Use of hard-coded password
- Rule ID: go_gosec_secrets_secrets
- Languages: go
- Source: secrets.yml
Storing sensitive information such as secret keys, passwords, or API tokens directly in source code can lead to security vulnerabilities. This practice makes it easy for malicious actors to access these secrets if the codebase is exposed or improperly accessed.
To protect sensitive information:
✅ Dynamic Secret Retrieval
Implement mechanisms to retrieve secrets dynamically at runtime from a secure source rather than hardcoding them in the source files.
✅ Environment Variables
Use environment variables to inject secrets into the application at runtime, keeping them out of the codebase.
✅ Secrets Management Systems
Utilize dedicated secrets management tools and services that securely store and manage sensitive information.
✅ Encrypted Configuration Files
Store secrets in configuration files that are encrypted and decrypt them at runtime within the application.
✅ Access Control
Ensure that the storage location for secrets has strict access controls to prevent unauthorized access.
✅ Audit and Rotate Secrets
Regularly audit access to secrets and rotate them to minimize the risk if they are compromised.
OWASP Top 10
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=go_gosec_secrets_secrets
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=go_gosec_secrets_secrets
Ready to take the next step? Learn more about Bearer Cloud.