Hardcoded Secrets and API Keys
Severity: critical

What are Hardcoded Secrets?
API keys, database passwords, private keys, and tokens embedded directly in source code, configuration files, or environment variable definitions are trivially discoverable by anyone with repository access.
How it works
Developers embed secrets directly in code for convenience during development and forget to remove them before committing. Once pushed to a repository (even temporarily), secrets are in the git history permanently. Automated scanners crawl public repositories and can extract valid credentials within minutes of a push.
Impact
Unauthorised access to cloud infrastructure (AWS, GCP, Azure), database compromise, API abuse, cryptocurrency theft, email account takeover, and supply chain compromise through package registry tokens.
ShieldReport's Secrets Scanner uses pattern matching and entropy analysis to detect API keys, private keys, database connection strings, OAuth tokens, and other credential formats in code and configuration files.
How to fix it
Use environment variables loaded from a secret manager (AWS Secrets Manager, HashiCorp Vault, Doppler). Rotate any exposed credentials immediately. Add secret detection to pre-commit hooks and CI/CD pipelines. Use .gitignore to exclude .env files.
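The pattern-plus-entropy approach described above, as an added example that is not ShieldReport's scanner: a small Node.js detector of the kind you could wire into a pre-commit hook. The rule list, the entropy threshold and the sample lines are assumptions constructed for this demonstration.

```javascript
// Added example, not ShieldReport's scanner: known-prefix patterns plus Shannon
// entropy, as a pre-commit check. Rules and thresholds are illustrative assumptions.
const KNOWN_PATTERNS = [
  { name: 'Stripe live secret key', re: /\bsk_live_[0-9a-zA-Z]{8,}\b/ },
  { name: 'AWS access key ID', re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: 'Private key block', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
  { name: 'Database URL with password', re: /\b[a-z]+:\/\/[^:\s\/]+:[^@\s]+@[^\s'"]+/ },
];

// Shannon entropy in bits per character: prose and repeated padding score low,
// random key material of mixed case and digits scores well above 4.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Long unbroken tokens whose entropy is at or above the threshold.
function highEntropyTokens(line, threshold = 4.0) {
  const tokens = line.match(/[A-Za-z0-9+\/=_-]{20,}/g) || [];
  return tokens.filter((t) => shannonEntropy(t) >= threshold);
}

// Scan text line by line; one finding per (line, rule) so a hook can point at the line.
function scanForSecrets(text) {
  const findings = [];
  text.split('\n').forEach((line, i) => {
    for (const { name, re } of KNOWN_PATTERNS) {
      if (re.test(line)) findings.push({ line: i + 1, rule: name });
    }
    if (highEntropyTokens(line).length > 0) findings.push({ line: i + 1, rule: 'High-entropy token' });
  });
  return findings;
}

// Constructed sample diff content; the key-like values are made up, not real credentials.
const SAMPLE = [
  "const stripe = require('stripe')(process.env.STRIPE_SECRET_KEY)",        // safe: env lookup
  "const stripe = require('stripe')('sk_live_EXAMPLE0000000000000000')",    // pattern hit
  "const db = mysql.createConnection('mysql://root:password@db:3306/app')", // pattern hit
  "const token = 'b7Qx9Kf2mLp4Rz8TvW1nYc6HdJ3sGaE5'",                        // entropy hit
  '// a perfectly ordinary comment with no secrets in it',
].join('\n');
console.log(scanForSecrets(SAMPLE)); // three findings: lines 2, 3 and 4
```

In a hook, feed it the output of `git diff --cached` and fail the commit when the findings list is non-empty; the placeholder-looking Stripe key in the sample is caught by the prefix rule even though its padding keeps its entropy low, which is why both techniques are used together.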
Code example
Vulnerable

```javascript
// VULNERABLE: hardcoded API key and database password
const mysql = require('mysql')
const stripe = require('stripe')('sk_live_abc123...')
const db = mysql.createConnection('mysql://root:password@db:3306/app')
```

Secure

```javascript
// SECURE: credentials read from environment variables populated by a secret manager
const mysql = require('mysql')
const stripe = require('stripe')(process.env.STRIPE_SECRET_KEY)
const db = mysql.createConnection(process.env.DATABASE_URL)
```