Hardcoded Credentials Security Issue
Issue Overview
Risk Level: Critical (CVSS 9.8)
Problem: Database passwords, AWS credentials, and API keys hardcoded in source code
Affected Components
- docker-compose.yml - MySQL root passwords
- config.py files - Database connection strings
- Service configuration files - API keys and tokens
Keploy Testing Strategy
Test Configuration
# keploy-secrets-test.yml
version: api.keploy.io/v1beta1
kind: config
metadata:
  name: secrets-detection-test
spec:
  app:
    name: "ecommerce-secrets-audit"
  test:
    path: "./keploy/secrets-tests"
    secrets_scan: true

Record and Test
# Record service startup and config loading
# (check `keploy record --help` on the installed release before relying on --secrets-mode)
keploy record -c "docker-compose up" --secrets-mode
# Test endpoints that might expose config
curl http://localhost:8080/health
curl http://localhost:8081/config
curl http://localhost:8082/debug

Secure Response Test
# keploy/tests/secure-config-test.yaml
version: api.keploy.io/v1beta1
kind: Http
metadata:
  name: secure-config-test
spec:
  req:
    method: GET
    url: http://localhost:8080/health
  assertions:
    # substring match: this also trips on harmless field names such as "password_set";
    # tighten the pattern if the body legitimately contains the word
    - type: response_body
      not_contains: "password"
      message: "Health endpoint should not expose credentials"
    - type: response_body
      not_contains: "AKIA"
      message: "AWS credentials should not be exposed"

Vulnerability Examples
Vulnerable Code
# config.py - VULNERABLE
DATABASE_URL = "mysql://root:hardcoded_password@localhost:3306/orders"
# AWS's documented example key pair. A real pair that has been committed stays in git
# history after deletion, so it has to be rotated, not just removed from the file.
AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

Secure Implementation
# config.py - SECURE
import os

# os.getenv returns None when the variable is unset; check for that at startup
# instead of letting the first database call fail inside a request handler.
DATABASE_URL = os.getenv('DATABASE_URL')
AWS_ACCESS_KEY = os.getenv('AWS_ACCESS_KEY')
AWS_SECRET_KEY = os.getenv('AWS_SECRET_KEY')

Test Scenarios
Configuration Exposure Test
keploy record -c "python app.py"
curl http://localhost:8080/api/v1/config
curl http://localhost:8080/.env

Error Message Exposure
# Force database connection errors
docker-compose stop mysql_orders
curl http://localhost:8080/api/v1/orders

Automated Scanning
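Before wiring a scanner into CI it helps to see what the check itself does. The block below is an added example written for this page, not code from the issue or from Keploy: a small Python scanner that applies the same kinds of pattern the Keploy assertions above rely on (AKIA access-key IDs, passwords embedded in connection strings, password assignments, 40-character AWS secrets) to response bodies and error pages, and reports each hit with the value redacted so the report cannot leak what it found. The sample bodies are constructed for the demonstration; the AWS values are the documented AWS example credentials, and the function and rule names are choices made here.

```python
"""Regex-based secret scanner for HTTP response bodies, error pages and config text.

Added example for this page, not code from the original issue or from Keploy.
The sample bodies at the bottom are constructed; the AWS values are the
documented AWS example credentials, not real ones.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int       # 1-based line within the scanned text
    redacted: str   # 4-character prefix only, so the report itself never leaks


# (rule name, compiled pattern, capture group holding the secret value).
# Anchored patterns are used instead of bare words: a bare "key" would match
# "keploy" and a bare "password" would flag {"password_set": true}.
RULES: List[Tuple[str, re.Pattern, int]] = [
    # AWS access key ids: AKIA (long-term) or ASIA (temporary) plus 16 characters
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), 0),
    # 40-character AWS secret assigned to a field whose name starts with aws_secret
    ("aws_secret_access_key",
     re.compile(r"(?i)aws_secret[_a-z]*['\"]?\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})"), 1),
    # scheme://user:password@host, i.e. a connection string with an embedded password
    ("db_url_with_password",
     re.compile(r"\b[a-z][a-z0-9+.-]*://[^:/\s@]+:([^@\s'\"]+)@"), 1),
    # password = "value" or "passwd": "value" in config files or JSON
    ("password_assignment",
     re.compile(r"(?i)(?:password|passwd|pwd)\b['\"]?\s*[:=]\s*['\"]?([^'\"\s,}]+)"), 1),
]


def redact(secret: str) -> str:
    """Keep a 4-character prefix so a finding can be triaged without re-leaking it."""
    return secret[:4] + "****"


def scan_text(text: str) -> List[Finding]:
    """Return every secret-looking value in text, one Finding per match."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern, group in RULES:
            for match in pattern.finditer(line):
                findings.append(Finding(name, lineno, redact(match.group(group))))
    return findings


def has_secrets(text: str) -> bool:
    return bool(scan_text(text))


def assert_no_secrets(text: str, where: str) -> None:
    """Fail the way the response assertions above intend, with a redacted report."""
    found = scan_text(text)
    if found:
        report = ", ".join(f"{f.rule} at line {f.line} ({f.redacted})" for f in found)
        raise AssertionError(f"{where} exposes credentials: {report}")


# Constructed sample responses, modelled on the endpoints probed in the issue.
CLEAN_HEALTH_BODY = '{"status": "ok", "db": "reachable", "password_set": true}'
LEAKY_CONFIG_BODY = (
    '{"DATABASE_URL": "mysql://root:hardcoded_password@mysql_orders:3306/orders", '
    '"AWS_ACCESS_KEY": "AKIAIOSFODNN7EXAMPLE", '
    '"AWS_SECRET_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}'
)
# Constructed traceback excerpt: the /api/v1/orders failure mode with MySQL stopped.
LEAKY_ERROR_BODY = (
    "Traceback (most recent call last):\n"
    "  File \"app.py\", line 42, in list_orders\n"
    "    conn = pymysql.connect(host=host, password=\"hardcoded_password\")\n"
    "pymysql.err.OperationalError: (2003, \"Can't connect to MySQL server on 'mysql_orders'\")\n"
)

if __name__ == "__main__":
    assert_no_secrets(CLEAN_HEALTH_BODY, "GET /health")
    for name, body in (("GET /config", LEAKY_CONFIG_BODY),
                       ("GET /api/v1/orders", LEAKY_ERROR_BODY)):
        try:
            assert_no_secrets(body, name)
        except AssertionError as exc:
            print(exc)
```

Run it directly to see the two leaky bodies reported with redacted values while the health body, which contains the substring "password" in a harmless field name, passes. The same scan_text can be pointed at config.py, docker-compose.yml or a CI log, which is the gap a response-only assertion leaves open.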
CI/CD Integration
# .github/workflows/secrets-scan.yml
name: Secrets Detection
on: [push, pull_request]
jobs:
  secrets-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Install Keploy
        run: |
          curl -L https://github.com/keploy/keploy/releases/latest/download/keploy_linux_amd64.tar.gz | tar xz
          sudo mv keploy /usr/local/bin
      - name: Run Secrets Test
        run: keploy test --secrets-scan

Remediation
Environment Variables
# .env file (not committed)
DB_PASSWORD=secure_password
AWS_ACCESS_KEY=your_aws_key
AWS_SECRET_KEY=your_aws_secret

Secure Docker Compose
# docker-compose.yml
version: '3.8'
services:
  mysql_orders:
    image: mysql:8.0
    environment:
      # Compose substitutes ${DB_PASSWORD} from the shell environment or the
      # project's .env file, so the value never appears in this file.
      MYSQL_ROOT_PASSWORD: ${DB_PASSWORD}
    # Deliberately no `env_file: .env` here: that would inject every variable in
    # .env, including the AWS keys, into the MySQL container, which has no use for them.

Application Config
# secure_config.py
import os
from dotenv import load_dotenv

load_dotenv()  # reads .env from the working directory into os.environ; variables already set win

class Config:
    DB_PASSWORD = os.getenv('DB_PASSWORD')
    AWS_ACCESS_KEY = os.getenv('AWS_ACCESS_KEY')
    AWS_SECRET_KEY = os.getenv('AWS_SECRET_KEY')

Validation
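Validation should cover the two paths the test scenarios above exercise: startup with a variable missing, and a request that fails because MySQL is down. Reading the variables with os.getenv is only half of the fix; the application also has to refuse to start when a required value is absent, and a driver exception that quotes the connection string must not reach the HTTP response. The block below is an added example, not code from the issue or from Keploy. It reads settings from any mapping (os.environ by default) so it runs without python-dotenv, uses the variable names from the .env example above, and introduces Config, MissingSecretError, load_config and safe_error_message as names chosen here; SAMPLE_ENV is a constructed stand-in for a .env file.

```python
"""Fail-fast settings loader that never reveals secret values in repr, logs or errors.

Added example for this page, not code from the original issue or from Keploy.
It reads from any mapping (os.environ by default), so the constructed
SAMPLE_ENV below can stand in for a .env file and the block runs offline.
"""
import os
from typing import Mapping, Optional, Tuple

# Variables the service cannot run without; names come from the issue's .env example.
REQUIRED = ("DB_PASSWORD", "AWS_ACCESS_KEY", "AWS_SECRET_KEY")


class MissingSecretError(RuntimeError):
    """Raised at startup when a required variable is unset or blank."""


def mask(value: str) -> str:
    """Show only a 4-character prefix, enough to tell keys apart when triaging."""
    return value[:4] + "****"


class Config:
    def __init__(self, env: Mapping[str, str]) -> None:
        missing = [name for name in REQUIRED if not env.get(name, "").strip()]
        if missing:
            # Name the variables, never their values, and refuse to start rather
            # than run with None and fail later inside a request handler.
            raise MissingSecretError("missing required settings: " + ", ".join(missing))
        self.db_host = env.get("DB_HOST", "localhost")
        self.db_user = env.get("DB_USER", "orders")
        self._db_password = env["DB_PASSWORD"]
        self.aws_access_key = env["AWS_ACCESS_KEY"]
        self._aws_secret_key = env["AWS_SECRET_KEY"]

    def database_url(self) -> str:
        """Only the DB client should ever see this string; never log or return it."""
        return f"mysql://{self.db_user}:{self._db_password}@{self.db_host}:3306/orders"

    def secrets(self) -> Tuple[str, str]:
        return (self._db_password, self._aws_secret_key)

    def __repr__(self) -> str:
        # This is what a /debug endpoint, a traceback or a log line would print.
        return (f"Config(db_host={self.db_host!r}, db_user={self.db_user!r}, "
                f"aws_access_key={mask(self.aws_access_key)!r}, "
                f"db_password=<redacted>, aws_secret_key=<redacted>)")


def load_config(env: Optional[Mapping[str, str]] = None) -> Config:
    """Build Config from the process environment unless a mapping is supplied."""
    return Config(os.environ if env is None else env)


def redact_secrets(text: str, config: Config) -> str:
    """Replace every occurrence of a secret value in text with a fixed marker."""
    for secret in config.secrets():
        text = text.replace(secret, "[REDACTED]")
    return text


def safe_error_message(exc: BaseException, config: Config) -> str:
    """The message the /api/v1/orders handler should return when MySQL is down.

    Driver exceptions often embed the connection string; the response must not.
    """
    return f"{type(exc).__name__}: {redact_secrets(str(exc), config)}"


# Constructed stand-in for the .env file; AWS values are AWS's documented examples.
SAMPLE_ENV = {
    "DB_HOST": "mysql_orders",
    "DB_USER": "orders",
    "DB_PASSWORD": "secure_password",
    "AWS_ACCESS_KEY": "AKIAIOSFODNN7EXAMPLE",
    "AWS_SECRET_KEY": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
}

if __name__ == "__main__":
    cfg = load_config(SAMPLE_ENV)
    print(cfg)  # no password or secret key in the output
    # Simulated driver failure after `docker-compose stop mysql_orders`: the
    # exception quotes the full URL, the response must not.
    err = ConnectionError(f"Can't connect to MySQL server using {cfg.database_url()}")
    print(safe_error_message(err, cfg))
    try:
        load_config({k: v for k, v in SAMPLE_ENV.items() if k != "DB_PASSWORD"})
    except MissingSecretError as exc:
        print("startup refused:", exc)
```

The textual replacement in redact_secrets is a last line of defence for messages that come from a driver you do not control; the primary control is that the handler returns a generic error and the full exception only goes to a log sink with its own access controls.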
Test Secure Setup
export DB_PASSWORD="secure_password"
export AWS_ACCESS_KEY="AKIA_SECURE_KEY"
keploy test -c "python app.py" --env-validation

Expected Results
test_results:
  - name: "no-secrets-in-response"
    status: "PASSED"
    message: "No hardcoded secrets found"

Monitoring
# keploy-monitoring.yml
monitoring:
  secrets_detection:
    enabled: true
    # Bare words such as "key" match ordinary output (the string "keploy" included);
    # prefer anchored patterns like the AKIA one so the alert channel stays useful.
    patterns: ["password", "secret", "key", "AKIA[0-9A-Z]{16}"]
    alerts:
      webhook: "https://hooks.slack.com/webhook"
      message: "🚨 Hardcoded secrets detected!"

Best Practices
- Never commit secrets to version control
- Use environment variables for sensitive data
- Implement secrets rotation policies
- Use AWS Secrets Manager
- Regular automated scanning with Keploy
E-commerce Microservices Security Documentation