Usage of hard-coded password
- Rule ID: ruby_rails_insecure_http_password
- Languages: ruby
- Source: insecure_http_password.yml
Description
Basic authentication restricts access to a web application by requiring the client to send a username and password with each request. When that password is written as a string literal in the controller, it is committed to source control, readable by everyone with access to the repository, identical across every environment, and can only be rotated by shipping new code. Read the password from an environment variable (or another runtime secret store) instead of hard-coding it.
Remediations
✅ If you have to use basic authentication, do not store the password in plain text but use an environment variable instead

```ruby
http_basic_authenticate_with password: ENV["basic_auth_password"]
```
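The following is an added, stand-alone example (not Bearer's or Rails' own code) that mirrors what `http_basic_authenticate_with` does internally, so the remediation can be exercised outside a Rails app: the password comes from the environment via `ENV.fetch`, which raises at load time if the variable is missing (plain `ENV["..."]` silently returns `nil`), and the credential check uses a constant-time comparison. The function names (`check_basic_auth`, `configured_password`, `build_request`), the constant `BASIC_AUTH_ENV_VAR`, and the Rack-style request hash are assumptions for illustration.

```ruby
# Added example, not part of the Bearer rule or Rails. Shows the remediation
# (password sourced from the environment, fail closed if unset) together with
# the credential check that http_basic_authenticate_with performs.
require "base64"

# Assumed variable name, matching the remediation above.
BASIC_AUTH_ENV_VAR = "basic_auth_password"

# Constant-time comparison: a wrong guess must not reveal how many leading
# bytes matched. Length mismatch is the only early exit.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  result = 0
  a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
  result.zero?
end

# Reads the password from the environment (an ENV-like Hash is accepted for
# testing). Raises KeyError when the variable is absent instead of returning
# nil, so a misconfigured deployment fails at boot rather than at first login.
def configured_password(env = ENV)
  env.fetch(BASIC_AUTH_ENV_VAR) { |key| raise KeyError, "#{key} is not set" }
end

# Parses the Authorization header of a Rack-style env hash and validates the
# Basic credential. Returns true only for a well-formed, matching credential.
def check_basic_auth(rack_env, expected_name:, expected_password:)
  header = rack_env["HTTP_AUTHORIZATION"].to_s
  scheme, encoded = header.split(" ", 2)
  return false unless scheme && scheme.casecmp?("Basic") && encoded

  decoded = begin
    Base64.strict_decode64(encoded)
  rescue ArgumentError
    return false # malformed base64 is rejected, not treated as empty
  end
  name, password = decoded.split(":", 2)
  return false if name.nil? || password.nil?

  # Single & (not &&) so both comparisons always run; no early-exit timing signal.
  secure_compare(name, expected_name) & secure_compare(password, expected_password)
end

# Builds a constructed request hash carrying a Basic credential, for testing.
def build_request(name, password)
  { "HTTP_AUTHORIZATION" => "Basic " + Base64.strict_encode64("#{name}:#{password}") }
end

if $PROGRAM_NAME == __FILE__
  # Constructed value for a local run only; in a deployment the variable is
  # set by the environment, never by the code.
  ENV[BASIC_AUTH_ENV_VAR] ||= "example-only-secret"
  request = build_request("admin", ENV[BASIC_AUTH_ENV_VAR])
  puts check_basic_auth(request, expected_name: "admin",
                                 expected_password: configured_password)
end
```

In Rails, `http_basic_authenticate_with password: ENV.fetch("basic_auth_password")` gives the same fail-closed behaviour at class load as `configured_password` does here; with `ENV["basic_auth_password"]` an unset variable yields a `nil` password and the failure is only discovered when a request arrives.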
Resources
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag

```shell
bearer scan /path/to/your-project/ --skip-rule=ruby_rails_insecure_http_password
```

To run only this rule during a scan, use the following flag

```shell
bearer scan /path/to/your-project/ --only-rule=ruby_rails_insecure_http_password
```