Secrets should never be checked into source code. Ideally, they should be injected into the runtime environment and read from there.
Leaking an Adafruit API key in source code can cause severe security issues as it can give unauthorized access to Adafruit IO resources, which can result in a data breach and financial loss due to unauthorized utilization of Adafruit IO resources.
If an API key has been leaked, it is recommended to regenerate it to mitigate the vulnerability.
Hardcoding Alibaba credentials such as access key IDs and secret keys in source code can lead to unauthorized access to Alibaba Cloud resources. This can result in critical security breaches and financial losses. It is recommended to use environment variables to store such credentials instead of hardcoding them in the source code. This ensures that the credentials are kept separate from the codebase and can be updated without modifying the source code.
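The environment-variable approach recommended above, as an added example (not code from the original page): it reads the access key pair at runtime, fails closed when either value is absent, and keeps the secret out of `repr()` output so it does not reach logs. The variable names, class and function names are assumptions made for this example.

```python
import os
from dataclasses import dataclass, field

# Assumed variable names for this example; use whatever your deployment injects.
KEY_ID_VAR = "ALIBABA_CLOUD_ACCESS_KEY_ID"
KEY_SECRET_VAR = "ALIBABA_CLOUD_ACCESS_KEY_SECRET"


class MissingCredentialError(RuntimeError):
    """Raised when a required credential is absent from the environment."""


@dataclass(frozen=True)
class CloudCredentials:
    access_key_id: str
    # repr=False keeps the secret out of logs, tracebacks and debug output.
    access_key_secret: str = field(repr=False)


def load_credentials(env=None):
    """Read credentials injected at runtime; fail closed if any is missing."""
    env = os.environ if env is None else env
    values, missing = {}, []
    for name in (KEY_ID_VAR, KEY_SECRET_VAR):
        value = env.get(name, "").strip()
        if value:
            values[name] = value
        else:
            missing.append(name)
    if missing:
        # Report which variables are missing, never the values themselves.
        raise MissingCredentialError(
            "missing environment variables: " + ", ".join(missing)
        )
    return CloudCredentials(values[KEY_ID_VAR], values[KEY_SECRET_VAR])


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample = {KEY_ID_VAR: "EXAMPLE-KEY-ID", KEY_SECRET_VAR: "example-secret-value"}
    print(load_credentials(sample))
```

Rotating a leaked key then only requires updating the injected value and restarting the process; no commit touches the secret.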
Hardcoding Asana credentials in the source code can expose them to potential attackers and can lead to unauthorized access to Asana resources. This can cause security breaches and lead to financial loss and damage to the reputation of the organization.
If Asana credentials have been leaked, it is recommended to revoke them immediately. Additionally, the impacted users should be notified to take necessary actions to secure their accounts.
A hardcoded Clojars API token can allow an attacker to publish malicious packages to the repository. If the API token has been leaked, it is recommended to reset the token from the Clojars dashboard.
Using a hardcoded Databricks API token in source code can lead to severe security issues as it can provide unauthorized access to Databricks resources, which can lead to a data breach and financial loss due to unauthorized utilization of Databricks resources. Leakage of the API token can also lead to unauthorized access to other resources that are connected to Databricks. If an API token has been leaked, you should revoke it immediately.
Leaking Dropbox credentials in source code can lead to unauthorized access to Dropbox resources, exposing sensitive data and potentially leading to data breaches and financial loss.
Leaking an AWS access token in source code can cause severe security issues as it can give unauthorized access to AWS resources, which can result in a data breach and financial loss due to unauthorized utilization of AWS resources.
If an access token has been leaked, you can rotate your access tokens to mitigate the vulnerability.
Leaking a Google Cloud Platform (GCP) API key in the source code can lead to unauthorized access to GCP services, which can result in financial loss and data breaches. Attackers can use this key to perform various malicious activities, such as accessing sensitive data, modifying cloud resources, and running unauthorized applications.
If an API key has been leaked, you can rotate your API keys to mitigate the vulnerability.
Leaking a Stripe access token in source code can cause severe security issues as it can give unauthorized access to payment processing and customer data, which can result in financial loss due to fraudulent activities and a breach of customer privacy.
If an access token has been leaked, you can rotate it in the Stripe dashboard.
Leaking a Slack access token in source code can cause severe security issues as it can give unauthorized access to Slack resources, which can result in a data breach and loss of sensitive information. If an access token has been leaked, you can rotate your access tokens to mitigate the vulnerability.
GitHub allows generating many types of tokens, like app tokens, OAuth tokens, Personal Access Tokens (PATs), fine-grained PATs, and refresh tokens. Leaking a GitHub token in source code can cause severe security issues as it can give unauthorized access to GitHub resources, which can result in a data breach and financial loss due to unauthorized utilization of GitHub resources.
GitLab allows generating multiple kinds of tokens like Personal Access Tokens (PATs), Pipeline Trigger Tokens (PTTs), and Runner Registration Tokens (RRTs). Leaking a GitLab token in source code can cause severe security issues as it can give unauthorized access to GitLab resources, which can result in a data breach and financial loss due to unauthorized utilization of GitLab resources. If a token has been leaked, you can revoke the token to mitigate the vulnerability.
Leaking an Atlassian API token in source code can cause severe security issues as it can give unauthorized access to Atlassian resources, which can result in a data breach and financial loss due to unauthorized utilization of Atlassian resources. If an API token has been leaked, you can revoke your API token to mitigate the vulnerability.
Leaking the Adobe client ID and secret in source code can cause severe security issues as it can give unauthorized access to Adobe resources, which can result in a data breach and financial loss due to unauthorized utilization of Adobe resources. If a client ID/secret has been leaked, you can invalidate the client ID/secret pair to mitigate the vulnerability.
Leaking an OpenAI API key in source code can cause severe security issues due to unauthorized access and usage of OpenAI resources. It can also lead to service abuse and exposure of sensitive data. If an API key has been leaked, you can revoke it through your OpenAI account settings to mitigate the vulnerability.
Leaking a Datadog access token in source code can lead to security risks such as unauthorized access to monitoring data, which can result in data breaches and financial loss. If an access token has been leaked, it is recommended to revoke your access tokens to mitigate the vulnerability.
Leaking a DigitalOcean token in source code can cause severe security issues as it can give unauthorized access to DigitalOcean resources and result in a data breach or financial loss. DigitalOcean provides three kinds of tokens: Personal Access Token (PAT), access token, and refresh token. If a token has been leaked, it can be revoked through your DigitalOcean account settings.
Leaking a Fastly API token in source code can cause severe security issues as it can give unauthorized access to Fastly services, which can result in a data breach and financial loss due to unauthorized utilization of Fastly resources.
If an API token has been leaked, you can delete the token to mitigate the vulnerability.
Leaking a Linear API key or client secret in source code can cause severe security issues as it can give unauthorized access to Linear resources, which can result in exposure of sensitive data and intellectual property. Attackers can impersonate legitimate users, access sensitive data, and manipulate the data in the Linear organization. If a key or secret has been leaked, it is recommended to revoke the key/secret and generate a new one. Leaked tokens can also be revoked through the Linear API.