Sensei Hub

Recipe - Avoid hardcoded secrets

Description:
Secrets should not be stored in code
Level:
error
Language:
  • java
Tags:
  • security
  • framework specific
  • AWS
Documentation

Hardcoded credentials pose a security risk. Because credentials are frequently reused, an attacker with access to a repository that contains hardcoded credentials could use them to compromise other systems or applications. The code could also end up being published, which would make the credentials available to anyone.

One way to safeguard your AWS session credentials is to store them in environment variables. This limits the risk of exposure to a certain degree.

Before
AwsSessionCredentials.create(
    "accessKey",
    "secretKey",
    "sessionToken");
After
AwsSessionCredentials.create(
    System.getenv("accessKey"),
    System.getenv("secretKey"),
    System.getenv("sessionToken"));
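`System.getenv` returns `null` when a variable is not set, so the "After" form fails inside the SDK call unless the lookup is checked first. The following is an added example, not code from Sensei or the AWS SDK: the class `EnvSessionCredentials` and its helper `required` are hypothetical names, and the variable names are the ones used by the recipe's rewrite fix.

```java
import java.util.HashMap;
import java.util.Map;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;

// Hypothetical helper class for illustration (not part of the AWS SDK or the recipe).
public final class EnvSessionCredentials {

    private EnvSessionCredentials() {}

    /** Builds a credentials provider from the process environment. */
    public static AwsCredentialsProvider fromEnvironment() {
        return fromEnvironment(System.getenv());
    }

    /** Same lookup with the environment passed in, so it can be exercised with sample data. */
    static AwsCredentialsProvider fromEnvironment(Map<String, String> env) {
        AwsSessionCredentials credentials = AwsSessionCredentials.create(
                required(env, "AWS_ACCESS_KEY_ID"),
                required(env, "AWS_SECRET_ACCESS_KEY"),
                required(env, "AWS_SESSION_TOKEN"));
        return StaticCredentialsProvider.create(credentials);
    }

    // Fail early on an unset or blank variable. The message names the
    // variable only; the secret value is never logged or echoed.
    private static String required(Map<String, String> env, String name) {
        String value = env.get(name);
        if (value == null || value.trim().isEmpty()) {
            throw new IllegalStateException("Missing environment variable: " + name);
        }
        return value;
    }

    public static void main(String[] args) {
        // Constructed sample environment with placeholder values, not real credentials.
        Map<String, String> sample = new HashMap<>();
        sample.put("AWS_ACCESS_KEY_ID", "constructed-access-key-id");
        sample.put("AWS_SECRET_ACCESS_KEY", "constructed-secret-key");
        try {
            fromEnvironment(sample); // AWS_SESSION_TOKEN is absent
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());
        }
        sample.put("AWS_SESSION_TOKEN", "constructed-session-token");
        AwsCredentialsProvider provider = fromEnvironment(sample);
        System.out.println(provider.resolveCredentials().accessKeyId());
    }
}
```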
Resources
Recipe
id: scw:aws:hardcoded-secrets
version: 10
metadata:
  name: Avoid hardcoded secrets
  shortDescription: Secrets should not be stored in code
  level: error
  language: java
  scwCategory: insecure_data_storage:plaintext_storage_of_credentials
  enabled: true
  descriptionFile: descriptions/Avoidhardcodedsecrets.html
  tags: security;framework specific;AWS
search:
  methodcall:
    args:
      any:
        value:
          containsUntrustedInput: false
    name: create
    declaration:
      type: software.amazon.awssdk.auth.credentials.AwsSessionCredentials
availableFixes:
- name: Visit the AWS secretsmanager documentation
  actions:
  - goto:
      type: URL
      value: https://docs.aws.amazon.com/code-samples/latest/catalog/code-catalog-javav2-example_code-secretsmanager.html
      target: self
- name: Retrieve the secrets from an environment variable
  actions:
  - rewrite:
      to: |-
        software.amazon.awssdk.auth.credentials.AwsSessionCredentials.create(
        java.lang.System.getenv("AWS_ACCESS_KEY_ID"),
        java.lang.System.getenv("AWS_SECRET_ACCESS_KEY"),
        java.lang.System.getenv("AWS_SESSION_TOKEN"))
      target: self