Hard-coded Password
Description
A potential hard-coded password was found in the source code. A password embedded in code ends up in version control, build artifacts and backups, and cannot be changed without a code change and a redeploy. Passwords should instead be loaded at runtime from a secure location such as a Key Management System (KMS) or secrets manager, so that every access is audited and the secret can be rotated quickly in the event of a breach.
Examples
Insecure Code

```scala
import java.security.KeyStore

// The password is a literal in the source: anyone with read access to the
// repository, the build artifact or a heap dump can recover it.
val protection = new KeyStore.PasswordProtection("mysecretpassword".toCharArray)
```

Secure Code

```scala
import java.security.KeyStore

// The password is supplied by the deployment environment, not the source.
// Note: System.getenv returns null when PASSWORD is unset, so check for that
// before calling toCharArray or the call fails with a NullPointerException.
val protection = new KeyStore.PasswordProtection(System.getenv("PASSWORD").toCharArray)
```

An environment variable is only the last hop, not a KMS: it is readable by every process running as the same user (on Linux via /proc/<pid>/environ) and is inherited by child processes. Populate it from a secrets manager at startup rather than from a checked-in .env file, or have the application fetch the secret from the KMS directly.

Remediation
Load passwords at runtime from a secure location such as a Key Management System (KMS) or secrets manager, for example Google Cloud KMS, AWS Key Management Service (KMS), or HashiCorp Vault, and grant the application only the permission it needs to read that one secret.
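A fuller version of the secure pattern, added here as an example and not part of the rule or of any particular project. It resolves the keystore password from the environment or from a file rendered by a secrets agent (the way a Vault Agent template or a Kubernetes Secret volume delivers a secret to the process), fails fast with a clear error when neither is configured, and wipes the password from memory after the keystore is opened. The variable names KEYSTORE_PASSWORD and KEYSTORE_PASSWORD_FILE and the object name are assumptions for this example.

```scala
import java.nio.charset.StandardCharsets
import java.nio.file.{Files, Path, Paths}
import java.security.KeyStore
import java.util.Arrays

// Example loader for this page; the variable names below are assumptions.
object KeyStorePasswordLoader {

  val EnvVar  = "KEYSTORE_PASSWORD"       // password passed directly
  val FileVar = "KEYSTORE_PASSWORD_FILE"  // path to a file written by a secrets agent

  /** Resolve the password as a char array, or throw if it is not configured.
    * `env` defaults to the process environment; it is a parameter so the
    * lookup can be exercised without touching the real environment. */
  def loadPassword(env: Map[String, String] = sys.env): Array[Char] =
    env.get(EnvVar).filter(_.nonEmpty) match {
      case Some(pw) => pw.toCharArray
      case None =>
        env.get(FileVar) match {
          case Some(path) =>
            val bytes = Files.readAllBytes(Paths.get(path))
            // Secrets agents usually write a trailing newline; strip it so it
            // does not become part of the password.
            new String(bytes, StandardCharsets.UTF_8).stripLineEnd.toCharArray
          case None =>
            // Fail fast at startup instead of a NullPointerException later.
            throw new IllegalStateException(
              s"Keystore password not configured: set $EnvVar or $FileVar")
        }
    }

  /** Open a PKCS12 keystore with a password that never appears in the source. */
  def openKeyStore(path: Path): KeyStore = {
    val password = loadPassword()
    try {
      val ks = KeyStore.getInstance("PKCS12")
      val in = Files.newInputStream(path)
      try ks.load(in, password) finally in.close()
      ks
    } finally {
      Arrays.fill(password, '\u0000') // do not leave the password in the heap
    }
  }

  /** The same PasswordProtection as in the secure example above, built from
    * the resolved password rather than from System.getenv directly. */
  def protection(): KeyStore.PasswordProtection =
    new KeyStore.PasswordProtection(loadPassword())
}
```

The file-based path is the one to prefer with Vault or a cloud KMS: the agent authenticates to the secrets manager with a short-lived identity, renders the secret to a file with restrictive permissions, and re-renders it on rotation, so the application never holds long-lived credentials for the KMS itself and nothing secret is visible in the process environment.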
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0059 |
| Category | Secrets |
| Severity | HIGH |
| CWE | CWE-259 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | hard-coded password, key management system |
| OWASP | N/A |