Severity: critical (CWE-798)

Hardcoded Secrets & API Keys: Detection & Auto-Fix

Hardcoded secrets — including API keys, database passwords, JWT signing keys, and private encryption keys — embedded directly in source code are one of the most common and dangerous security vulnerabilities. Once the code is pushed to a repository, the secret is readable by anyone with read access to it. Even in private repos, a secret committed once remains in the commit history after it is deleted from the working tree, so removing the line does not revoke it. In 2024, GitHub detected over 12 million secret exposures in public repositories.

Why AI tools generate this vulnerability

AI Risk Factor

AI assistants generate hardcoded secrets constantly because they are trained on code that includes example configurations, tutorials, and working demos — all of which embed credentials inline for simplicity. When prompted to "connect to a database" or "configure JWT authentication," AI tools produce code with placeholder values that look functional and are never replaced before deployment. Worse, AI tools sometimes generate realistic-looking API keys that developers assume are examples but accidentally ship to production.

Vulnerable code example

VULNERABLE
// Node.js — AI-generated vulnerable code
import express from "express"; // assumed: `app` below is an Express app (not shown on the page)
import jwt from "jsonwebtoken";

const app = express();
app.use(express.json());
// authenticate(credentials) is the app's own user lookup and is assumed to exist

// VULNERABLE: JWT secret hardcoded in source. Anyone who can read the
// repository or its history can forge tokens that this server accepts.
const JWT_SECRET = "super-secret-key-12345";

app.post("/api/login", async (req, res) => {
  const user = await authenticate(req.body);
  const token = jwt.sign(
    { userId: user.id },
    JWT_SECRET,
    { expiresIn: "7d" }
  );
  res.json({ token });
});

# Python — AI-generated vulnerable code
import psycopg2

# VULNERABLE: database credentials in source code
conn = psycopg2.connect(
    host="prod-db.example.com",
    database="myapp",
    user="admin",
    password="P@ssw0rd!2025"
)

Secure code example

SECURE
// Node.js — environment variables (secure)
import express from "express"; // assumed: `app` below is an Express app (not shown on the page)
import jwt from "jsonwebtoken";

const app = express();
app.use(express.json());
// authenticate(credentials) is the app's own user lookup and is assumed to exist

// SECURE: secret loaded from an environment variable; the process refuses
// to start if it is missing instead of silently signing with `undefined`.
const JWT_SECRET = process.env.JWT_SECRET;
if (!JWT_SECRET) throw new Error("JWT_SECRET not set");

app.post("/api/login", async (req, res) => {
  const user = await authenticate(req.body);
  const token = jwt.sign(
    { userId: user.id },
    JWT_SECRET,
    { expiresIn: "7d" }
  );
  res.json({ token });
});

# Python — environment variables (secure)
import os
import psycopg2

# SECURE: credentials from environment / secret manager.
# os.environ[...] raises KeyError at startup if a variable is missing,
# so a misconfigured deployment fails fast rather than connecting with defaults.
conn = psycopg2.connect(
    host=os.environ["DB_HOST"],
    database=os.environ["DB_NAME"],
    user=os.environ["DB_USER"],
    password=os.environ["DB_PASSWORD"]
)
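The `if (!JWT_SECRET) throw` check above catches a missing secret, but not a placeholder that was copied straight out of a tutorial and exported into the environment unchanged. The following Python loader is an added example, not the page's own snippet or CodeShield's code: it extends the secure pattern by failing at startup when a secret is unset, matches a known placeholder, or is shorter than a minimum length, and it checks every required secret in one pass so a misconfigured deployment reports all of its problems on first boot. The placeholder list and the variable names are constructed for this example.

```python
import os
from typing import Iterable, List, Mapping, Optional


class SecretConfigError(RuntimeError):
    """Raised at startup when a required secret is missing or unusable."""


# Constructed list of placeholder strings seen in tutorials and generated
# code; "super-secret-key-12345" is the value from the vulnerable example above.
PLACEHOLDER_SECRETS = frozenset({
    "changeme", "change-me", "password", "secret", "example",
    "your-api-key", "your_api_key", "replace-me", "todo",
    "super-secret-key-12345",
})


def load_secret(name: str, env: Optional[Mapping[str, str]] = None,
                min_length: int = 32) -> str:
    """Return the secret stored under `name`, or raise SecretConfigError.

    `env` defaults to os.environ; passing a plain mapping makes the check
    testable without touching the real environment. The default minimum of
    32 bytes matches the RFC 7518 requirement that an HS256 key be at least
    as long as the hash output (256 bits).
    """
    source = os.environ if env is None else env
    value = source.get(name)
    if value is None or value.strip() == "":
        raise SecretConfigError(f"{name} is not set; refusing to start")
    if value.strip().lower() in PLACEHOLDER_SECRETS:
        raise SecretConfigError(f"{name} is a placeholder value; replace it before deploying")
    if len(value) < min_length:
        raise SecretConfigError(f"{name} is shorter than {min_length} characters")
    return value


def missing_or_weak(names: Iterable[str],
                    env: Optional[Mapping[str, str]] = None) -> List[str]:
    """Check several secrets at once and return one message per problem.

    Reporting all failures together means a deployment with three
    misconfigured secrets is fixed in one round trip, not three.
    """
    problems = []
    for name in names:
        try:
            load_secret(name, env)
        except SecretConfigError as exc:
            problems.append(str(exc))
    return problems


if __name__ == "__main__":
    # Startup check: abort before any request handler or DB connection exists.
    problems = missing_or_weak(["JWT_SECRET", "DB_PASSWORD"])
    if problems:
        raise SystemExit("\n".join(problems))
    JWT_SECRET = load_secret("JWT_SECRET")
```

Call `missing_or_weak` as the first thing in the process, before any framework is initialised, so the failure surfaces in the deploy log rather than as a 500 on the first login. The placeholder list is deliberately small; in practice it grows from whatever your own scanner keeps finding in pull requests.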

How CodeShield detects this

CodeShield uses multi-layer static analysis to detect hardcoded secrets and API keys across your entire codebase:

High-entropy string detection in variable assignments (API keys, tokens, passwords)
Pattern matching for known secret formats (AWS, Stripe, GitHub, Google Cloud, Slack, Twilio)
Detection of hardcoded passwords in database connection strings and config objects
JWT signing keys and session secrets assigned to string literals
Private key material (PEM, PKCS8) embedded in source files
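The checks listed above combine three different ideas: fixed prefixes for known credential formats, the name of the variable a literal is assigned to, and the entropy of the literal itself. As an added example, not CodeShield's detector, here is a small Python scanner that implements all three over source text and reports redacted findings. The format patterns are simplified versions of the publicly documented AWS, GitHub, Stripe and Slack prefixes; the sample source is constructed for this page, and the AWS key in it is the example key from AWS's own documentation, not a live credential.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    line_no: int
    rule: str
    redacted: str  # never write the full matched value back to a log or report


# Simplified versions of publicly documented credential prefixes.
KNOWN_FORMATS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "stripe-live-key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "slack-token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# A secret-looking name (JWT_SECRET, password, apiKey, ...) assigned a string
# literal. Matches both `name = "..."` and `name: "..."` (config objects).
SECRET_ASSIGNMENT = re.compile(
    r"\b(\w*(?:secret|password|passwd|pwd|token|api_?key|access_?key|private_?key)\w*)"
    r"\s*[:=]\s*[\"']([^\"']{4,})[\"']",
    re.IGNORECASE,
)

# Any string literal of 20+ token-like characters assigned to anything at all;
# judged by entropy rather than by name.
GENERIC_LITERAL = re.compile(r"[:=]\s*[\"']([A-Za-z0-9+/=_\-]{20,})[\"']")


def shannon_entropy(s: str) -> float:
    """Bits per character, estimated from the character frequencies in s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep a 4-character prefix so a finding can be triaged without re-exposing it."""
    return f"{value[:4]}... ({len(value)} chars)"


def scan_source(text: str, entropy_threshold: float = 3.5) -> List[Finding]:
    """Run the three checks over each line; a name-based hit suppresses the
    entropy check on the same line so one literal is not reported twice."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in KNOWN_FORMATS.items():
            m = pattern.search(line)
            if m:
                findings.append(Finding(line_no, rule, redact(m.group(0))))
        m = SECRET_ASSIGNMENT.search(line)
        if m:
            findings.append(Finding(line_no, "secret-variable-literal", redact(m.group(2))))
            continue
        m = GENERIC_LITERAL.search(line)
        if m and shannon_entropy(m.group(1)) >= entropy_threshold:
            findings.append(Finding(line_no, "high-entropy-literal", redact(m.group(1))))
    return findings


# Constructed sample: the two vulnerable snippets from this page plus a few
# extra lines covering the other rules and two lines that must NOT be flagged.
SAMPLE_SOURCE = """\
const JWT_SECRET = "super-secret-key-12345";
conn = psycopg2.connect(host="prod-db.example.com", password="P@ssw0rd!2025")
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
opaque = "0123456789abcdef0123456789abcdef"
cert_material = "-----BEGIN RSA PRIVATE KEY-----"
DB_HOST = os.environ["DB_HOST"]
banner = "aaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.rule}: {f.redacted}")
```

The entropy threshold of 3.5 bits per character is a common starting point: a 32-character hex key sits at 4.0, while English words, repeated characters and hostnames fall well below it. The name-based rule deliberately ignores entropy, because `password="P@ssw0rd!2025"` is a finding regardless of how random it looks, and `DB_HOST = os.environ["DB_HOST"]` produces no finding because nothing there is a string literal on the right-hand side of the assignment.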

Affected languages

Scan for hardcoded secrets and API keys in your repos

CodeShield detects hardcoded secrets and API keys and 5+ other vulnerability types across your entire codebase. Auto-fix with AI in one click.
