contrib.nodejsscan.jwt_hardcoded.hardcoded_jwt_secret
returntocorpAuthor
99
Download Count*
License
Hardcoded JWT secret was found. Store it properly in an environment variable.
Run Locally
Run in CI
Defintion
rules:
- id: hardcoded_jwt_secret
patterns:
- pattern-either:
- pattern: |
$JWT = require("jsonwebtoken");
...
$JWT.sign($P, "...", ...);
- pattern: |
$JWT = require("jsonwebtoken");
...
$JWT.verify($P, "...", ...);
- pattern: |
$JWT = require("jsonwebtoken");
...
$SECRET = "...";
...
$JWT.sign($P, $SECRET, ...);
- pattern: |
$JWT = require("jsonwebtoken");
...
$SECRET = "...";
...
$JWT.verify($P, $SECRET, ...);
- pattern: |
$JOSE = require("jose");
...
$JOSE.JWT.sign($P, "...", ...);
- pattern: |
$JOSE = require("jose");
...
$JOSE.JWT.verify($P, "...", ...);
- pattern: |
$JOSE = require("jose");
...
$JOSE.JWT.sign($P, $JOSE.JWK.asKey("..."), ...);
- pattern: |
$JOSE = require("jose");
...
$JOSE.JWT.verify($P, $JOSE.JWK.asKey("..."), ...);
- pattern: |
$JOSE = require("jose");
...
$SECRET = "...";
...
$JOSE.JWT.sign($P, $SECRET, ...);
- pattern: |
$JOSE = require("jose");
...
$SECRET = "...";
...
$JOSE.JWT.verify($P, $SECRET, ...);
- pattern: |
$JOSE = require("jose");
...
$SECRET = "...";
...
$JOSE.JWT.sign($P, $JOSE.JWK.asKey($SECRET), ...);
- pattern: |
$JOSE = require("jose");
...
$SECRET = "...";
...
$JOSE.JWT.verify($P, $JOSE.JWK.asKey($SECRET), ...);
message: Hardcoded JWT secret was found. Store it properly in an environment
variable.
languages:
- javascript
severity: ERROR
metadata:
owasp: A03:2017 - Sensitive Data Exposure
cwe: "CWE-798: Use of Hard-coded Credentials"
category: security
technology:
- node.js
- jwt
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
Short Link: https://sg.run/7o6G