Potential information leak through comments

ID: comments

Severity: low

Vendor: -

Family: Generic secret

Description

This detector looks for potential secrets hardcoded in source code or configuration comments.

Context is important: to reduce the false-positive rate, the candidate string must be preceded by a keyword that qualifies it as a possible secret (for example "password" or "api key").

Security

Developers sometimes leave a password or an access key in a source-code comment, used during development, and forget to remove it later.

The secret, although commented-out, is sensitive information that should not be disclosed.

Examples

# db password: K3XzyZJGQCr00
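As an added illustration, not the detector's own implementation, the following Python scanner applies the rule described above: only comment lines are considered, and a candidate string is reported only when a qualifying keyword precedes it. The comment syntaxes, keyword list, minimum length and sample input are assumptions constructed for this example.

```python
import re

# Comment prefixes for common source and config formats (assumption: the
# real detector's grammar is not documented here; this set is illustrative).
COMMENT_RE = re.compile(r'^\s*(?:#|//|--|;|/\*|\*)\s*(?P<body>.*)$')

# A qualifying keyword must precede the candidate (the page's rule for
# cutting false positives); the keyword list itself is an assumption.
KEYWORDS = r'(?:password|passwd|pwd|secret|token|api[_ -]?key|access[_ -]?key)'
CANDIDATE_RE = re.compile(
    KEYWORDS + r'\s*[:=]\s*[\'"]?(?P<secret>[A-Za-z0-9+/_-]{8,})[\'"]?',
    re.IGNORECASE,
)


def find_commented_secrets(text):
    """Return (line_number, candidate) pairs found in comment lines only."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = COMMENT_RE.match(line)
        if not m:
            continue  # code lines are out of scope for this detector
        c = CANDIDATE_RE.search(m.group('body'))
        if c:
            findings.append((lineno, c.group('secret')))
    return findings


# Constructed sample input: two commented secrets, one commented keyword
# without a value, and one assignment outside a comment (not reported).
SAMPLE = """\
import os
# db password: K3XzyZJGQCr00
DB_USER = os.environ["DB_USER"]
// TODO: rotate api_key = "sk_test_constructed_ABCDEFGH"
# password = see vault
password = "not_a_comment_so_not_reported"
"""

if __name__ == "__main__":
    for lineno, secret in find_commented_secrets(SAMPLE):
        print(f"line {lineno}: possible secret in comment: {secret}")
```

The keyword requirement is what keeps lines such as `# password = see vault` out of the results; an assignment outside a comment is left to other detectors.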

Mitigation / Fix

  1. Remove the commented secret from the source code or committed configuration file.

  2. Follow your policy for handling leaked secrets, which may require revoking the secret in the target system(s).

  3. If the file is tracked in a git repository, you can remove unwanted content from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.

  4. Check access logs to ensure that the secret was not used by unintended actors during the period it was exposed.