← All glossary terms
Non-Human Identities5 min read

What is Hardcoded Credential Risk?

Hardcoded credentials in code, configs, or infrastructure are one of the most common breach vectors. Learn the risks and how to eliminate them.

What is Hardcoded Credential Risk?

Definition

Hardcoded credential risk is the exposure created when credentials (passwords, API keys, OAuth secrets, service account keys, encryption keys) are embedded directly in source code, configuration files, container images, scripts, or other artifacts.

Hardcoded credentials are easily leaked — committed to repos, included in container images, dumped from memory, exposed via misconfigured backups — and routinely abused by attackers.

In simple terms:

Hardcoded credentials are time bombs — they will leak; the only question is when.


Why It Matters

  • Top 10 in OWASP, CWE, and most security frameworks.
  • Major breach pattern (Cloudflare, Toyota, multiple GitHub leaks).
  • GitHub secret scanning detects millions of leaks per year.
  • Once committed, secret remains in Git history forever (until rewritten).
  • Recovery is expensive (rotation, audit, IR).

Why Hardcoding Persists

1. Developer Convenience

  • "Just for testing" — never removed.
  • No friction; works immediately.

2. Lack of Awareness

  • Developers don't know secret managers exist or how to use them.

3. Local Development Workflow

  • Easy to copy/paste; hard to integrate with vault.

4. Poor Tooling

  • No IDE integration with secrets vault.

5. Legacy Patterns

  • Old codebases predate secrets management.

6. Configuration Files

  • Secrets in .env, appsettings.json, config.yaml — committed inadvertently.

7. Container Images

  • Secrets baked into image during build.

8. CI/CD Misuse

  • Secrets embedded in pipeline scripts vs CI secret store.

Where Hardcoded Credentials Appear

  • Source code — strings in .py, .js, .cs, .go, etc.
  • Config files.env, config.json, application.properties.
  • Helm charts — values files.
  • Terraform / Pulumi — variable files.
  • DockerfilesENV directives.
  • Container images — baked layers.
  • CI/CD scripts — embedded vs vault references.
  • Frontend code — exposed in browser.
  • Mobile app binaries — extractable via APK / IPA inspection.
  • Backup files — copies preserve secrets.
  • Logs / traces — emitted accidentally.
  • Documentation — example credentials become real.
  • Comments — "password is X" in code.

Common Risks

1. Public Repo Leak

  • Public commit; scanners (GitHub, GitGuardian) and adversaries find it within minutes.

2. Internal Repo Leak

  • Insider / compromised dev finds it.

3. Image Layer Inspection

  • docker history reveals build-time secrets.

4. Memory Dump

  • Secrets in memory recoverable from crash dump or attacker post-exploitation.

5. Mobile App Reverse Engineering

  • Strings extracted from APK / IPA.

6. Supply-Chain Spread

  • Forks, dependencies, derivative projects propagate the secret.

7. Long Persistence

  • Even after removal, in Git history; needs git filter-repo to truly erase.

8. Compliance Violation

  • PCI, SOC 2, ISO require no hardcoded secrets.

Real-World Examples

1. AWS Keys in GitHub

Developer committed AWS access keys; bot scanned within 30 seconds; spun up crypto mining; $50K bill. Mitigation: AWS scoped keys + secret scanning + push protection + budget alerts.

2. OpenAI Key in Public Project

Public side project committed OpenAI key; ran up $30K. Mitigation: vendor secret scanning + push protection.

3. Container Image Secret

Production secrets baked into container image (in Dockerfile ENV). Image pushed to public registry; secrets exposed. Mitigation: build-time secret injection (BuildKit secrets); never ENV for secrets.

4. Mobile App Stripe Secret Key

Backend Stripe secret key bundled in mobile app. Found via APK reverse engineering; abused. Mitigation: client uses publishable key only; backend uses secret key.

5. .env Committed

Engineer accidentally committed .env with prod DB password. Caught by secret scanning before merge. Push protection blocked the push entirely.


How to Eliminate

1. Detect

  • GitHub / GitLab secret scanning.
  • GitGuardian / Trufflehog / Gitleaks scans.
  • Pre-commit hooks.
  • IDE plugins.

2. Block

  • Push protection (block commits with detected secrets).
  • CI gate (block PRs with secrets).

3. Replace with Secret Manager

  • Code reads secret from vault at runtime (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager).
  • .env references vault, not embed.

4. Federation

  • Replace static secrets entirely with workload identity federation / managed identity.

5. Build-Time Injection

  • For container builds: BuildKit secrets, sealed secrets, never ENV.

6. Mobile Best Practices

  • Never embed backend secrets.
  • Use OAuth / signed requests.
  • Backend proxies sensitive operations.

7. Cleanup

  • Rotate any leaked secrets.
  • Rewrite Git history if appropriate (carefully — coordination required).
  • Audit usage of leaked secrets.

8. Education

  • Developer training on secrets management.
  • Examples / templates of correct patterns.
  • Make the right path easier than the wrong path.

Best Practices

  1. Secret scanning everywhere — code, CI, registries, infra repos.
  2. Push protection to block at commit time.
  3. Secret manager as the only acceptable storage.
  4. Code references, never embeds.
  5. Federation / managed identity to eliminate secrets.
  6. Container build secrets properly handled (BuildKit, etc.).
  7. Mobile no secrets.
  8. Rotation as defense in depth.
  9. Education + paved paths.
  10. Incident response for leaks (rotate within minutes).

Checklist

  • Secret scanning on all repos?
  • Push protection enabled?
  • CI gates for secrets?
  • Secret manager mandated?
  • Federation / managed identity in use?
  • Container builds use proper secret injection?
  • Mobile apps free of backend secrets?
  • Rotation policies in place?
  • Developer training delivered?
  • Leak response playbook?
  • Git history clean for any past leaks (where feasible)?

How Forestall Helps

Forestall correlates discovered hardcoded secrets with NHI inventory, prioritizes remediation by NHI risk, and tracks rotation post-leak.


Frequently Asked Questions

Why are hardcoded secrets still common in 2026?

Developer convenience, legacy patterns, weak guardrails. Eliminating requires tooling + culture.

Can I encrypt hardcoded secrets?

The decryption key has to live somewhere — that's then your real secret. Better to use a secret manager.

What about .env files?

Acceptable for local dev only; never commit; in production use a vault. Better still: federation.

Do all repos need secret scanning?

Yes — public, private, internal. All can leak.

How fast must I rotate after a leak?

Minutes for high-value secrets (production, money-moving, customer data). Hours for medium. Even non-prod leaks should rotate within a day.


Conclusion

Hardcoded credentials are a leading cause of breaches and a fully solvable problem. Detect with secret scanning, block at commit time with push protection, replace with secret managers and federation, automate rotation, educate developers, and respond fast to leaks. With these in place, the era of "we got breached because of a leaked key in GitHub" can end for your organization.

Hardcoded CredentialsSecrets in CodeSecret SprawlNon-Human IdentityIdentity Security

Find and eliminate hardcoded credentials in your environment.

Forestall finds hardcoded secrets across code, configs, and infrastructure.

We respect your privacy

We use cookies to keep this site secure and working properly. With your permission, we also use optional cookies to understand usage and improve the experience. Cookie Policy

You can change your choice at any time.

What is Hardcoded Credential Risk? | Forestall