Skip to main content

Hard-Coded Secrets

Why is this important?

All modern applications rely on certain secrets to run. These secrets may be database connection strings, API keys, or cryptographic keys. Keeping these secrets safe is critical to the security of the application.

If secrets are part of your source code, then the whole team has access to them. Worse, if the code is public, then everyone has access to them. Code can be public, if it's on a public Github repository, or bundled with your application, e.g. your Android app. This has led to many high-profile breaches.

Read below to find out how to fix this issue in your code.

Fixing Hard-coded Secrets

Option A: Use Environment Variables

  1. Go through the issues that GuardRails identified in the PR.

  2. If there are false positives, you can ignore lines or files.

  3. Install BFG filter.

  4. Remove the identified secrets from version control.

    # Warning: This is a destructive action.
    # To remove files containing sensitive data, run:
    bfg --delete-files YOUR-FILE-WITH-SENSITIVE-DATA
    # To replace all text listed in `passwords.txt` everywhere in your repository's history, run:
    bfg --replace-text passwords.txt
    # Warning, make sure that this is not a common word, that would replace other things.
  5. Rotate/change the identified passwords, API keys, or cryptographic keys.

  6. Replace the hard-coded secrets with an according environment variable placeholder. See below for references on how this can be done for common CI systems and usecases.

  7. Test it and ensure that the app is still working as expected.

  8. Ship it 🚢

More information