Usage of hard-coded password

Description

Basic authentication restricts access to a web application by requiring users to provide a username and password. Passwords should never be stored in plain text in the source code; read them from environment variables instead.

Remediations

✅ If you have to use basic authentication, do not store the password in plain text but use an environment variable instead

  # name: is required by http_basic_authenticate_with; both values come from the environment
  http_basic_authenticate_with name: ENV["basic_auth_user"], password: ENV["basic_auth_password"]
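The following is an added example and not code from the Bearer page or the Bearer project. It shows two things a practitioner usually wants alongside this rule: a small lint, in the spirit of what the rule reports, that flags `http_basic_authenticate_with` calls whose `password:` argument is a string literal, and a credentials loader that reads from the environment with `fetch` so a missing secret fails at boot instead of surfacing as a broken login. The environment variable names `BASIC_AUTH_USER` and `BASIC_AUTH_PASSWORD` and the controller snippets are assumptions constructed for the example; no Rails installation is needed to run it.

```ruby
# Added example (not from the Bearer rule page): a minimal lint for hard-coded
# basic-auth passwords plus a fail-fast loader for the remediated form.
# BASIC_AUTH_USER / BASIC_AUTH_PASSWORD are assumed variable names.

CALL             = /http_basic_authenticate_with\b/
LITERAL_PASSWORD = /\bpassword:\s*(?:"[^"]*"|'[^']*')/          # password: "..." or '...'
ENV_PASSWORD     = /\bpassword:\s*ENV(?:\.fetch\(|\[)\s*["'][A-Za-z0-9_]+["']/

# Collect each http_basic_authenticate_with call as one string, joining keyword
# arguments that were continued on following lines (a line ending in a comma).
def basic_auth_call_sites(source)
  lines = source.lines
  sites = []
  i = 0
  while i < lines.size
    if lines[i].match?(CALL)
      start = i + 1
      text = lines[i].rstrip
      while text.end_with?(",") && i + 1 < lines.size
        i += 1
        text << " " << lines[i].strip
      end
      sites << { line: start, text: text.strip }
    end
    i += 1
  end
  sites
end

# Returns [{line:, text:}] for every call whose password is a plain-text literal.
def hardcoded_basic_auth_passwords(source)
  basic_auth_call_sites(source).select do |site|
    site[:text].match?(LITERAL_PASSWORD) && !site[:text].match?(ENV_PASSWORD)
  end
end

# Resolve credentials from an environment hash (ENV in a real app).
# ENV["x"] silently returns nil when unset; fetch raises KeyError, so a
# missing secret is noticed when the process starts.
def basic_auth_credentials(env = ENV)
  name     = env.fetch("BASIC_AUTH_USER")
  password = env.fetch("BASIC_AUTH_PASSWORD")
  raise ArgumentError, "BASIC_AUTH_PASSWORD must not be empty" if password.strip.empty?
  { name: name, password: password }
end

# Constructed controller sources: the pattern the rule flags, and the remediated one.
INSECURE_SOURCE = <<~RUBY
  class AdminController < ApplicationController
    http_basic_authenticate_with name: "admin",
                                 password: "hunter2"
  end
RUBY

REMEDIATED_SOURCE = <<~RUBY
  class AdminController < ApplicationController
    http_basic_authenticate_with name: ENV.fetch("BASIC_AUTH_USER"),
                                 password: ENV.fetch("BASIC_AUTH_PASSWORD")
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  hardcoded_basic_auth_passwords(INSECURE_SOURCE).each do |f|
    puts "line #{f[:line]}: hard-coded basic auth password: #{f[:text]}"
  end
  puts "remediated source: #{hardcoded_basic_auth_passwords(REMEDIATED_SOURCE).size} finding(s)"
  creds = basic_auth_credentials({ "BASIC_AUTH_USER" => "admin", "BASIC_AUTH_PASSWORD" => "from-env" })
  puts "loaded credentials for #{creds[:name]}"
end
```

The lint is line-oriented on purpose: it joins only comma-continued argument lists, which is enough for the call shapes above, and it treats anything that is not a quoted literal (an `ENV` lookup, a credentials object) as remediated. The loader rejects an empty string as well as a missing variable, since an empty `BASIC_AUTH_PASSWORD` would otherwise pass `fetch` and leave the endpoint protected by a blank password.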

Resources

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_rails_insecure_http_password

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_rails_insecure_http_password