Usage of hard-coded password

Description

Storing passwords in plain text within your code, for example the password passed to `http_basic_authenticate_with`, poses a significant security risk. Anyone who can read the source (a leaked repository, a compromised developer machine, a build artifact) obtains the credential, and rotating it requires a code change and a redeploy.

Remediations

  • Do not hard-code passwords directly in your code. This makes your application vulnerable if the source code is ever exposed.
      http_basic_authenticate_with password: "hardcoded_password" # unsafe
  • Do use environment variables (or your framework's credential store) to hold sensitive information such as passwords. This keeps credentials out of your codebase and lets you rotate them without a code change.
      http_basic_authenticate_with password: ENV["basic_auth_password"]
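The following is an added example, not code from Bearer or from Rails: it shows a plain-Ruby version of the safe pattern, reading the password from the `basic_auth_password` environment variable named above, failing closed when it is missing, and checking an incoming Basic header with a constant-time comparison. The helper names (`basic_auth_password`, `secure_compare`, `basic_auth_valid?`) are this example's own.

```ruby
require "digest"

# Read the basic-auth password from the environment. Fail closed: an unset or
# empty variable must never silently become "no password required".
def basic_auth_password(env = ENV)
  value = env["basic_auth_password"]
  raise KeyError, "basic_auth_password is not set" if value.nil? || value.empty?
  value
end

# Constant-time string comparison. Both sides are hashed first so that the
# byte-by-byte loop always runs over fixed-length inputs, then an exact
# equality check guards against the (negligible) chance of a digest collision.
def secure_compare(a, b)
  da = Digest::SHA256.digest(a)
  db = Digest::SHA256.digest(b)
  diff = 0
  da.bytes.zip(db.bytes) { |x, y| diff |= x ^ y }
  diff.zero? && a == b
end

# Validate an "Authorization: Basic <base64(name:password)>" header value
# against the expected credentials. Returns true only on an exact match.
def basic_auth_valid?(authorization_header, expected_name, expected_password)
  return false unless authorization_header.is_a?(String)
  scheme, encoded = authorization_header.split(" ", 2)
  return false unless scheme&.casecmp?("Basic") && encoded
  begin
    decoded = encoded.strip.unpack1("m0")   # strict base64 decode, no gem needed
  rescue ArgumentError
    return false                            # malformed base64 is rejected
  end
  name, password = decoded.split(":", 2)
  return false if name.nil? || password.nil?
  # Single & (not &&) so both comparisons always run, regardless of the first.
  secure_compare(name, expected_name) & secure_compare(password, expected_password)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo values; a real application reads the process ENV instead.
  env = { "basic_auth_password" => "example-only" }
  header = "Basic " + ["admin:example-only"].pack("m0")
  puts basic_auth_valid?(header, "admin", basic_auth_password(env))
end
```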

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=ruby_rails_insecure_http_password

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=ruby_rails_insecure_http_password