javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret


A hard-coded credential was detected: the `secret` option passed to express-jwt is a string literal, either written inline or held in a variable that was assigned a literal. Credentials should not be stored in source code, because anyone who can read the repository, its history, or a built artifact obtains them; for a shared (HMAC) JWT secret that means an adversary can mint tokens that pass this middleware's verification. Provide the secret through an environment variable or fetch it at runtime from a secrets manager/vault or an HSM (Hardware Security Module), and rotate any secret that has already been committed rather than merely removing it from the code.


Definition

# Semgrep rule: flags an express-jwt middleware whose `secret` option is a
# string literal, either written inline in the options object or held in a
# variable that was assigned a string literal earlier in the same statement
# sequence. The finding is reported on the literal itself.
rules:
  - id: express-jwt-hardcoded-secret
    message: A hard-coded credential was detected. It is not recommended to store
      credentials in source-code, as this risks secrets being leaked and used by
      either an internal or external malicious adversary. It is recommended to
      use environment variables to securely provide credentials or retrieve
      credentials from a secure vault or HSM (Hardware Security Module).
    # NOTE(review): `interfile` is a Pro-engine option; without it, matching is
    # presumably confined to a single file, so the import and the call below
    # must be in the same file — confirm against the engine in use.
    options:
      interfile: true
    metadata:
      interfile: true
      cwe:
        - "CWE-798: Use of Hard-coded Credentials"
      references:
        - https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
      owasp:
        - A07:2021 - Identification and Authentication Failures
      category: security
      technology:
        - express
        - secrets
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: HIGH
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Hard-coded Secrets
    languages:
      - javascript
      - typescript
    severity: WARNING
    # All three sub-patterns must hold: (1) express-jwt is bound to $JWT by one
    # of the accepted import forms, (2) $JWT is called with a literal secret,
    # (3) the match is narrowed to the literal so the finding points at it.
    patterns:
      # (1) Accepted ways of bringing express-jwt into scope. The destructured
      #     form also covers a named export, e.g.
      #     `import { expressjwt } from 'express-jwt'`.
      - pattern-either:
          - pattern-inside: |
              $JWT = require('express-jwt');
              ...
          - pattern-inside: |
              import $JWT from 'express-jwt';
              ...
          - pattern-inside: |
              import * as $JWT from 'express-jwt';
              ...
          - pattern-inside: |
              import { ..., $JWT, ... } from 'express-jwt';
              ...
      # (2) The sink. Both shapes require an object literal as the first
      #     argument and a plain string literal as the secret (directly, or
      #     via a variable assigned a literal). Not matched by these shapes:
      #     a literal fallback such as `process.env.X || 'dev'`, and an options
      #     object built elsewhere (e.g. Object.assign) and passed by name —
      #     see the unannotated third case in the example file. Other
      #     literal-like forms (template literals, `Buffer.from('...')`) are
      #     probably missed as well — verify with a test case before relying
      #     on this rule for them.
      - pattern-either:
          - pattern: |
              $JWT({...,secret: "$Y",...},...)
          - pattern: |
              $OPTS = "$Y";
              ...
              $JWT({...,secret: $OPTS},...);
      # (3) Report on the literal rather than the whole middleware call.
      - focus-metavariable: $Y

Examples

express-jwt-hardcoded-secret.js

var jwt = require('express-jwt');

// Inline string literal in the `secret` option: matched by the first sink
// pattern. With focus-metavariable $Y the finding lands on this same line,
// so the annotation must stay directly above it.
// ruleid: express-jwt-hardcoded-secret
app.get('/protected', jwt({ secret: 'shhhhhhared-secret' }), function(req, res) {
    if (!req.user.admin) return res.sendStatus(401);
    res.sendStatus(200);
});

// Literal assigned to a variable that is later used as the secret: matched by
// the second sink pattern (`$OPTS = "$Y"; ... $JWT({..., secret: $OPTS}, ...)`).
// The finding is reported on the literal, i.e. the assignment line below,
// not on the app.get call.
// ruleid: express-jwt-hardcoded-secret
let hardcodedSecret = 'shhhhhhared-secret'

app.get('/protected2', jwt({ secret: hardcodedSecret }), function(req, res) {
    
    if (!req.user.admin) return res.sendStatus(401);
    res.sendStatus(200);
});

// Known false negative: the secret is still a literal, but the options object
// is assembled with Object.assign and passed to jwt() by name, so neither
// sink pattern (both require an object literal as the first argument) fires.
// Recorded as a todo so the test harness reports it as a known miss rather
// than silently treating it as a correct non-match.
// todoruleid: express-jwt-hardcoded-secret
let secret = "hardcode"

const opts = Object.assign({issuer: 'http://issuer'}, {secret: secret})

app.get('/protected3', jwt(opts), function(req, res) {
    if (!req.user.admin) return res.sendStatus(401);
    res.sendStatus(200);
});

// Secret read from the environment at runtime: `process.env.SECRET` is not a
// string literal, so neither sink pattern matches. (A literal fallback such
// as `process.env.SECRET || 'dev'` would also go unflagged by this rule.)
// ok: express-jwt-hardcoded-secret
app.get('/ok-protected', jwt({ secret: process.env.SECRET }), function(req, res) {
    if (!req.user.admin) return res.sendStatus(401);
    res.sendStatus(200);
});


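// Secret fetched from a config store at runtime and merged into an options
// object: not a literal, so no finding is expected.
// The options object is named `okOpts` because `opts` is already declared
// with `const` earlier in this file; a second top-level `const opts` would be
// a redeclaration SyntaxError in any JS engine even though Semgrep's parser
// tolerates it. The rename does not affect what the rule matches.
const configSecret = config.get('secret')
const okOpts = Object.assign({issuer: 'http://issuer'}, {secret: configSecret})

// ok: express-jwt-hardcoded-secret
app.get('/ok-protected', jwt(okOpts), function(req, res) {
    if (!req.user.admin) return res.sendStatus(401);
    res.sendStatus(200);
});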