Recipe Name:
Avoid hardcoded secrets
Description:
Secrets should not be stored in code
Level:
error
Language:
- java
Tags:
- security
- framework specific
- AWS
Documentation
Hardcoded credentials pose a security risk. Because credentials are frequently reused, an attacker with access to a repository that contains hardcoded credentials could use them to compromise other systems and applications. Another possible scenario is that the code ends up being published, making the credentials publicly available to anyone.
One way of safeguarding your AWS session credentials is to store them in environment variables and read them at runtime. This limits the risk of exposure, though only to a certain degree.
Before
AwsSessionCredentials.create("accessKey", "secretKey", "sessionToken");
After
AwsSessionCredentials.create(System.getenv("accessKey"), System.getenv("secretKey"), System.getenv("sessionToken"));
Resources
Recipe
id: scw:aws:hardcoded-secrets
version: 10
metadata:
  name: Avoid hardcoded secrets
  shortDescription: Secrets should not be stored in code
  level: error
  language: java
  scwCategory: insecure_data_storage:plaintext_storage_of_credentials
  enabled: true
  descriptionFile: descriptions/Avoidhardcodedsecrets.html
  tags: security;framework specific;AWS
search:
  methodcall:
    args:
      any:
        value:
          containsUntrustedInput: false
    name: create
    declaration:
      type: software.amazon.awssdk.auth.credentials.AwsSessionCredentials
availableFixes:
  - name: Visit the AWS secretsmanager documentation
    actions:
      - goto:
          type: URL
          value: https://docs.aws.amazon.com/code-samples/latest/catalog/code-catalog-javav2-example_code-secretsmanager.html
          target: self
  - name: Retrieve the secrets from an environment variable
    actions:
      - rewrite:
          to: |-
            software.amazon.awssdk.auth.credentials.AwsSessionCredentials.create(
                java.lang.System.getenv("AWS_ACCESS_KEY_ID"),
                java.lang.System.getenv("AWS_SECRET_ACCESS_KEY"),
                java.lang.System.getenv("AWS_SESSION_TOKEN"))
          target: self
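As an added example (not part of the recipe and not Sensei's own matcher), the following Python script approximates what the recipe's search and its second fix do over Java source text, and runs it over the Before and After snippets above. It assumes that the recipe's containsUntrustedInput: false condition can be stood in for by "the argument is a string literal"; the sample input is constructed.

```python
"""Approximation of the recipe's search and its env-var rewrite over Java source text:
AwsSessionCredentials.create(...) is flagged when an argument is a string literal (our
stand-in for containsUntrustedInput: false). Not Sensei's matcher; sample input is constructed."""
import re
from typing import List, Optional, Tuple

CALL_RE = re.compile(r"(?:[\w.]+\.)?AwsSessionCredentials\.create\s*\(")
STRING_LITERAL_RE = re.compile(r'^"(?:[^"\\]|\\.)*"$')
FIXED_CALL = ("software.amazon.awssdk.auth.credentials.AwsSessionCredentials.create(" + ", ".join(
    f'java.lang.System.getenv("{n}")' for n in ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")) + ")")
# Constructed sample input: the recipe's Before form and its After form.
BEFORE = 'creds = AwsSessionCredentials.create( "accessKey", "secretKey", "sessionToken");'
AFTER = 'creds = AwsSessionCredentials.create(System.getenv("accessKey"), System.getenv("secretKey"), System.getenv("sessionToken"));'

def extract_args(src: str, start: int) -> Optional[Tuple[List[str], int]]:
    """Split the argument list starting just past '(' on top-level commas, honouring nested
    parens and string literals. Returns (args, index after ')') or None if unterminated."""
    args, cur, depth, in_str, i = [], [], 0, False, start
    while i < len(src):
        ch = src[i]
        if not in_str and depth == 0 and ch == ")":      # closes the create( call
            args.append("".join(cur).strip())
            return [a for a in args if a], i + 1
        if not in_str and depth == 0 and ch == ",":
            args.append("".join(cur).strip()); cur = []
        else:
            cur.append(ch)
            if in_str:
                if ch == "\\" and i + 1 < len(src):   # keep the escaped char, e.g. \"
                    cur.append(src[i + 1]); i += 1
                elif ch == '"':
                    in_str = False
            elif ch == '"':
                in_str = True
            elif ch in "()":
                depth += 1 if ch == "(" else -1
        i += 1
    return None                                          # partial snippet: no closing paren

def scan(src: str):
    """Return (rewritten_src, flagged_args): each create(...) call passing a string literal
    is replaced by the recipe's env-var form and its original argument list is recorded."""
    out, pos, flagged = [], 0, []
    for m in CALL_RE.finditer(src):
        found = extract_args(src, m.end())
        if found and m.start() >= pos and any(STRING_LITERAL_RE.match(a) for a in found[0]):
            flagged.append(found[0])
            out.append(src[pos:m.start()] + FIXED_CALL); pos = found[1]
    return "".join(out) + src[pos:], flagged
```

The After form is left untouched because its arguments are getenv calls, not literals; an unterminated call (a partial snippet) is skipped rather than rewritten.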