication
• CWE - CWE-798 - Use of Hard-coded Credentials
• MSC - MSC03-J - Never hard code sensitive information