Use of Hard-coded Credentials

Property
Language: javascript
Severity: high
CWE: CWE-798: Use of Hard-coded Credentials
OWASP: A07:2021 - Identification and Authentication Failures
Confidence Level: High
Impact Level: Medium
Likelihood Level: High

Description

The application’s JWT secret key is hard-coded directly in the source code. Storing secrets this way makes them easy to accidentally expose if the code is leaked, shared, or uploaded to public repositories.

Impact

If an attacker obtains the hard-coded secret, they can forge or tamper with JWT tokens, potentially impersonating users or escalating privileges within your app. This can lead to unauthorized access, data breaches, and compromised application security.

Use of Hard-coded Credentials

Property
Language: javascript
Severity: critical
CWE: CWE-798: Use of Hard-coded Credentials
OWASP: A07:2021 - Identification and Authentication Failures
Confidence Level: High
Impact Level: High
Likelihood Level: High

Description

The session secret for express-session is hard-coded directly in the source code. Storing secrets this way exposes them to anyone with code access and risks accidental leaks via version control.

Impact

If an attacker discovers the hard-coded session secret, they could forge valid session cookies, impersonate users, and potentially gain unauthorized access to sensitive areas of the application. This compromises user accounts and overall application security.

Use of Hard-coded Credentials

Property
Language: javascript
Severity: low
CWE: CWE-798: Use of Hard-coded Credentials
OWASP: A07:2021 - Identification and Authentication Failures
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The code uses a hard-coded HMAC key, meaning the secret key is written directly in the source code. This makes the key easy to discover for anyone with access to the codebase, exposing sensitive operations to risk.

Impact

If an attacker accesses the source code, they can easily obtain the HMAC key, allowing them to forge or tamper with authentication tokens or sensitive data. This undermines the integrity of cryptographic protections and can lead to unauthorized access or data breaches.

Use of Hard-coded Credentials

Property
Language: javascript
Severity: high
CWE: CWE-798: Use of Hard-coded Credentials
OWASP: A07:2021 - Identification and Authentication Failures
Confidence Level: High
Impact Level: Medium
Likelihood Level: High

Description

A hard-coded credential was detected. It is not recommended to store credentials in source code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials, or to retrieve credentials from a secure vault or HSM (Hardware Security Module).

Use of Hard-coded Credentials

Property
Language: python
Severity: low
CWE: CWE-798: Use of Hard-coded Credentials
OWASP: A07:2021 - Identification and Authentication Failures
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

The function sets a hard-coded password as a default argument, which means anyone calling the function without specifying a password will use this insecure default. This exposes sensitive credentials directly in the source code.

Impact

Attackers who access the codebase or decompile the application can easily retrieve the hard-coded password, potentially gaining unauthorized access to systems or data. This weakens authentication controls and could lead to data breaches or compromise of user accounts.

Use of Hard-coded Credentials

Property
Language: python
Severity: high
CWE: CWE-798: Use of Hard-coded Credentials
OWASP: A07:2021 - Identification and Authentication Failures
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: High

Description

Sensitive credentials, such as AWS access keys or tokens, are stored directly in the source code. This exposes secrets to anyone with code access, making them easy to leak through version control or code sharing.

Impact

If attackers obtain these hard-coded credentials, they can gain unauthorized access to cloud resources, potentially leading to data breaches, service disruption, or financial loss. Even internal leaks can result in privilege escalation or compromise of critical systems.

Use of Hard-coded Credentials

Property
Language: ruby
Severity: high
CWE: CWE-798: Use of Hard-coded Credentials
OWASP: A07:2021 - Identification and Authentication Failures
Confidence Level: High
Impact Level: Medium
Likelihood Level: Medium

Description

A hard-coded password is used for HTTP basic authentication in a controller, meaning the credential is written directly in the source code. This makes it easy for anyone with code access, including those outside your team, to see and misuse the password.

Impact

If the code is shared or pushed to version control, attackers could find and use the hard-coded password to gain unauthorized access to protected parts of your application, leading to data breaches or further compromise of the system.

Use of Hard-coded Credentials

Property
Language: ruby
Severity: high
CWE: CWE-798: Use of Hard-coded Credentials
OWASP: A07:2021 - Identification and Authentication Failures
Confidence Level: High
Impact Level: Medium
Likelihood Level: Medium

Description

The code uses a hard-coded passphrase for RSA private key encryption, storing a sensitive secret directly in the source code. This makes it easy for anyone with code access to discover and misuse the passphrase.

Impact

If an attacker obtains the passphrase from the codebase, they can decrypt private keys, impersonate users, or access protected resources. This can lead to data breaches, unauthorized access, and compromise of sensitive systems.

Use of Hard-coded Cryptographic Key

Property
Language: regex
Severity: low
CWE: CWE-321: Use of Hard-coded Cryptographic Key
OWASP: A02:2021 - Cryptographic Failures
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

A JWT (JSON Web Token) appears to be included directly in the codebase. Hard-coding tokens exposes sensitive authentication data, making it accessible to anyone with access to the code.

Impact

If attackers gain access to hard-coded JWTs, they may be able to impersonate users, access protected resources, or escalate privileges within your application. This can lead to unauthorized data exposure, account compromise, and broader security breaches.