Use of Hard-coded Credentials
API keys, passwords, tokens, or private keys are committed directly into source code where anyone with repo access (or git history) can read them.
GateTest coverage
Caught by: secrets, secretRotation
Example
const STRIPE_KEY = 'sk_live_51A2B...'; — committed to git, leaked the moment the repo is public or a contractor leaves.
How to fix it
Read secrets from the environment instead of from source. For local development, load them from a gitignored .env file; in production, inject them from a secrets manager (1Password Connect, HashiCorp Vault, AWS Secrets Manager), and fail closed if a required variable is missing rather than falling back to a default. Treat any key that was ever committed as compromised and rotate it: deleting it in a later commit, or even rewriting history, does not recall the clones, forks and CI caches that already hold the old revision. The secrets module flags fresh leaks; secretRotation flags stale credentials that should already have been rotated.
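The following is an added example for this page, not GateTest's own code or its rule set. It puts the hard-coded pattern from the Example section beside a fail-closed environment loader, then runs a small pattern scanner over every historical version of a file to show why the fix above says to rotate anything that was ever committed: the current revision can be clean while an older commit still carries the key. The file name billing.js, the key prefixes in SECRET_RULES, the sample history and the placeholder key are all constructed for the illustration.

```javascript
// Added example (not GateTest's code). Demonstrates: the hard-coded pattern
// vs. a fail-closed environment loader, a minimal secrets scanner, and a
// history scan that decides whether a key must be rotated.

// BEFORE: the literal sits in source and in every clone's git history.
//   const STRIPE_KEY = 'sk_live_...';
// AFTER: resolve from the environment, populated by a gitignored .env locally
// or by a vault integration in production.
function loadSecret(name, env = process.env) {
  const value = env[name];
  if (typeof value !== 'string' || value.length === 0) {
    // Fail closed: never fall back to a default or an empty string.
    throw new Error(`required secret ${name} is not set`);
  }
  return value;
}

// Constructed detection rules (illustrative provider prefixes, not GateTest's rules).
const SECRET_RULES = [
  { rule: 'stripe_live_secret', re: /sk_live_[A-Za-z0-9]{8,}/ },
  { rule: 'aws_access_key_id', re: /AKIA[0-9A-Z]{16}/ },
  { rule: 'github_pat', re: /ghp_[A-Za-z0-9]{36}/ },
  { rule: 'private_key_block', re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
];

// Keep only a short prefix so the scan report does not itself leak the value.
function redact(match) {
  return match.length <= 8 ? match : `${match.slice(0, 8)}...[redacted]`;
}

// Scan one file's text; returns findings with 1-based line numbers.
function scanForSecrets(source, file = '<memory>') {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const { rule, re } of SECRET_RULES) {
      const m = line.match(re);
      if (m) findings.push({ file, line: idx + 1, rule, value: redact(m[0]) });
    }
  });
  return findings;
}

// Scan every historical version of a file, not just the current one.
// `history` is a list of { commit, content }; each finding carries the commit,
// so the report can say "this key was committed once" even when HEAD is clean.
function scanHistory(file, history) {
  return history.flatMap(({ commit, content }) =>
    scanForSecrets(content, file).map((f) => ({ ...f, commit }))
  );
}

// Rotation decision: a key that appears anywhere in history is compromised.
function needsRotation(file, history) {
  return scanHistory(file, history).length > 0;
}

// Constructed sample history for a hypothetical billing.js, newest first.
// The key is a fake placeholder, not a real credential.
const SAMPLE_HISTORY = [
  { commit: 'c3-head', content: "import Stripe from 'stripe';\nconst stripe = new Stripe(loadSecret('STRIPE_KEY'));\n" },
  { commit: 'c2', content: "import Stripe from 'stripe';\nconst STRIPE_KEY = 'sk_live_EXAMPLEONLY0000000000';\nconst stripe = new Stripe(STRIPE_KEY);\n" },
  { commit: 'c1', content: "import Stripe from 'stripe';\n" },
];

console.log('HEAD findings:', scanForSecrets(SAMPLE_HISTORY[0].content, 'billing.js'));
console.log('history findings:', scanHistory('billing.js', SAMPLE_HISTORY));
console.log('rotate STRIPE_KEY:', needsRotation('billing.js', SAMPLE_HISTORY));
```

Scanning HEAD alone reports nothing, which is exactly the false sense of safety the fix warns about; the history scan still finds the key in commit c2, so needsRotation returns true. Pointing the scanner at the working tree in a pre-commit hook catches fresh leaks before they reach history at all.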
Scan your repo for CWE-798
Free preview of findings. Pay per scan — no subscription. AI auto-fix PR included on the Scan + Fix tier.
Frequently asked questions
What is CWE-798 (Use of Hard-coded Credentials)?
API keys, passwords, tokens, or private keys are committed directly into source code where anyone with repo access (or git history) can read them.
How do I fix use of hard-coded credentials?
Read secrets from the environment instead of from source. For local development, load them from a gitignored .env file; in production, inject them from a secrets manager (1Password Connect, HashiCorp Vault, AWS Secrets Manager), and fail closed if a required variable is missing. Treat any key that was ever committed as compromised and rotate it: deleting it in a later commit, or rewriting history, does not recall the clones and forks that already hold the old revision. The secrets module flags fresh leaks; secretRotation flags stale credentials that should already have been rotated.
Does GateTest detect use of hard-coded credentials?
Yes — GateTest's secrets and secretRotation modules catch this class. Findings appear in the standard scan output with file and line numbers. On the Scan + Fix and Forensic Scan tiers, Claude opens a pull request with the fix.
What rank is Use of Hard-coded Credentials in the CWE Top 25?
Use of Hard-coded Credentials is ranked #18 in the MITRE 2023 CWE Top 25 Most Dangerous Software Weaknesses list. The ranking reflects both prevalence (how often it appears in real CVEs) and severity (the typical impact when it's exploited).