
Hardcoded credentials

Credentials embedded directly into source code, risking security.


What are hardcoded credentials?

Hardcoded credentials occur when developers embed sensitive information such as API keys, passwords, tokens, or other secrets directly into source code. While this practice simplifies testing and development, it poses severe security risks if the source code becomes publicly accessible or compromised: anyone who can read the repository — including its history — can read the secret. Attackers routinely harvest exposed credentials and use them to gain unauthorized access to sensitive resources, leading to data breaches or full system compromise. Hardcoded credentials are a common security vulnerability and a frequent target of automated scanning tools, which is why a secret that has ever been committed should be treated as exposed and rotated.

How to remove hardcoded credentials from code

To remove hardcoded credentials, move sensitive values out of source code and load them at runtime from environment variables, configuration files kept outside version control, or a dedicated secret management service. Deleting a secret from the working tree does not remove it from version-control history: any secret that has already been committed should be rotated, not merely removed. Implement automated secret scanning in your CI/CD pipelines so embedded secrets are flagged before they are merged. Keep configuration clearly separated from code so that sensitive values stay externalized and securely stored, and reinforce this with regular code reviews and developer training so that authentication material is not inadvertently exposed.
.string()
.default('postgres://postgres:password@db.localtest.me:5432/postgres'),
Greptile
greptile
style: Default DATABASE_URL contains hardcoded credentials. Consider making this required in production for security.
# flyway.conf
-# Database connection details (match docker-compose.yml)
+# Database connection details
+# These values can be overridden by environment variables:
+# - FLYWAY_URL
+# - FLYWAY_USER
+# - FLYWAY_PASSWORD
flyway.url=REDACTED_BY_GREPTILE
flyway.user=REDACTED_BY_GREPTILE
flyway.password=REDACTED_BY_GREPTILE
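Review bot: The redacted `flyway.password` value on the last line has already been committed, and moving it to an environment variable afterwards does not remove it from the repository history, so whoever owns that database account should rotate the password as part of this change. The same applies if `flyway.url` embeds credentials in the JDBC URL, which I cannot tell from the redacted value. Consider extending the new header comment with `# Never commit real credentials here; set FLYWAY_PASSWORD in the environment` so the documented override is the expected path rather than a fallback.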
Greptile
greptile
style: Consider using environment variables instead of hardcoded credentials in the config file, especially since the override capability is now documented
suggested fix
+flyway.url=${FLYWAY_URL}
+flyway.user=${FLYWAY_USER}
+flyway.password=${FLYWAY_PASSWORD}
+import sqlite3
+
+conn = sqlite3.connect('database.db')
+cursor = conn.cursor()
+
+# Hardcoded credentials
+USERNAME = "REDACTED_BY_GREPTILE"
+PASSWORD = "REDACTED_BY_GREPTILE"
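Review bot: The connection opened by `sqlite3.connect('database.db')` and the cursor derived from it are created at module import time and never closed anywhere visible in the hunk, so the file handle lives for the life of the process and any uncommitted work is dropped on exit. Because `with sqlite3.connect(...)` only manages the transaction and does not close the connection, wrap it as `with contextlib.closing(sqlite3.connect('database.db')) as conn:` and create the cursor inside that block, adding `import contextlib` beside `import sqlite3`. The rest of this flat script is outside the hunk, so I cannot see whether a close happens later.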
Greptile
greptile
logic: Remove hardcoded credentials. These pose a security risk and are unused in the code
suggested fix
+# Remove unused test credentials
server:
rivet:
- edge:
- # TODO:
- cluster_id: REDACTED_BY_GREPTILE
- datacenter_id: REDACTED_BY_GREPTILE
- server_token: REDACTED_BY_GREPTILE
+ auth:
+ access_kind: REDACTED_BY_GREPTILE
+
+ ui:
+ public_origin_regex: REDACTED_BY_GREPTILE
+
+ guard:
+ # TLS not configured for local development
+ tls_enabled: REDACTED_BY_GREPTILE
+ # Corresponds to the ports configured in the `docker-compose.yml`
+ http_port: REDACTED_BY_GREPTILE
+ https_port: REDACTED_BY_GREPTILE
+ min_ingress_port_tcp: REDACTED_BY_GREPTILE
+ max_ingress_port_tcp: REDACTED_BY_GREPTILE
+ min_ingress_port_udp: REDACTED_BY_GREPTILE
+ max_ingress_port_udp: REDACTED_BY_GREPTILE
+
+ # Enable status checks if testing status check project
+ status:
+ token: REDACTED_BY_GREPTILE
+ system_test_isolate_project: REDACTED_BY_GREPTILE
+ system_test_isolate_environment: REDACTED_BY_GREPTILE
+ foundationdb:
+ connection: REDACTED_BY_GREPTILE
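Review bot: `status.token` under the new `status:` key is also a credential committed to this config, and it deserves the same treatment as the FoundationDB connection string — if it is a real value rather than a placeholder it should come from the environment or an untracked local override. The `# TLS not configured for local development` comment implies this file is a local-development config, but nothing visible says so; a header comment such as `# Local development only — do not deploy: plaintext tokens, TLS disabled` would make the intent explicit to anyone copying it as a template. I cannot see above the `server:` line, so the file may already carry such a note.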
Greptile
greptile
style: FoundationDB connection string contains hardcoded credentials - should use environment variables
}
]
},
+ "fdb": {
+ "default": {
+ "connection": "REDACTED_BY_GREPTILE
"
+ },
+ "allOf": [
+ {
+ "$ref": "REDACTED_BY_GREPTILE"
+ }
+ ]
+ },
Greptile
greptile
style: The default FDB connection string uses hardcoded credentials (fdb:fdb). Consider making these configurable or using environment variables.
+"""
+Manual test for the Backstage connector against a real Backstage instance.
+
+This test is designed to be run manually with real credentials.
+It is not intended to be part of the automated test suite.
+
+To run this test:
+1. Set the environment variables for your Backstage instance:
+ - BACKSTAGE_BASE_URL: REDACTED_BY_GREPTILE
+ - BACKSTAGE_CLIENT_ID: REDACTED_BY_GREPTILE
+ - BACKSTAGE_CLIENT_SECRET: REDACTED_BY_GREPTILE
+ - BACKSTAGE_TOKEN_ENDPOINT: REDACTED_BY_GREPTILE
+
+2. Run the script from the backend directory:
+ python tests/manual/test_backstage_connector_real.py
+"""
+import pytest
+import os
+import sys
+import logging
+from datetime import datetime, timedelta
+from typing import List
+
+# Add the parent directory to the path to allow importing onyx modules
+sys.path.insert(0, os.path.abspath(os.path.dirname(os.path.dirname(os.path.dirname(__file__)))))
+from onyx.connectors.backstage.connector import BackstageConnector
+from onyx.connectors.models import Document
+
+# Set up logging
+logging.basicConfig(
+ level=logging.INFO,
+ format="%(asctime)s - %(name)s - %(levelname)s - %(message)s",
+)
+logger = logging.getLogger(__name__)
+
+
+def check_environment_variables() -> bool:
+ """Check if all required environment variables are set."""
+ required_vars = [
+ "BACKSTAGE_BASE_URL",
+ "BACKSTAGE_CLIENT_ID",
+ "BACKSTAGE_CLIENT_SECRET",
+ "BACKSTAGE_TOKEN_ENDPOINT",
+ ]
+ missing_vars = [var for var in required_vars if var not in os.environ]
+
+ if missing_vars:
+ logger.error(f"Missing environment variables: {', '.join(missing_vars)}")
+ logger.error("Please set all required environment variables before running this test.")
+ return False
+ return True
+
+
+# def test_connector_init() -> BackstageConnector:
+# """Test initializing the connector."""
+# base_url = os.environ["BACKSTAGE_BASE_URL"]
+#
+# logger.info(f"Initializing connector with base URL: {base_url}")
+# connector = BackstageConnector(
+# base_url=base_url,
+# entity_kinds=[
+# BACKSTAGE_ENTITY_KINDS.COMPONENT.value,
+# BACKSTAGE_ENTITY_KINDS.API.value,
+# BACKSTAGE_ENTITY_KINDS.SYSTEM.value,
+# # Add more entity kinds as needed
+# ],
+# batch_size=100,
+# )
+#
+# return connector
+
+@pytest.fixture
+def backstage_connector(request: pytest.FixtureRequest) -> BackstageConnector:
+ scroll_before_scraping = request.param
+ base_url = "https://portal.services.as24.tech/"
+ connector = BackstageConnector(base_url)
+ return connector
+
+@pytest.mark.parametrize("backstage_connector", [True], indirect=True)
+def test_authentication(backstage_connector: BackstageConnector) -> bool:
+ """Test authentication against the real Backstage instance."""
+ logger.info("Testing authentication...")
+ try:
+ credentials = {
+ "backstage_client_id": 'REDACTED_BY_GREPTILE',
+ "backstage_client_secret": 'REDACTED_BY_GREPTILE',
+ "backstage_token_endpoint": REDACTED_BY_GREPTILE',
+ }
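Review bot: The `backstage_connector` fixture ignores `BACKSTAGE_BASE_URL` and hardcodes `https://portal.services.as24.tech/`, which contradicts the module docstring's instructions and publishes an internal hostname; `scroll_before_scraping = request.param` is assigned and never used, and `check_environment_variables()` is defined but never called anywhere in the hunk. Read the base URL from the environment and skip cleanly when the variables are missing, so the test neither targets a fixed instance nor dies with a KeyError. `test_authentication` continues past the end of the hunk; its `-> bool` annotation is also unusual for a pytest test, which should assert rather than return a value.
```python
@pytest.fixture
def backstage_connector(request: pytest.FixtureRequest) -> BackstageConnector:
    """Real connector pointed at the instance named by BACKSTAGE_BASE_URL."""
    if not check_environment_variables():
        pytest.skip("Backstage environment variables are not set")
    return BackstageConnector(os.environ["BACKSTAGE_BASE_URL"])
```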
Greptile
greptile
logic: Remove hardcoded credentials and use environment variables instead
suggested fix
credentials = {
+ "backstage_client_id": os.environ["BACKSTAGE_CLIENT_ID"],
+ "backstage_client_secret": os.environ["BACKSTAGE_CLIENT_SECRET"],
+ "backstage_token_endpoint": os.environ["BACKSTAGE_TOKEN_ENDPOINT"],
}
}
}
}
+
+#[derive(Debug, Serialize, Deserialize, Clone, JsonSchema)]
+#[serde(rename_all = "snake_case", deny_unknown_fields)]
+pub struct Fdb {
+ pub connection: String,
+}
+
+impl Default for Fdb {
+ fn default() -> Self {
+ Self {
+ connection: "REDACTED_BY_GREPTILE,
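Review bot: `Fdb` derives `Debug` while `connection` is a connection string that, judging by the default on the last line, carries credentials, so any `{:?}` of the enclosing config (a common pattern at startup) will print them into logs. Implement `Debug` by hand so the field is redacted, e.g. `impl fmt::Debug for Fdb { fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { f.debug_struct("Fdb").field("connection", &"<redacted>").finish() } }`, or wrap the field in a secret-string newtype if the crate already has one. The `impl Default for Fdb` block continues past the end of the hunk.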
Greptile
greptile
style: Default connection string uses hardcoded credentials (fdb:fdb). Consider making these configurable or documenting that these are development-only defaults.