Use of Hard-coded Password

ID

scala.password.scala_password_rule_hardcodepassword

Severity

high

Resource

Password

Language

Scala

Description

A potential hard-coded password was identified in the source code. Passwords should not be stored directly in code but loaded at runtime from a secure location such as a Key Management System (KMS).

The purpose of using a Key Management System is that access to the secret can be audited and keys can be rotated easily in the event of a breach. With a hard-coded password it is extremely difficult to determine when, or if, a key has been compromised.

The recommendation on which KMS to use depends on the environment the application is running in:

Remediation

Follow secure coding practices and review the references below for detailed remediation guidance.
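As an added illustration, not part of this rule's own documentation, the following Scala shows the pattern the detector reports beside a remediated form that takes the secret from the runtime environment (populated by a KMS or secrets-manager integration at deploy time) and fails closed when it is absent. The object names, the `DB_PASSWORD` variable name and the placeholder literal are assumptions.

```scala
// Added example, not code from the rule page. Names are assumptions.

object HardcodedExample {
  // Flagged by this rule: a credential literal committed to source control.
  // It cannot be rotated without a new release and its use cannot be audited.
  val dbPassword: String = "s3cr3t-example" // constructed placeholder value
}

object RemediatedExample {
  // Still a hard-coded password: a default fallback ships a credential in the
  // binary and silently masks a missing deployment secret. Do not do this.
  // val dbPassword = sys.env.getOrElse("DB_PASSWORD", "changeme")

  // Wrapper that keeps the secret out of logs, toString output and exceptions.
  final class Secret(private val value: String) {
    def use[A](f: String => A): A = f(value)
    override def toString: String = "Secret(***)"
  }

  // Remediated: read the secret injected at runtime (assumed env variable
  // DB_PASSWORD, filled from the KMS / secrets manager) and fail closed if it
  // is unset or blank instead of falling back to a literal.
  def loadDbPassword(env: Map[String, String] = sys.env): Secret =
    env.get("DB_PASSWORD").map(_.trim).filter(_.nonEmpty) match {
      case Some(pw) => new Secret(pw)
      case None =>
        throw new IllegalStateException(
          "DB_PASSWORD is not set; inject it from the secrets manager")
    }

  def main(args: Array[String]): Unit = {
    // Constructed inputs: one deployment with the secret present, one without.
    val present = loadDbPassword(Map("DB_PASSWORD" -> "from-secrets-manager"))
    println(present)                       // prints Secret(***), never the value
    println(present.use(_.length))         // secret used only inside a closure

    val missing = scala.util.Try(loadDbPassword(Map.empty))
    println(missing.isFailure)             // true: startup fails closed
  }
}
```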

Configuration

This detector does not need any configuration.