Usage of hard-coded secret

  • Rule ID: go_gosec_secrets_secrets
  • Languages: go
  • Source: secrets.yml


Storing secrets like keys, passwords, or API tokens in your source code introduces a significant security risk. If your code is exposed or accessed improperly, these secrets can be easily obtained by attackers.


  • Do implement dynamic secret retrieval. Fetch secrets at runtime from a secure source instead of embedding them in your source files.
  • Do use environment variables to provide secrets to your application at runtime, keeping them out of your source code.
  • Do utilize secrets management systems. These tools securely store and handle sensitive information away from your codebase.
  • Do store secrets in encrypted configuration files. Decrypt these secrets only within the application at runtime.
  • Do ensure strict access control for the storage locations of your secrets to prevent unauthorized access.
  • Do regularly audit and rotate secrets to reduce risks in case they are compromised.


Associated CWE

OWASP Top 10


To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gosec_secrets_secrets

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gosec_secrets_secrets