diff --git a/rules/S6418/secrets/metadata.json b/rules/S6418/secrets/metadata.json new file mode 100644 index 00000000000..28f452b81da --- /dev/null +++ b/rules/S6418/secrets/metadata.json @@ -0,0 +1,11 @@ +{ + "title": "Secrets should not be hard-coded", + "type": "VULNERABILITY", + "quickfix": "infeasible", + "code": { + "impacts": { + "SECURITY": "LOW" + }, + "attribute": "TRUSTWORTHY" + } +} diff --git a/rules/S6418/secrets/rule.adoc b/rules/S6418/secrets/rule.adoc new file mode 100644 index 00000000000..e635605dd73 --- /dev/null +++ b/rules/S6418/secrets/rule.adoc 
@@ -0,0 +1,54 @@ +include::../../../shared_content/secrets/description.adoc[] + +This rule detects secrets like api keys being hard-coded in the source code. + +== Why is this an issue? + +include::../../../shared_content/secrets/rationale.adoc[] + +=== What is the potential impact? + +Below are some real-world scenarios that illustrate some impacts of an attacker +exploiting the secret. + +include::../../../shared_content/secrets/impact/security_downgrade.adoc[] + +include::../../../shared_content/secrets/impact/data_compromise.adoc[] + +include::../../../shared_content/secrets/impact/financial_loss.adoc[] + +== How to fix it + +include::../../../shared_content/secrets/fix/revoke.adoc[] + +include::../../../shared_content/secrets/fix/vault.adoc[] + +=== Code Examples + +==== Noncompliant Code Example + +[source,properties,diff-id=1,diff-type=noncompliant] +---- +api_key=iN1KtmV2xIgdtOs1la7ugo1Pt7gLDjykprJsTELMuULRJQrlBoftwZn92Redve5k // Noncompliant +---- + +==== Compliant Solution + +Use placeholders that will be replaced by the actual secret by the build system or framework, environment variables or a secrets management service in order to not hard-code secrets in the source code. + +[source,properties,diff-id=1,diff-type=compliant] +---- +api_key=${MY_API_KEY} +---- + +== Resources + +=== Related rules + +* S2068 - Credentials should not be hard-coded + +=== Standards + +* OWASP - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/[Top 10 2021 Category A7 - Identification and Authentication Failures] +* OWASP - https://owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication[Top 10 2017 Category A2 - Broken Authentication] +* CWE - https://cwe.mitre.org/data/definitions/798[CWE-798 - Use of Hard-coded Credentials]
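Review bot: In the metadata.json hunk, the `"SECURITY": "LOW"` impact rating looks at odds with the rule's own rule.adoc text, which lists security downgrade, data compromise and financial loss as potential impacts of a leaked secret and gives the rule type `VULNERABILITY`. Either the impact level should be raised to match those described consequences, or a short justification for `LOW` should accompany the change so the two files do not contradict each other.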
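Review bot: In the rule.adoc hunk, the noncompliant example `api_key=iN1Ktm...Redve5k // Noncompliant` is in a `properties` source block, but `//` is not a comment marker in .properties files (`#` and `!` are), so as written the marker becomes part of the value and the rendered snippet shows an invalid way to comment the line; move the `// Noncompliant` marker into the `[source]` block attributes or use `# Noncompliant` on its own line. Two smaller points in the same hunk: "api keys" should read "API keys", and the compliant-solution sentence ("Use placeholders that will be replaced by the actual secret by the build system or framework, environment variables or a secrets management service in order to not hard-code secrets in the source code.") is a run-on; splitting it into "Do not hard-code secrets in the source code. Use placeholders that the build system, framework, environment variables or a secrets management service replaces with the actual secret." reads more clearly.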