Use of hard-coded password
- Rule ID: go_gosec_secrets_secrets
- Languages: go
- Source: secrets.yml
Description
Storing sensitive information such as secret keys, passwords, or API tokens directly in source code exposes them to anyone who can read the repository, and usually to more people than that: the literals survive in version-control history after they are deleted, ship inside build artifacts and container images, and surface in code search, logs and stack traces. A secret that has ever been committed should be treated as compromised and rotated, not merely removed from the current revision.
Remediations
To protect sensitive information:
✅ Dynamic Secret Retrieval
Implement mechanisms to retrieve secrets dynamically at runtime from a secure source rather than hard-coding them in the source files, and fail closed when retrieval fails: a missing secret should stop the application from starting, never be replaced by a built-in fallback value.
✅ Environment Variables
Use environment variables to inject secrets into the application at runtime, keeping them out of the codebase. Treat them as a delivery channel rather than a store: they are readable by other processes running as the same user, inherited by every child process, and often captured in crash dumps and debug output, so do not commit .env files and never log the process environment.
✅ Secrets Management Systems
Utilize dedicated secrets management tools and services that securely store and manage sensitive information.
✅ Encrypted Configuration Files
Store secrets in configuration files that are encrypted and decrypt them at runtime within the application. The decryption key must itself come from outside the codebase (a KMS, an HSM, or an injected environment variable); a key checked in next to the encrypted file only relocates the hard-coded secret.
✅ Access Control
Ensure that the storage location for secrets has strict access controls to prevent unauthorized access.
✅ Audit and Rotate Secrets
Regularly audit access to secrets and rotate them to minimize the risk if they are compromised.
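The following Go program is an added example, not code from Bearer or gosec, showing the pattern this rule flags beside a hardened loader that follows the remediations above: secrets are resolved at runtime from an injected source, a mounted secret file takes precedence over an environment variable, a missing or blank secret fails closed, and the loaded configuration redacts itself when printed. The variable names (APP_DB_USER, APP_DB_PASSWORD, APP_API_TOKEN), the /run/secrets directory and the Postgres DSN layout are assumptions chosen for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// legacyDSN shows the pattern this rule flags: a credential as a string
// literal in the source. It is in every clone and fork, in git history after
// it is deleted, and in the data section of every binary built from it.
// The value is a placeholder, not a real credential.
func legacyDSN() string {
	password := "hunter2" // hard-coded secret (deliberately vulnerable)
	return fmt.Sprintf("postgres://app:%s@db:5432/app", password)
}

// SecretSource looks a named secret up at runtime. os.LookupEnv already has
// this signature, so it can be passed in directly.
type SecretSource func(name string) (string, bool)

// Config holds the secrets the application needs. It has no default values
// on purpose: a missing secret must be an error, never a built-in fallback.
type Config struct {
	DBUser     string
	DBPassword string
	APIToken   string
}

// ErrMissingSecret is returned when a required secret is absent or empty.
var ErrMissingSecret = errors.New("required secret is not set")

// LoadConfig resolves every secret from src and fails closed. The secret
// names are assumptions made for this example.
func LoadConfig(src SecretSource) (Config, error) {
	get := func(name string) (string, error) {
		v, ok := src(name)
		if !ok || strings.TrimSpace(v) == "" {
			return "", fmt.Errorf("%w: %s", ErrMissingSecret, name)
		}
		return v, nil
	}
	var cfg Config
	var err error
	if cfg.DBUser, err = get("APP_DB_USER"); err != nil {
		return Config{}, err
	}
	if cfg.DBPassword, err = get("APP_DB_PASSWORD"); err != nil {
		return Config{}, err
	}
	if cfg.APIToken, err = get("APP_API_TOKEN"); err != nil {
		return Config{}, err
	}
	return cfg, nil
}

// DSN builds the connection string from runtime-loaded values; it replaces legacyDSN.
func DSN(cfg Config) string {
	return fmt.Sprintf("postgres://%s:%s@db:5432/app", cfg.DBUser, cfg.DBPassword)
}

// String redacts the secrets so that logging a Config, or printing it with
// %v by accident, cannot leak them.
func (c Config) String() string {
	return fmt.Sprintf("Config{DBUser:%q DBPassword:[redacted] APIToken:[redacted]}", c.DBUser)
}

// FileSource reads each secret from <dir>/<name>, the layout Docker and
// Kubernetes use for mounted secrets. A trailing newline is stripped.
func FileSource(dir string) SecretSource {
	return func(name string) (string, bool) {
		b, err := os.ReadFile(filepath.Join(dir, name))
		if err != nil {
			return "", false
		}
		return strings.TrimRight(string(b), "\r\n"), true
	}
}

// Chain returns the first source that has the secret, so a mounted secret
// file takes precedence over an environment variable of the same name.
func Chain(sources ...SecretSource) SecretSource {
	return func(name string) (string, bool) {
		for _, s := range sources {
			if v, ok := s(name); ok {
				return v, true
			}
		}
		return "", false
	}
}

func main() {
	// /run/secrets is an assumed mount point; os.LookupEnv is the fallback.
	src := Chain(FileSource("/run/secrets"), os.LookupEnv)
	cfg, err := LoadConfig(src)
	if err != nil {
		fmt.Fprintln(os.Stderr, "startup refused:", err)
		os.Exit(1) // fail closed: no secret, no service
	}
	fmt.Println("loaded", cfg) // prints the redacted form only
	_ = legacyDSN()            // kept only to show the flagged pattern
}
```

Run it with `APP_DB_USER=app APP_DB_PASSWORD=... APP_API_TOKEN=... go run .`; leave one variable unset to see the loader refuse to start. Because LoadConfig takes the source as a parameter, tests can feed it an in-memory map without touching the real environment, and production code can swap in a client for a secrets manager without changing the loader.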
Resources
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=go_gosec_secrets_secrets
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=go_gosec_secrets_secrets