contrib.nodejsscan.hardcoded_secrets.node_api_key

A hardcoded API Key is identified. Store it properly in an environment variable.
Definition
rules:
  - id: node_api_key
    # Purpose: report a string literal assigned to a variable/property whose
    # name looks like an API key. The excluded forms below keep the empty
    # string from being treated as a hardcoded key.
    patterns:
      - pattern-not: $X = ''
      - pattern-not: $OBJ[$X] = ''
      - pattern-not: $OBJ. ... .$X = ''
      # Any non-empty string literal assigned to a plain identifier, a
      # bracketed property, a dotted property, or registered through a
      # `.constant('NAME', '...')` call (e.g. an AngularJS module constant).
      # Note that the literal's value is not inspected: placeholder and
      # sample values are reported as well.
      - pattern-either:
          - pattern: $X = '...'
          - pattern: $OBJ[$X] = '...'
          - pattern: $OBJ. ... .$X = '...'
          - pattern: $F. ... .constant('$X','...')
      # Case-insensitive match on the bound name (api_key / apikey).
      # NOTE(review): neither alternative has a trailing `.*`. Whether a
      # name such as `api_key_prod`, or the quoted key `'api_key'` that
      # `$OBJ[$X]` binds into $X, is still matched depends on how Semgrep
      # anchors metavariable-regex — confirm against the test file.
      - metavariable-regex:
          metavariable: $X
          regex: (?i)(.*api_key|.*apikey)
    message: A hardcoded API Key is identified. Store it properly in an environment variable.
    languages:
      - javascript
    severity: ERROR
    metadata:
      # Low likelihood/confidence: the match is driven by the identifier
      # name alone, so results need manual review (hence the audit
      # subcategory) rather than being treated as confirmed findings.
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      category: security
      subcategory:
        - audit
      cwe:
        - "CWE-798: Use of Hard-coded Credentials"
      cwe2021-top25: true
      cwe2022-top25: true
      owasp:
        - A07:2021 - Identification and Authentication Failures
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_CheatSheet.html
      technology:
        - node.js
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
Examples
hardcoded_secrets.js
// Semgrep test fixture for the nodejsscan hardcoded-secrets rules. Each
// `// ruleid:<rule>` annotation marks the statement directly below it as one
// the named rule must report; statements without an annotation are expected
// NOT to be reported. The file is matched, never executed: `password` is
// redeclared with const/let/var below, which a real JavaScript module would
// reject.
// ruleid:node_password
password = '1212';
// Not flagged: the right-hand side is an identifier or a number rather than a
// string literal. (node_password's definition is not shown here; presumably
// it uses the same string-literal patterns as node_api_key — confirm.)
x = 1;
password = x;
pass = 123;
// ruleid:node_password
PASSWORD = '12211';
// ruleid:node_password
obj['password'] = '121233';
// ruleid:node_password
obj2.password = '1234';
// ruleid:node_password
obj2.pass = '1234';
// ruleid:node_password
obj2["pass"] = '1234';
// Declarations are covered as well as bare assignments.
// ruleid:node_password
const password = '1212';
// ruleid:node_password
let password = '1212';
// ruleid:node_password
var password = '1212';
// Exercised by the `$F. ... .constant('$X','...')` pattern of node_api_key;
// the sample value below is a fixture value, not a live credential.
// ruleid:node_api_key
angular.module('starter.services', [])
.constant('api_key', '6e906986c3b199c51fff3154cfb76979')
// Not flagged: `api_url` is an identifier, not a string literal, and the
// property name does not contain api_key/apikey.
this.apiUrl = api_url;