Why is this an issue?

Hard-coding credentials in source code or binaries makes it easy for attackers to extract sensitive information, especially in distributed or open-source applications. This practice exposes your application to significant security risks.

This rule flags instances of hard-coded credentials used in database and LDAP connections. It looks for hard-coded credentials in connection strings, and for variable names that match any of the patterns from the provided list.

In the past, it has led to the following vulnerabilities:

• CVE-2019-13466
• CVE-2018-15389

How to fix it

Credentials should be stored in a configuration file that is not committed to the code repository, in a database, or managed by your cloud provider’s secrets management service. If a password is exposed in the source code, it must be changed immediately.

Code Examples

Noncompliant code example

apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  containers:
    - name: my-container
      env:
        - name: password
          value: f68rth6sd5g61gs5  # Noncompliant

Compliant solution

apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  containers:
    - name: my-container
      env:
        - name: password
          valueFrom:
            secretKeyRef:
              name: my-secret
              key: password-key

Resources

• OWASP - Top 10 2021 Category A7 - Identification and Authentication Failures
• OWASP - Top 10 2017 Category A2 - Broken Authentication
• CWE - CWE-798 - Use of Hard-coded Credentials
• CWE - CWE-259 - Use of Hard-coded Password
• Derived from FindSecBugs rule Hard Coded Password