Usage of hard-coded secret

  • Rule ID: go_gosec_secrets_secrets
  • Languages: go
  • Source: secrets.yml

Description

Storing secrets like keys, passwords, or API tokens in your source code introduces a significant security risk. If your code is exposed or accessed improperly, these secrets can be easily obtained by attackers.

Remediations

  • Do implement dynamic secret retrieval. Fetch secrets at runtime from a secure source instead of embedding them in your source files.
  • Do use environment variables to provide secrets to your application at runtime, keeping them out of your source code.
  • Do utilize secrets management systems. These tools securely store and handle sensitive information away from your codebase.
  • Do store secrets in encrypted configuration files. Decrypt these secrets only within the application at runtime.
  • Do ensure strict access control for the storage locations of your secrets to prevent unauthorized access.
  • Do regularly audit and rotate secrets to reduce risks in case they are compromised.
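The first two remediations applied in Go, as an added example that is not part of the Bearer rule page: the hard-coded constant is the pattern this rule flags, while LoadAPIToken takes the secret from the runtime environment (or a secrets manager wired in through the lookup function) and fails closed when it is absent. The variable name API_TOKEN and the placeholder token value are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// Before: the token lives in the source file and in every clone of the repository.
// This is the pattern go_gosec_secrets_secrets reports (constructed placeholder value).
const hardcodedAPIToken = "EXAMPLE-TOKEN-DO-NOT-USE"

// LoadAPIToken is the hardened form: the secret is supplied at runtime through
// lookup (os.LookupEnv in production, or an adapter over a secrets manager) and
// never appears in the code base. The variable name API_TOKEN is an assumption.
func LoadAPIToken(lookup func(string) (string, bool)) (string, error) {
	token, ok := lookup("API_TOKEN")
	if !ok || token == "" {
		// Fail closed: a missing secret is a deployment error, not a reason to
		// fall back to a default baked into the binary.
		return "", errors.New("API_TOKEN is not set; provide it via the environment or a secrets manager")
	}
	return token, nil
}

// Redact keeps logs free of the secret while still letting operators confirm
// which credential was loaded.
func Redact(secret string) string {
	if len(secret) <= 4 {
		return "****"
	}
	return secret[:2] + "****" + secret[len(secret)-2:]
}

func main() {
	token, err := LoadAPIToken(os.LookupEnv)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("loaded API token:", Redact(token))
}
```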

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=go_gosec_secrets_secrets

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=go_gosec_secrets_secrets