Hardcoded Secrets
detect, understand, remediate
Hardcoded secrets (API keys, passwords, tokens, and private keys embedded in source code) are a leading cause of data breaches when code is shared, committed to repositories, or decompiled.
No credit card required. Free plan available forever.
What are hardcoded secrets?
Hardcoded secrets are sensitive credentials (such as API keys, database passwords, encryption keys, and access tokens) that are embedded directly in source code, configuration files, or CI/CD pipelines. When these secrets are committed to version control, they become accessible to anyone with repository access and persist in the git history even after deletion.
This vulnerability is one of the most common causes of data breaches. Automated bots continuously scan public repositories on GitHub, GitLab, and Bitbucket for exposed credentials. Once found, secrets are typically exploited within minutes, often before the developer realises the mistake.
Even in private repositories, hardcoded secrets violate the principle of least privilege. Every developer with code access gains access to production credentials, and secrets scattered across the codebase are nearly impossible to rotate efficiently during an incident.
How it works
Secrets committed to code
A developer hardcodes an API key, password, or token directly in source code or a configuration file and commits it to the repository.
Repository exposed
The repository is public, or an attacker gains access through a compromised developer account, leaked backup, or insider threat.
Secrets discovered
Automated scanning tools or manual code review reveal the embedded credentials. Bots can find public repo secrets in under a minute.
Credentials exploited
The attacker uses the secrets to access databases, cloud services, third-party APIs, or internal systems with full privileges.
Common causes
Developer convenience
Developers hardcode secrets for quick testing or prototyping and forget to remove them before committing to version control.
Lack of secrets management
The team has no centralised secrets management solution, so developers resort to storing credentials in code or config files.
Committed .env files
Environment files containing production secrets are accidentally committed because .gitignore is missing or misconfigured.
Secrets in CI/CD configs
API keys and tokens are hardcoded in CI/CD pipeline configurations, Dockerfiles, or infrastructure-as-code templates.
How to detect it
Automated detection
- SecPortal's code scanner detects hardcoded API keys, passwords, tokens, and private keys using pattern-based and entropy-based analysis
- Pre-commit hooks with tools like gitleaks or truffleHog prevent secrets from being committed in the first place
- Git history scanning identifies secrets in past commits that may have been removed from the current codebase but persist in history
Manual testing
- Search the codebase for common patterns: "password=", "api_key=", "secret=", "token=", and high-entropy strings
- Review .env.example files and configuration templates for accidentally included real credentials
- Inspect CI/CD pipeline configurations, Dockerfiles, and deployment scripts for embedded secrets
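The two detection approaches mentioned above (keyword patterns such as "password=" and "api_key=", plus an entropy check for bare high-entropy literals) combined in one small scanner. This is an added illustration, not SecPortal's scanner or code from this page; the sample source lines and their "secret" values are constructed, and the keyword list, 32-character minimum and 4.0-bit threshold are assumptions a real tool would tune.

```python
import math
import re

# Assignment-style patterns the page lists: password=, api_key=, secret=, token=.
# No leading \b, so DB_PASSWORD = "..." and AWS_SECRET: "..." are caught too.
ASSIGNMENT_RE = re.compile(
    r'(?i)(password|passwd|api[_-]?key|secret|token)\b\s*[:=]\s*["\']([^"\']{8,})["\']'
)
# Candidate for the entropy check: a long quoted run of base64/hex-like characters.
CANDIDATE_RE = re.compile(r'["\']([A-Za-z0-9+/=_\-]{32,})["\']')
# Obvious dummies that a keyword match alone would otherwise report.
PLACEHOLDERS = {"changeme", "password", "your_api_key_here", "xxxxxxxx"}

def shannon_entropy(s: str) -> float:
    """Bits per character: 0 for a repeated char, roughly 3-4 for words and
    identifiers, 4.5+ for random base64-like material of this length."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_lines(lines, entropy_threshold=4.0):
    """Return (line_no, method, keyword, value) for each suspected secret."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = ASSIGNMENT_RE.search(line)
        if m and m.group(2).lower() not in PLACEHOLDERS:
            findings.append((lineno, "pattern", m.group(1).lower(), m.group(2)))
            continue
        # No keyword: entropy catches secrets passed as bare literals, but the
        # threshold must be high enough to skip long identifiers and paths.
        for cand in CANDIDATE_RE.findall(line):
            if shannon_entropy(cand) >= entropy_threshold:
                findings.append((lineno, "entropy", None, cand))
    return findings

# Constructed sample source, not from any real project; the long values are made up.
SAMPLE_SOURCE = [
    'DB_HOST = "db.internal.example"',
    'DB_PASSWORD = "changeme"',                                   # placeholder, skipped
    'api_key = "Qw7zXp2LmN9aRt4YbV6cUe1KdS8fGh3JiOk5WlA0"',      # keyword hit
    'config_path = "application_configuration_settings_path"',   # long but low entropy
    'sig = sign(payload, "Zy3Hq8WmK1tLv5Rp0Gx7Nb2Jc9Fd4Sa6Ue")',  # entropy-only hit
]

if __name__ == "__main__":
    for lineno, method, keyword, value in scan_lines(SAMPLE_SOURCE):
        # Truncate the value so the scanner report does not itself leak the secret.
        print(f"line {lineno}: {method} {keyword or '-'} {value[:4]}...")
```

Note that the entropy pass alone would flag long camelCase identifiers at a lower threshold, which is why real tools pair it with keyword context and an allowlist rather than relying on either check by itself.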
How to fix it
Use environment variables for all secrets
Store credentials in environment variables that are injected at runtime, never in source code or committed configuration files.
Adopt a secrets management solution
Use tools like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault to centralise, rotate, and audit access to secrets.
Install pre-commit hooks for secret detection
Configure pre-commit hooks with tools like gitleaks or truffleHog to automatically block commits that contain secrets.
Rotate exposed credentials immediately
When a secret is found in code, treat it as compromised. Rotate the credential immediately and audit access logs for unauthorised use.
Maintain proper .gitignore configuration
Ensure .env files, private keys, and credential files are listed in .gitignore. Verify the configuration covers all sensitive file patterns.
Find secrets in your code
SecPortal's SAST scanner powered by Semgrep detects hardcoded API keys, passwords, and tokens. Start scanning for free.