Usage of hard-coded secret
- Rule ID: go_gosec_secrets_secrets
- Languages: go
- Source: secrets.yml
Description
Storing secrets like keys, passwords, or API tokens in your source code introduces a significant security risk. If your code is exposed or accessed improperly, these secrets can be easily obtained by attackers.
Remediations
- Do implement dynamic secret retrieval. Fetch secrets at runtime from a secure source instead of embedding them in your source files.
- Do use environment variables to provide secrets to your application at runtime, keeping them out of your source code.
- Do utilize secrets management systems. These tools securely store and handle sensitive information away from your codebase.
- Do store secrets in encrypted configuration files. Decrypt these secrets only within the application at runtime.
- Do ensure strict access control for the storage locations of your secrets to prevent unauthorized access.
- Do regularly audit and rotate secrets to reduce risks in case they are compromised.
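The first two remediations applied in Go, as an added example that is not part of the Bearer rule or of gosec: the secret is resolved at runtime from the environment (or from a mounted secret file, an assumption of this example) and startup fails closed when it is absent. The variable names and the placeholder literal are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// The pattern this rule flags, a credential literal in source (constructed placeholder, not a real key):
//	const apiToken = "sk_live_PLACEHOLDER_0123456789"
// The code below keeps the value out of the repository and the binary instead.

// ErrMissingSecret is returned when no source provides the requested secret.
var ErrMissingSecret = errors.New("required secret is not set")

// LoadSecret resolves a secret at runtime, trying two sources in order:
//  1. the environment variable NAME itself;
//  2. a file whose path is given in NAME_FILE (the mounted-secret convention used by
//     container orchestrators; assumed here, not part of the rule).
// It fails closed: an unset or blank value is an error, never an empty secret.
func LoadSecret(name string) (string, error) {
	if v, ok := os.LookupEnv(name); ok && strings.TrimSpace(v) != "" {
		return strings.TrimSpace(v), nil
	}
	if path, ok := os.LookupEnv(name + "_FILE"); ok && path != "" {
		data, err := os.ReadFile(path)
		if err != nil {
			return "", fmt.Errorf("reading %s_FILE: %w", name, err)
		}
		if s := strings.TrimSpace(string(data)); s != "" {
			return s, nil
		}
	}
	return "", fmt.Errorf("%w: %s (or %s_FILE)", ErrMissingSecret, name, name)
}

func main() {
	// Abort startup rather than run with a missing credential.
	token, err := LoadSecret("API_TOKEN")
	if err != nil {
		fmt.Fprintln(os.Stderr, "startup aborted:", err)
		os.Exit(1)
	}
	// Never print the secret itself; report only that it was loaded.
	fmt.Printf("loaded API_TOKEN (%d bytes)\n", len(token))
}
```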
References
- Associated CWE
- OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --skip-rule=go_gosec_secrets_secrets
To run only this rule during a scan, use the following flag:
bearer scan /path/to/your-project/ --only-rule=go_gosec_secrets_secrets