Usage of hard-coded password

Description

Basic authentication restricts access to a web application by requiring users to provide a username and password. Passwords should never be stored in plain text. We should use environment variables instead.

Remediations

❌ If you have to use basic authentication, do not store the password in plain text but use an environment variable instead

  http_basic_authenticate_with password: ENV["basic_auth_password"]

Resources

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_rails_insecure_http_password

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_rails_insecure_http_password

Ready to take the next step? Learn more about Bearer Cloud.