Detect hard-coded passwords
Hard-coded passwords are a critical security issue: a credential committed to source code is visible to everyone who can read the repository or obtains a copy of its history, and an attacker who finds it can use it to access the protected system and leak sensitive data.
Starting from version 2024.2, Qodana provides the HardcodedPasswords inspection, which detects hard-coded passwords in JavaScript and TypeScript, Java, Kotlin and Groovy, PHP, Go, Python, C#, JSON, YAML, and XML files.
Note: The HardcodedPasswords inspection analyzes only files that are tracked in Git and have the "unchanged" status, that is, committed files without local modifications.
By default, the HardcodedPasswords inspection reports variables whose values match its built-in regex rules for hard-coded passwords. To also report any variable whose name looks suspicious (for example, token or password) and whose value is a constant string, add the following to the qodana.yaml file:

hardcodedPasswords:
  reportDefaultSuspiciousVariableNames: true
You can specify your own regex rules to detect hard-coded passwords by adding them to the hardcodedPasswords section of the qodana.yaml file. Write the patterns as single-quoted YAML strings: inside double quotes YAML processes backslash escapes, so \d is rejected as an unknown escape and \b is turned into a backspace character instead of a regex word boundary. For example:

hardcodedPasswords:
  # regex rules for variable values to report as a hard-coded password
  variableValues:
    - '(?i)(xoxe-\d-[A-Z0-9]{146})'
    - 'perm:(?<clearSecret>[a-zA-Z=.0-9]{96}|[a-zA-Z=.0-9]{64})'
  # regex rules for variable names to report as a hard-coded password
  variableNames:
    - 'password'
  # regex rules for variable values to ignore (not report)
  ignoreVariableValues:
    - 'do-not-report-this-value'
  # regex rules for variable names to ignore (not report)
  ignoreVariableNames:
    - '^(?=.*\bteamcity\b)(?=.*\bkey\b).*$'
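To make the rule semantics concrete, here is an added Python illustration that applies the four rule lists from the example above to a constructed code snippet. It is not Qodana's code and does not reproduce how Qodana parses source files: it assumes unanchored search semantics for every rule, that ignore rules take precedence over report rules, a toy matcher for `name = "literal"` assignments, and a stand-in list of default suspicious names (Qodana's built-in list is not published on this page). The page's `(?<clearSecret>...)` group is written in the `(?P<...>)` form that Python's re module requires.

```python
import re
from dataclasses import dataclass

# Rules copied from the qodana.yaml example above. Python raw strings keep the
# backslashes intact; the (?<clearSecret>...) group is written as (?P<...>) for re.
VARIABLE_VALUES = [
    r"(?i)(xoxe-\d-[A-Z0-9]{146})",
    r"perm:(?P<clearSecret>[a-zA-Z=.0-9]{96}|[a-zA-Z=.0-9]{64})",
]
VARIABLE_NAMES = [r"password"]
IGNORE_VARIABLE_VALUES = [r"do-not-report-this-value"]
IGNORE_VARIABLE_NAMES = [r"^(?=.*\bteamcity\b)(?=.*\bkey\b).*$"]

# Stand-in for reportDefaultSuspiciousVariableNames. This list is an assumption made
# for the example; Qodana's built-in list of suspicious names is not shown on this page.
DEFAULT_SUSPICIOUS_NAMES = [r"(?i)token", r"(?i)password", r"(?i)secret"]

# Toy assignment matcher: `name = "literal"` or `name: 'literal'`, optionally preceded by
# a declaration keyword. Only constant string values count, as the page describes. This
# is a simplification for the example, not how Qodana parses source files.
ASSIGN_RE = re.compile(
    r"""^\s*(?:(?:const|let|var|val)\s+)?([A-Za-z_][\w.-]*)\s*[:=]\s*(["'])([^"']*)\2"""
)


@dataclass
class Finding:
    line_no: int
    name: str
    rule: str  # which rule family produced the report


def _matches(patterns: list[str], text: str) -> bool:
    # Assumption: rules use unanchored search semantics, which is why the page's
    # ignoreVariableNames rule anchors itself with ^ and $.
    return any(re.search(p, text) for p in patterns)


def scan(source: str, report_default_names: bool = False) -> list[Finding]:
    """Apply the rule sets to every `name = "literal"` line and return what would be reported."""
    findings: list[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(3)
        # Assumption: ignore rules win over report rules.
        if _matches(IGNORE_VARIABLE_NAMES, name) or _matches(IGNORE_VARIABLE_VALUES, value):
            continue
        if _matches(VARIABLE_VALUES, value):
            findings.append(Finding(line_no, name, "variableValues"))
        elif _matches(VARIABLE_NAMES, name):
            findings.append(Finding(line_no, name, "variableNames"))
        elif report_default_names and _matches(DEFAULT_SUSPICIOUS_NAMES, name):
            findings.append(Finding(line_no, name, "defaultSuspiciousVariableNames"))
    return findings


# Constructed sample input (not real credentials; the token bodies are filler characters).
SAMPLE = "\n".join([
    'slack_bot = "xoxe-1-' + "A" * 146 + '"',     # 1: value rule fires although the name is bland
    'password = "hunter2"',                         # 2: name rule fires
    'password = "do-not-report-this-value"',        # 3: suppressed by ignoreVariableValues
    'teamcity.api.key = "perm:' + "b" * 64 + '"',   # 4: suppressed by ignoreVariableNames
    'teamcity_api_key = "perm:' + "b" * 64 + '"',   # 5: NOT suppressed: \b does not match next to "_"
    'api_token = "abc123"',                         # 6: reported only with reportDefaultSuspiciousVariableNames
    'user = "alice"',                               # 7: clean
])

if __name__ == "__main__":
    for f in scan(SAMPLE, report_default_names=True):
        print(f"line {f.line_no}: {f.name} ({f.rule})")
```

Line 5 of the sample shows the check worth doing before you rely on an ignore rule: the `\b` word boundaries in the page's ignoreVariableNames pattern do not match inside `teamcity_api_key`, because `_` is a word character, so a snake_case name is still reported while `teamcity.api.key` is suppressed. Test ignore patterns against the naming conventions your code base actually uses.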
To make Qodana run the inspection with your custom setup, also enable HardcodedPasswords in the include section of the qodana.yaml file:

include:
  - name: "HardcodedPasswords"