Hard-coded secret detected.
- Rule ID: javascript_express_hardcoded_secret
- Languages: javascript
- Source: hardcoded_secret.yml
Description
Code is not a safe place to store secrets. Use environment variables or a secret management system instead.
Remediations
❌ Do not store plaintext secrets in your code

```javascript
app.use(
  session({
    secret: "shh-my-secret",
    name: "my-custom-session-name",
  })
)
```
✅ Use environment variables

```javascript
app.use(
  session({
    secret: process.env.secret,
    name: "my-custom-session-name",
  })
)
```
✅ Use a secret management system or, even better, a key management service (KMS) with encryption
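The following is an added example, not Bearer's own code or a sample from the rule, showing the environment-variable remediation carried a step further: the secret is loaded with a fail-fast check so the app never starts with an empty or weak session secret, rotation is supported by passing a list (express-session accepts an array of secrets), and a small literal-string check in the spirit of this rule is run over constructed sample source. The variable name `SESSION_SECRET`, the 32-character minimum and the regex are assumptions made for this example, not requirements of express-session or of Bearer's rule.

```javascript
// Added example (not Bearer's code). Assumptions: env var SESSION_SECRET,
// a 32-character minimum length, and a comma-separated list for rotation.
const MIN_SECRET_LENGTH = 32;

// Read the session secret(s) from an env-like object. A comma-separated value
// yields an array so the first (newest) entry signs new cookies while older
// entries still verify existing ones during rotation. Refuse to run without one.
function loadSessionSecret(env = process.env, name = "SESSION_SECRET") {
  const raw = env[name];
  if (typeof raw !== "string" || raw.trim() === "") {
    throw new Error(`${name} is not set; refusing to start without a session secret`);
  }
  const secrets = raw.split(",").map((s) => s.trim()).filter(Boolean);
  for (const s of secrets) {
    if (s.length < MIN_SECRET_LENGTH) {
      throw new Error(`${name} contains a secret shorter than ${MIN_SECRET_LENGTH} characters`);
    }
  }
  return secrets.length === 1 ? secrets[0] : secrets;
}

// Build the options object handed to session(); no secret literal appears in
// source, and the cookie flags are tightened alongside.
function buildSessionOptions(env = process.env) {
  return {
    secret: loadSessionSecret(env),
    name: "my-custom-session-name",
    resave: false,
    saveUninitialized: false,
    cookie: {
      httpOnly: true,
      secure: env.NODE_ENV === "production",
      sameSite: "lax",
    },
  };
}

// A narrow check in the spirit of the rule: flag a `secret:` property whose
// value is a string literal. Constructed regex, far simpler than Bearer's rule;
// it reports the 1-based line and the literal found.
function findHardcodedSessionSecrets(source) {
  const findings = [];
  const re = /\bsecret\s*:\s*(['"`])([^'"`]*)\1/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    const line = source.slice(0, m.index).split("\n").length;
    findings.push({ line, value: m[2] });
  }
  return findings;
}

// Constructed sample source: one hard-coded secret, one env-based secret.
const SAMPLE_SOURCE = [
  "app.use(",
  "  session({",
  '    secret: "shh-my-secret",',
  '    name: "my-custom-session-name",',
  "  })",
  ")",
  "app.use(session({ secret: process.env.SESSION_SECRET }))",
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log(findHardcodedSessionSecrets(SAMPLE_SOURCE));
  console.log(buildSessionOptions({ SESSION_SECRET: "x".repeat(40), NODE_ENV: "production" }));
}
```

`buildSessionOptions()` is what you would pass to `session(...)` in `app.use`; because `loadSessionSecret()` throws at startup rather than at the first request, a missing secret surfaces in deployment checks instead of as cookies signed with `undefined`.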
Resources
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag

```shell
bearer scan /path/to/your-project/ --skip-rule=javascript_express_hardcoded_secret
```

To run only this rule during a scan, use the following flag

```shell
bearer scan /path/to/your-project/ --only-rule=javascript_express_hardcoded_secret
```