Bug Wiki Security & Access ControlHardcoded credentials

7 examples

Hardcoded credentials

Credentials embedded directly into source code, risking security.

[ FAQ1 ]

What are hardcoded credentials?

Hardcoded credentials occur when developers embed sensitive information such as API keys, passwords, tokens, or other secrets directly into source code. While this practice simplifies testing and development, it poses severe security risks if the source code becomes publicly accessible or compromised. Attackers commonly target exposed credentials, gaining unauthorized access to sensitive resources, data breaches, or system compromise. Hardcoded credentials are a common security vulnerability and a frequent target of automated scanning tools.

[ FAQ2 ]

How to remove hardcoded credentials from code

To remove hardcoded credentials, extract sensitive information from source code and use secure methods like environment variables, configuration files outside version control, or specialized secret management solutions. Implement automated secret scanning tools in your CI/CD pipelines to detect and flag embedded secrets proactively. Adopt best practices by clearly separating configuration from code, making sure sensitive information remains externalized and securely stored. Regular code reviews and developer training reinforce awareness of credential security, preventing inadvertent exposure of sensitive authentication information.

openintegrations/openint·#495

diff block

.string()

.default('postgres://postgres:password@db.localtest.me:5432/postgres'),

greptile

style: Default DATABASE_URL contains hardcoded credentials. Consider making this required in production for security.

helicone/helicone·#3698

diff block

# flyway.conf

-# Database connection details (match docker-compose.yml)

+# Database connection details

+# These values can be overridden by environment variables:

+# - FLYWAY_URL

+# - FLYWAY_USER

+# - FLYWAY_PASSWORD

flyway.url=REDACTED_BY_GREPTILE

flyway.user=REDACTED_BY_GREPTILE

flyway.password=REDACTED_BY_GREPTILE

greptile

style: Consider using environment variables instead of hardcoded credentials in the config file, especially since the override capability is now documented

suggested fix

+flyway.url=${FLYWAY_URL}

+flyway.user=${FLYWAY_USER}

+flyway.password=${FLYWAY_PASSWORD}

nazgul-beta/webapp·#3

diff block

+import sqlite3

+conn = sqlite3.connect('database.db')

+cursor = conn.cursor()

+# Hardcoded credentials

+USERNAME = "REDACTED_BY_GREPTILE"

+PASSWORD = "REDACTED_BY_GREPTILE"

greptile

logic: Remove hardcoded credentials. These pose a security risk and are unused in the code

suggested fix

+# Remove unused test credentials

rivet-gg/rivet·#2008

diff block

server:

rivet:

- edge:

- # TODO:

- cluster_id: REDACTED_BY_GREPTILE

- datacenter_id: REDACTED_BY_GREPTILE

- server_token: REDACTED_BY_GREPTILE

+ auth:

+ access_kind: REDACTED_BY_GREPTILE

+ ui:

+ public_origin_regex: REDACTED_BY_GREPTILE

+ guard:

+ # TLS not configured for local development

+ tls_enabled: REDACTED_BY_GREPTILE

+ # Corresponds to the ports configured in the `docker-compose.yml`

+ http_port: REDACTED_BY_GREPTILE

+ https_port: REDACTED_BY_GREPTILE

+ min_ingress_port_tcp: REDACTED_BY_GREPTILE

+ max_ingress_port_tcp: REDACTED_BY_GREPTILE

+ min_ingress_port_udp: REDACTED_BY_GREPTILE

+ max_ingress_port_udp: REDACTED_BY_GREPTILE

+ # Enable status checks if testing status check project

+ status:

+ token: REDACTED_BY_GREPTILE

+ system_test_isolate_project: REDACTED_BY_GREPTILE

+ system_test_isolate_environment: REDACTED_BY_GREPTILE

+ foundationdb:

+ connection: REDACTED_BY_GREPTILE

greptile

style: FoundationDB connection string contains hardcoded credentials - should use environment variables

rivet-gg/rivet·#1850

diff block

}

]

+ "fdb": {

+ "default": {

+ "connection": "REDACTED_BY_GREPTILE

+ },

+ "allOf": [

+ {

+ "$ref": "REDACTED_BY_GREPTILE"

+ }

+ ]

+ },

greptile

style: The default FDB connection string uses hardcoded credentials (fdb:fdb). Consider making these configurable or using environment variables.

onyx-dot-app/onyx·#4315

diff block

+"""

+Manual test for the Backstage connector against a real Backstage instance.

+This test is designed to be run manually with real credentials.

+It is not intended to be part of the automated test suite.

+To run this test:

+1. Set the environment variables for your Backstage instance:

+ - BACKSTAGE_BASE_URL: REDACTED_BY_GREPTILE

+ - BACKSTAGE_CLIENT_ID: REDACTED_BY_GREPTILE

+ - BACKSTAGE_CLIENT_SECRET: REDACTED_BY_GREPTILE

+ - BACKSTAGE_TOKEN_ENDPOINT: REDACTED_BY_GREPTILE

+2. Run the script from the backend directory:

+ python tests/manual/test_backstage_connector_real.py

+"""

+import pytest

+import os

+import sys

+import logging

+from datetime import datetime, timedelta

+from typing import List

+# Add the parent directory to the path to allow importing onyx modules

+sys.path.insert(0, os.path.abspath(os.path.dirname(os.path.dirname(os.path.dirname(__file__)))))

+from onyx.connectors.backstage.connector import BackstageConnector

+from onyx.connectors.models import Document

+# Set up logging

+logging.basicConfig(

+ level=logging.INFO,

+ format="%(asctime)s - %(name)s - %(levelname)s - %(message)s",

+logger = logging.getLogger(__name__)

+def check_environment_variables() -> bool:

+ """Check if all required environment variables are set."""

+ required_vars = [

+ "BACKSTAGE_BASE_URL",

+ "BACKSTAGE_CLIENT_ID",

+ "BACKSTAGE_CLIENT_SECRET",

+ "BACKSTAGE_TOKEN_ENDPOINT",

+ ]

+ missing_vars = [var for var in required_vars if var not in os.environ]

+ if missing_vars:

+ logger.error(f"Missing environment variables: {', '.join(missing_vars)}")

+ logger.error("Please set all required environment variables before running this test.")

+ return False

+ return True

+# def test_connector_init() -> BackstageConnector:

+# """Test initializing the connector."""

+# base_url = os.environ["BACKSTAGE_BASE_URL"]

+# logger.info(f"Initializing connector with base URL: {base_url}")

+# connector = BackstageConnector(

+# base_url=base_url,

+# entity_kinds=[

+# BACKSTAGE_ENTITY_KINDS.COMPONENT.value,

+# BACKSTAGE_ENTITY_KINDS.API.value,

+# BACKSTAGE_ENTITY_KINDS.SYSTEM.value,

+# # Add more entity kinds as needed

+# ],

+# batch_size=100,

+# )

+# return connector

+@pytest.fixture

+def backstage_connector(request: pytest.FixtureRequest) -> BackstageConnector:

+ scroll_before_scraping = request.param

+ base_url = "https://portal.services.as24.tech/"

+ connector = BackstageConnector(base_url)

+ return connector

+@pytest.mark.parametrize("backstage_connector", [True], indirect=True)

+def test_authentication(backstage_connector: BackstageConnector) -> bool:

+ """Test authentication against the real Backstage instance."""

+ logger.info("Testing authentication...")

+ try:

+ credentials = {

+ "backstage_client_id": 'REDACTED_BY_GREPTILE',

+ "backstage_client_secret": 'REDACTED_BY_GREPTILE',

+ "backstage_token_endpoint": REDACTED_BY_GREPTILE',

+ }

greptile

logic: Remove hardcoded credentials and use environment variables instead

suggested fix

credentials = {

+ "backstage_client_id": os.environ["BACKSTAGE_CLIENT_ID"],

+ "backstage_client_secret": os.environ["BACKSTAGE_CLIENT_SECRET"],

+ "backstage_token_endpoint": os.environ["BACKSTAGE_TOKEN_ENDPOINT"],

}

rivet-gg/rivet·#1850

diff block

}

+#[derive(Debug, Serialize, Deserialize, Clone, JsonSchema)]

+#[serde(rename_all = "snake_case", deny_unknown_fields)]

+pub struct Fdb {

+ pub connection: String,

+impl Default for Fdb {

+ fn default() -> Self {

+ Self {

+ connection: "REDACTED_BY_GREPTILE,

greptile

style: Default connection string uses hardcoded credentials (fdb:fdb). Consider making these configurable or documenting that these are development-only defaults.

What are hardcoded credentials?

How to remove hardcoded credentials from code

Hardcoded credentials

What are hardcoded credentials?

How to remove hardcoded credentials from code

Product

Company

Helpful Links

Hardcoded credentials

What are hardcoded credentials?

How to remove hardcoded credentials from code