{ "ruleId": "S012", "name": "Hardcoded Secrets Protection", "description": "Detects hardcoded secrets, API keys, passwords, tokens, and credentials in source code to prevent accidental exposure through version control", "category": "security", "severity": "error", "languages": ["All languages"], "tags": [ "security", "owasp", "secrets", "credentials", "cryptographic-failures", "hardcoded-secrets", "api-keys", "passwords", "tokens" ], "enabled": true, "fixable": false, "engine": "heuristic", "metadata": { "owaspCategory": "A02:2021 - Cryptographic Failures", "cweId": "CWE-798", "cweDescription": "Use of Hard-coded Credentials", "description": "Hardcoding secrets in source code is a critical security vulnerability. Secrets can be exposed through version control history, code sharing, or unauthorized access. This rule detects various patterns of hardcoded credentials including API keys, passwords, tokens, private keys, and connection strings. Detection is heuristic (pattern-based): expect some false positives (placeholder or example values) and some misses (secrets that are encoded, split across strings, or assembled at runtime), so a clean report is not proof that no secrets are present.", "impact": "Critical - Credential exposure, unauthorized access, data breaches, compliance violations (SOC2, ISO27001, PCI-DSS)", "likelihood": "High", "remediation": "Use environment variables (process.env), secret management systems (AWS Secrets Manager, HashiCorp Vault, Azure Key Vault, GCP Secret Manager), or configuration management tools. Never commit secrets to version control; keep .env files out of the repository via .gitignore. Consider using git-secrets or similar pre-commit scanners to block accidental commits. If a flagged secret has already been committed or pushed, treat it as compromised: revoke or rotate it at the issuing provider first, then remove it from the repository history - deleting it from the current commit does not remove it from git history.", "examples": { "bad": [ "const API_KEY = 'AIzaSyD-1234567890abcdef';", "const password = 'MySecretPassword123!';", "const connectionString = 'mongodb://admin:password@localhost:27017';", "const token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...';", "const awsKey = 'AKIAIOSFODNN7EXAMPLE';" ], "good": [ "const API_KEY = process.env.API_KEY;", "const password = config.get('database.password');", "const connectionString = process.env.MONGODB_URI;", "const token = await secretsManager.getSecret('jwt-secret');", "const awsKey = process.env.AWS_ACCESS_KEY_ID;" ] }, "references": [ "https://owasp.org/Top10/A02_2021-Cryptographic_Failures/", "https://cwe.mitre.org/data/definitions/798.html", "https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html" ], "frameworks": [ "Node.js", "Express", "NestJS", "Next.js", "React", "Vue", "Angular" ], "secretTypes": [ "API Keys", "Passwords", "Access Tokens", "Private Keys", "JWT Secrets", "Database Credentials", "OAuth Secrets", "AWS Keys", "GitHub Tokens", "Slack Tokens" ], "detectionPatterns": 50, "testCases": 30 } }