OeditusCredo.Check.Security.HardcodedCredentials (OeditusCredo v0.6.3)


Basics

This check is disabled by default.

Learn how to enable it via .credo.exs.

This check has a base priority of high and works with any version of Elixir.

Explanation

Detects hardcoded credentials and sensitive endpoints (CWE-798).

Hardcoded secrets in source code leak easily: they land in repository history (and stay there after the line is deleted), in build and application logs, and in error reports or stack traces that echo the offending value. They are also hard to rotate, because every copy of the code has to change.

This check builds on the package's earlier hardcoded-value detection by adding explicit credential-name-based matching: a literal assigned to a binding or module attribute whose name contains a credential term (password, secret, token, api_key, etc.) is reported even when the value itself does not look like a key.

Bad:

@api_key "sk_live_..."
password = "super-secret"
token = "abc123"

Better:

api_key = System.fetch_env!("API_KEY")
password = Application.fetch_env!(:my_app, :password)
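The following module is an added example, not OeditusCredo's own implementation, showing how the credential-name-based matching described above can be done over Elixir source: it parses the code into its AST, looks for `@name literal` and `name = literal` forms, and reports the ones whose name contains a credential term while the value is a plain string literal. The term list, the function names and the constructed sample source are assumptions for illustration; a call such as `System.fetch_env!/1` is an AST tuple rather than a binary, so the "Better" forms above are not reported.

```elixir
defmodule CredentialScan do
  @moduledoc """
  Added example (not the project's code): flag string literals assigned to
  credential-like names. Terms and return shape are illustrative assumptions.
  """

  # Substrings that mark a name as credential-like (assumed list).
  @credential_terms ~w(password passwd secret token api_key apikey private_key)

  @doc "Returns [{line, name, reason}] for every suspicious literal assignment."
  def scan(source, extra_terms \\ []) when is_binary(source) and is_list(extra_terms) do
    terms = @credential_terms ++ extra_terms
    {:ok, ast} = Code.string_to_quoted(source)

    {_ast, findings} =
      Macro.prewalk(ast, [], fn node, acc ->
        case finding(node, terms) do
          nil -> {node, acc}
          found -> {node, [found | acc]}
        end
      end)

    Enum.reverse(findings)
  end

  # Module attribute definition: @api_key "..." (a bare @api_key read has no args).
  defp finding({:@, meta, [{name, _, [value]}]}, terms) when is_atom(name) do
    literal_finding(meta, name, value, terms)
  end

  # Variable binding: password = "..." (the left side is a plain variable node).
  defp finding({:=, meta, [{name, _, ctx}, value]}, terms) when is_atom(name) and is_atom(ctx) do
    literal_finding(meta, name, value, terms)
  end

  defp finding(_node, _terms), do: nil

  defp literal_finding(meta, name, value, terms) do
    name_str = Atom.to_string(name)

    cond do
      not credential_name?(name_str, terms) -> nil
      not hardcoded_literal?(value) -> nil
      true -> {Keyword.get(meta, :line), name_str, "string literal assigned to credential-like name"}
    end
  end

  defp credential_name?(name, terms) do
    down = String.downcase(name)
    Enum.any?(terms, &String.contains?(down, &1))
  end

  # Only non-empty string literals count. Calls such as System.fetch_env!/1 or
  # Application.fetch_env!/2 arrive as {fun, meta, args} tuples and are skipped;
  # interpolated strings arrive as {:<<>>, ...} and are skipped as well.
  defp hardcoded_literal?(value) when is_binary(value), do: value != ""
  defp hardcoded_literal?(_), do: false

  @doc "Runs the scan over a constructed sample mixing bad and better forms."
  def demo do
    # Constructed sample input; the key value is a placeholder, not a real key.
    sample = """
    @api_key "sk_live_EXAMPLE"
    password = "super-secret"
    token = "abc123"
    api_key = System.fetch_env!("API_KEY")
    password = Application.fetch_env!(:my_app, :password)
    """

    scan(sample, ["passphrase"])
  end
end
```

Calling `CredentialScan.demo/0` in `iex` reports the first three lines of the sample and nothing for the two `fetch_env!` lines. The second argument of `scan/2` plays the role of the `:extra_credential_terms` parameter described further down: any additional substring passed there widens the set of names that are treated as credential-like.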

Check-Specific Parameters

Use the following parameters to configure this check:

:exclude_test_files

Set to true to skip test files. The generated default is nil, which behaves as false: test files are scanned unless you opt out. Note that a fixture credential in a test is still a real-looking secret in the repository, so prefer excluding only when the test files use obviously fake values.

:extra_credential_terms

Additional credential name substrings to flag, for example names specific to your code base such as "passphrase" or "client_secret". The generated default is nil, which behaves as an empty list: only the built-in terms are used unless you add your own.

General Parameters

As with all checks, the general parameters (such as priority) can also be applied.

Parameters can be configured via the .credo.exs config file.
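Because the check is disabled by default, it has to be listed under `checks` in `.credo.exs`. The fragment below is an added example, not part of the OeditusCredo documentation: it enables the check, sets both check-specific parameters and raises the general `priority` parameter. The extra terms and the priority value are illustrative choices.

```elixir
# .credo.exs (added example). Credo merges this with its own defaults;
# only the entries relevant to this check are shown.
%{
  configs: [
    %{
      name: "default",
      checks: [
        # Enable the check (it is off by default) and tune it.
        {OeditusCredo.Check.Security.HardcodedCredentials,
         # Skip files under test/ (the generated default is nil, i.e. scan them).
         exclude_test_files: true,
         # Assumed extra name substrings; adjust to the names your code base uses.
         extra_credential_terms: ["passphrase", "client_secret"],
         # General parameter: bump from the base priority of :high.
         priority: :higher}
      ]
    }
  ]
}
```

After saving the file, `mix credo` picks the check up without further flags; run `mix credo explain OeditusCredo.Check.Security.HardcodedCredentials` to confirm the effective parameters.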