
Hardcoded Credentials

security · CWE-798 · OWASP A2:2021 · CVSS 9.8 · Beginner
DEBT score: d5/e7/b3/t7
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches it' (d5). The tools in the term's detection_hints list (trufflehog, gitleaks, github-secret-scanning, semgrep) are all specialist SAST/secret-scanning tools, not default linters or compiler errors. Automated detection is possible but requires deliberately running these tools against the full git history, which is not something that fires by default in most dev workflows.

e7 Effort Remediation debt — work required to fix once spotted

Closest to 'cross-cutting refactor across the codebase' (e7). The quick_fix says to scan the entire git history and rotate every found credential immediately. Rotation is not a code change — it involves updating secrets in every environment, revoking and reissuing credentials with external providers, updating CI/CD pipelines, and purging or rewriting git history. This is inherently cross-cutting and touches infrastructure, deployment config, and source code simultaneously.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3). The applies_to contexts are web and cli, which is broad, but hardcoded credentials are typically concentrated in specific config files or constants. Once removed and replaced with environment variable injection, the burden doesn't spread widely across the codebase. However, the persistent risk of git history exposure means a localised-but-sticky tax remains.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap — contradicts how a similar concept works elsewhere' (t7). The misconception field states directly: 'Credentials in a private repository are safe.' Developers routinely believe access controls on the repo are sufficient protection, not realising that git history permanently preserves secrets even after removal, that private repos can be breached or accidentally made public, and that CI logs often echo secrets. This contradicts the intuitive mental model of 'private = safe.'


Also Known As

hardcoded password, hardcoded secret, embedded credentials

TL;DR

Secrets, passwords, or API keys embedded directly in source code can be extracted from repositories or compiled binaries.

Explanation

Hardcoded credentials are a persistent risk because developers commit secrets into version control — even if removed later, they remain in git history. Once a repository is leaked or made public, automated scanners harvest these credentials within minutes. Use environment variables or a secrets manager (HashiCorp Vault, AWS Secrets Manager) to inject credentials at runtime. Implement pre-commit hooks with tools like truffleHog or git-secrets to prevent accidental commits.

Common Misconception

"Credentials in a private repository are safe." In reality, private repos get breached or accidentally made public, and git history preserves secrets even after they are removed. Secrets should never enter version control.

Why It Matters

Credentials committed to source control are permanently exposed: once pushed, git history cannot be effectively purged (every clone and fork keeps a copy), and rotating the credentials still doesn't remove them from the history.

Common Mistakes

  • Committing .env files or config files with real credentials to version control.
  • Defining credentials as PHP constants in source files that are tracked in git.
  • Using the same credentials in development and production, meaning a dev repo leak compromises production.
  • Not scanning CI pipelines and logs, which often echo environment variables containing secrets.

Code Examples

✗ Vulnerable
$db = new PDO('mysql:host=localhost', 'root', 'SuperSecret123!');
✓ Fixed
// $_ENV is populated only when php.ini's variables_order includes "E" (php.ini-production uses "GPCS"); getenv('DB_PASS') reads the process environment regardless.
$db = new PDO('mysql:host=' . $_ENV['DB_HOST'], $_ENV['DB_USER'], $_ENV['DB_PASS']);
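As an added detection example (not code from CodeClarityLab or from any of the tools named on this page), the following Python scanner applies one rule per pattern listed under Detection Hints (a literal PDO password, a credential-like define() constant, a .env entry, a connection string with an embedded password) to constructed sample lines that include the vulnerable and fixed PDO calls above; all filenames and secret values are made up.

```python
import re

# Constructed sample input (not from any real repository): the page's vulnerable
# and fixed PDO calls, a .env entry tracked in git, PHP define() constants and a
# connection string, i.e. the patterns listed under Detection Hints.
SAMPLE_LINES = [
    ("db.php", "$db = new PDO('mysql:host=localhost', 'root', 'SuperSecret123!');"),
    ("db.php", "$db = new PDO('mysql:host=' . $_ENV['DB_HOST'], $_ENV['DB_USER'], $_ENV['DB_PASS']);"),
    (".env", "DB_PASS=SuperSecret123!"),
    (".env", "DB_HOST=localhost"),
    ("config.php", "define('API_KEY', 'sk_live_EXAMPLEPLACEHOLDER0000');"),  # placeholder value
    ("config.php", "define('DB_HOST', 'localhost');"),
    ("settings.ini", 'dsn = "postgres://app:Hunter2pass@db.internal:5432/app"'),
]

# Each rule is (name, regex); capture group 1 holds the literal secret.
RULES = [
    # new PDO(dsn, user, 'literal'): fires only when the 3rd argument is a quoted string
    ("php-pdo-literal-password",
     re.compile(r"new\s+PDO\s*\(.*?,\s*[^,]+,\s*['\"]([^'\"]+)['\"]")),
    # define('..._KEY|PASS|PASSWORD|SECRET|TOKEN', 'literal')
    ("php-define-secret",
     re.compile(r"define\(\s*['\"][A-Z0-9_]*(?:KEY|PASS|PASSWORD|SECRET|TOKEN)['\"]\s*,\s*['\"]([^'\"]+)['\"]", re.I)),
    # KEY=value lines whose key name looks credential-like (.env style)
    ("dotenv-secret",
     re.compile(r"^[A-Z0-9_]*(?:KEY|PASS|PASSWORD|SECRET|TOKEN)\s*=\s*(\S+)", re.I)),
    # scheme://user:password@host
    ("connection-string-password",
     re.compile(r"[a-z][a-z0-9+.-]*://[^:/\s]+:([^@\s\"']+)@")),
]


def redact(secret):
    """Keep a 4-char prefix so a report can be shared without re-leaking the value."""
    return secret[:4] + "*" * max(len(secret) - 4, 0)


def scan_lines(lines):
    """Return (filename, rule_name, redacted_secret) for every line a rule matches."""
    findings = []
    for filename, line in lines:
        for rule_name, pattern in RULES:
            match = pattern.search(line)
            if match:
                findings.append((filename, rule_name, redact(match.group(1))))
    return findings


if __name__ == "__main__":
    for filename, rule_name, redacted in scan_lines(SAMPLE_LINES):
        print(f"{filename}: {rule_name} -> {redacted}")
```

The fixed line produces no finding because its third argument is a variable, not a string literal. Real scanners such as gitleaks and truffleHog walk every commit in the history rather than the working tree alone, which is what the Quick Fix on this page calls for.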

Added 15 Mar 2026
Edited 22 Mar 2026
DEV INTEL: Tools & Severity

Severity: 🔴 Critical · Fix effort: Low

⚡ Quick Fix
Run truffleHog or gitleaks on your entire git history now — if anything is found, rotate the credential immediately regardless of how old the commit is.

📦 Applies To
any, web, cli
🔍 Detection Hints
Passwords, API keys and tokens in PHP source; credentials in .env committed to git; connection strings with passwords in config files.
Auto-detectable: ✓ Yes (trufflehog, gitleaks, github-secret-scanning, semgrep)
🤖 AI Agent
Confidence: High · False Positives: Medium · ✗ Manual fix · Fix: High · Context: File

CWE-798, CWE-259
