Qodana 2024.3 Help

Detect hard-coded passwords

Hard-coded passwords are a critical security issue. When exposed, the attacker can leak data and access sensitive information.

Starting from version 2024.2, Qodana provides the HardcodedPasswords inspection that detects hard-coded passwords and covers the following languages: JavaScript and TypeScript, Java, Kotlin, and Groovy, PHP, Golang, Python, C#, JSON, YAML, and XML.

How it works

By default, the HardcodedPasswords inspection reports variables with values matching built-in regex rules for hard-coded passwords. To report any variable with a suspicious name like token or password and a constant string value, add the following configuration in the qodana.yaml file:

hardcodedPasswords: reportDefaultSuspiciousVariableNames: true

You can specify your own regex rules to detect hard-coded passwords by saving them in the qodana.yaml file, for example:

hardcodedPasswords: # regex rules for variable values to report as hardcoded password variableValues: - "(?i)(xoxe-\d-[A-Z0-9]{146})" - "perm:(?<clearSecret>[a-zA-Z=.0-9]{96}|[a-zA-Z=.0-9]{64})" # regex rules for variable names to report as hardcoded password variableNames: - "password" # regex rules for variable values to ignore (not report) as hardcoded password ignoreVariableValues: - "do-not-report-this-value" # regex rules for variable names to ignore (not report) as hardcoded password ignoreVariableNames: - "^(?=.*\bteamcity\b)(?=.*\bkey\b).*$"

To enable your custom hard-coded password setup, save the HardcodedPasswords configuration in the qodana.yaml file:

include: - name: "HardcodedPasswords"
Last modified: 25 September 2024