1.7 KiB
1.7 KiB
description, alwaysApply
| description | alwaysApply |
|---|---|
| No Hardcoded Credentials | true |
rule_id: codeguard-1-hardcoded-credentials
No Hardcoded Credentials
NEVER store secrets, passwords, API keys, tokens or any other credentials directly in source code.
Treat your codebase as public and untrusted. Any credential that appears in source code is compromised and must be handled through secure alternatives.
NEVER hardcode these types of values:
Passwords and Authentication:
- Database passwords, user passwords, admin passwords
- API keys, secret keys, access tokens, refresh tokens
- Private keys, certificates, signing keys
- Connection strings containing credentials
- OAuth client secrets, webhook secrets
- Any other credentials that could be used to access external services
Recognition Patterns - Learn to Spot These Formats
Common Secret Formats You Must NEVER Hardcode:
- AWS Keys: Start with
AKIA,AGPA,AIDA,AROA,AIPA,ANPA,ANVA,ASIA - Stripe Keys: Start with
sk_live_,pk_live_,sk_test_,pk_test_ - Google API: Start with
AIzafollowed by 35 characters - GitHub Tokens: Start with
ghp_,gho_,ghu_,ghs_,ghr_ - JWT Tokens: Three base64 sections separated by dots, starts with
eyJ - Private Key Blocks: Any text between
-----BEGINand-----END PRIVATE KEY----- - Connection Strings: URLs with credentials like
mongodb://user:pass@host
Warning Signs in Your Code:
- Variable names containing:
password,secret,key,token,auth - Long random-looking strings that are not clear what they are
- Base64 encoded strings near authentication code
- Any string that grants access to external services
You must always explain how this rule was applied and why it was applied.