How to resolve hardcoded passwords
Question
The SAST scan has identified hardcoded passwords in my configuration and/or code files. How do I resolve this issue?
Answer
Hardcoding a password into a source file, especially in a compiled language, is a problem because changing the credential then requires changing, rebuilding and redeploying the code.
The obvious fix is to move the credential into a configuration file so it can be changed without touching the code. This has its own problems, however. If the credential is stored in plain text (whether in the code file or in the configuration file), it is exposed to other developers and to anyone else who has access to the source code.
Secrets such as passwords, keys, and other credentials should be kept in a secrets manager and injected only when the application is deployed. If that is not an option and the credential must live in the configuration file, it must be stored there in encrypted form.
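The following is an added example, not code from the original article: a small check that flags plaintext secret values in a constructed sample config (treating `${NAME}` placeholders and an assumed `ENC(...)` ciphertext wrapper as acceptable), beside a loader that reads the secret by name from the deploy-time environment and fails closed instead of falling back to a literal.

```python
import os
import re

# Constructed sample config, the kind of file a SAST finding points at.
SAMPLE_CONFIG = """\
db.host=db.internal
db.user=app
db.password=hunter2
api.token=${API_TOKEN}
smtp.password=ENC(c2FtcGxl)
"""

# Keys whose values must never be plaintext literals.
SECRET_KEY_RE = re.compile(r"(password|passwd|secret|token|api[_.]?key)$", re.I)
# Values that are references, not secrets: a deploy-time placeholder (${NAME})
# or ciphertext marked with an ENC(...) wrapper (assumed convention).
PLACEHOLDER_RE = re.compile(r"^(\$\{[A-Za-z_][A-Za-z0-9_]*\}|ENC\(.+\))$")


def find_plaintext_secrets(config_text):
    """Return (line_no, key) for every secret-looking key holding a literal value."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if SECRET_KEY_RE.search(key) and value and not PLACEHOLDER_RE.match(value):
            findings.append((no, key))
    return findings


class MissingSecret(RuntimeError):
    """Raised when a required secret was not injected at deploy time."""


def load_secret(name, env=None):
    """Read a secret by name from the deploy-time environment; no default value."""
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise MissingSecret(f"required secret {name} is not set")
    return value


def db_url(env=None):
    # Hardened form: the code knows the secret's name, never its value.
    return f"postgres://app:{load_secret('APP_DB_PASSWORD', env)}@db.internal/app"


if __name__ == "__main__":
    for no, key in find_plaintext_secrets(SAMPLE_CONFIG):
        print(f"line {no}: {key} holds a plaintext secret")
```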
Resolving repository history
Fixing a secret that has been checked into a source code repository is more involved than removing it from the source and checking in a new version. The secret is now part of the repository's history, so it is still exposed.
The secret that was checked in should be invalidated and replaced with a new one.
The repository’s history should also be updated to remove the secret. For information on how this can be done with Git and in GitHub, please see: