Hardcoded Secrets in Code
What is Hardcoded Secrets in Code?
Embedding credentials, API keys, tokens, or cryptographic material directly in source code, configuration files, or container images, where they are easily discovered and abused.
Hardcoded secrets are one of the most common and damaging mistakes in modern development. They end up in Git history, container layers, mobile apps, CI logs, and public repositories, where bots scan them within minutes. Real-world exposures include AWS keys committed to GitHub, Slack tokens in client-side bundles, and database passwords baked into Docker images. Mitigations combine prevention (developer education, pre-commit hooks, IDE plugins, .gitignore patterns), detection (secret scanning in repos and CI such as GitHub secret scanning, Gitleaks, TruffleHog), and centralised secret management (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, Kubernetes External Secrets). When detected, secrets must be rotated immediately, not just deleted from history.
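The detection half of the mitigation above (a pre-commit hook or CI scanner of the Gitleaks/TruffleHog kind) is easy to reason about from a small model. The following is an added example, not code from this page or from any of the tools it names: a toy scanner that applies a few regex rules (the AWS access key ID prefix, a Slack-style token shape, and keyword assignments such as `PASSWORD = "..."`), falls back to a Shannon-entropy heuristic for long string literals, and suppresses obvious placeholders so the hook does not block every test fixture. The sample source it scans, the key and token values in it, and the `load_secret` helper that shows the hardened alternative (read the value from the environment or a secret manager and fail loudly if it is missing) are all constructed for this example.

```python
"""Toy pre-commit secret scanner: regex rules + entropy heuristic + allowlist.

Added example, not any real tool's code. All sample values are constructed.
"""
import math
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    value: str


# Rule table: group 1 captures the suspected secret value.
RULES = {
    # AWS access key IDs start with "AKIA" followed by 16 upper-case alphanumerics.
    "aws-access-key-id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    # Approximate shape of Slack tokens (xoxb-/xoxp-/xoxa-/xoxr- prefix).
    "slack-token": re.compile(r"\b(xox[abpr]-[0-9A-Za-z-]{10,})\b"),
    # Any assignment of a quoted literal to a variable whose name smells like a secret.
    "keyword-assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api_?key|token)\w*\s*[:=]\s*[\"']([^\"']{6,})[\"']"
    ),
}

# Markers of obvious placeholders; matches containing them are not reported.
ALLOWLIST_MARKERS = ("placeholder", "changeme", "redacted", "<your-")

# Long base64/hex-ish string literals are candidates for the entropy check.
STRING_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/=_\-]{20,})[\"']")
ENTROPY_THRESHOLD = 3.5  # bits per character; random-looking tokens sit well above this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character over the string's own symbol frequencies."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_allowlisted(value: str) -> bool:
    lowered = value.lower()
    return any(marker in lowered for marker in ALLOWLIST_MARKERS)


def scan_source(text: str) -> list[Finding]:
    """Scan source text line by line; rules first, entropy only for unflagged lines."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES.items():
            for match in pattern.finditer(line):
                value = match.group(1)
                if not is_allowlisted(value):
                    findings.append(Finding(line_no, name, value))
        if any(f.line_no == line_no for f in findings):
            continue  # already reported by a precise rule; skip the noisy heuristic
        for match in STRING_LITERAL.finditer(line):
            value = match.group(1)
            if not is_allowlisted(value) and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "high-entropy-string", value))
    return findings


def load_secret(name: str, env: dict[str, str]) -> str:
    """Hardened pattern: secrets arrive at runtime (env var, mounted file, secret
    manager), never as a literal in the repository. Missing values fail loudly."""
    value = env.get(name)
    if not value:
        raise RuntimeError(f"{name} not provided; inject it from your secret manager")
    return value


# Constructed sample "source file". None of these values are real credentials.
SAMPLE_SOURCE = """\
import os
AWS_ACCESS_KEY_ID = "AKIAEXAMPLE000000000"
AWS_SECRET_ACCESS_KEY = "Sv7Q2xKp9LmN4tRw8YbZ1cDf3GhJ6kVe0XyAqPuT"
DB_PASSWORD = "hunter2"
API_TOKEN = os.environ["API_TOKEN"]
slack_token = "xoxb-000000000000-000000000000-placeholder"
HMAC_MATERIAL = "Zq8Lp2Xv9Rt4Hn6Bm1Cw3Yd5Fk7Jg0SaUeIoPlMn"
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.rule}: {f.value[:8]}...")
```

Line 5 of the sample (`os.environ[...]`) and the placeholder Slack token on line 6 produce no findings, which is the behaviour a hook needs to stay usable; the keyword rule catches a short password the entropy check would never see, and the entropy check catches a long random literal whose variable name gives nothing away. Any hit in a real scanner means rotating the credential, not only rewriting history, because clones and CI logs may already hold it.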
● Examples
- 01
AWS access key committed to a public GitHub repository and abused within minutes.
- 02
OAuth client secret embedded in a mobile app binary.
● Frequently asked questions
What is Hardcoded Secrets in Code?
Embedding credentials, API keys, tokens, or cryptographic material directly in source code, configuration files, or container images, where they are easily discovered and abused. It belongs to the Application Security category of cybersecurity.
What does Hardcoded Secrets in Code mean?
Embedding credentials, API keys, tokens, or cryptographic material directly in source code, configuration files, or container images, where they are easily discovered and abused.
How does Hardcoded Secrets in Code work?
Hardcoded secrets are one of the most common and damaging mistakes in modern development. They end up in Git history, container layers, mobile apps, CI logs, and public repositories, where bots scan them within minutes. Real-world exposures include AWS keys committed to GitHub, Slack tokens in client-side bundles, and database passwords baked into Docker images. Mitigations combine prevention (developer education, pre-commit hooks, IDE plugins, .gitignore patterns), detection (secret scanning in repos and CI such as GitHub secret scanning, Gitleaks, TruffleHog), and centralised secret management (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, Kubernetes External Secrets). When detected, secrets must be rotated immediately, not just deleted from history.
How do you defend against Hardcoded Secrets in Code?
Defences for Hardcoded Secrets in Code combine technical controls (pre-commit hooks and IDE plugins that block commits, secret scanning in repositories and CI, and centralised secret managers that inject credentials at runtime) with operational practices (developer education and immediate rotation of any secret that has been exposed), as detailed in the full definition above.
What are other names for Hardcoded Secrets in Code?
Common alternative names include: Hardcoded credentials, Secret leakage in code.
● Related terms
- identity-access№ 233
Credential Vault
A centralized, audited service that securely stores, rotates, and brokers access to secrets such as passwords, API keys, certificates, and SSH keys.
- appsec№ 982
Secure Coding
The practice of writing source code in ways that minimize security defects, following defensive patterns, language-specific rules and recognized guidelines.
- appsec№ 166
CI/CD Security
The set of controls protecting continuous integration and continuous delivery pipelines from compromise, code injection, secret leakage, and unauthorized deployments.
- appsec№ 1069
Software Supply Chain Security
The discipline of protecting every link of the software production chain - source, dependencies, build, signing, distribution, and deployment - against tampering, malicious code, and integrity loss.
- appsec№ 444
GitOps Security
Security practices for GitOps workflows, where the declarative desired state of infrastructure and applications is stored in Git and reconciled into production by an automated controller.
- compliance№ 781
OWASP Top 10
An OWASP awareness document that lists the most critical security risks to web applications, updated periodically from real-world vulnerability data.