SiteShadow
Back to vulnerability library
Detected byPro-tier static analysisPro

CREDS01 Hard-coded Credentials in Config Files

What this means

SiteShadow found a credential stored directly in a config-like location (examples: .env, config.py, settings.yml, CI variables committed to repo, or "defaults" files).

Why it matters

Safer examples

1) Use environment variables (and keep .env out of git)

# .env (local only, DO NOT COMMIT)
DATABASE_URL=postgres://...
import os

DATABASE_URL = os.environ["DATABASE_URL"]

2) Use a secret manager for production

3) Separate config from secrets

Keep safe defaults in source, inject secrets at deploy time:

# config.yml (safe to commit)
service:
  logLevel: info

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.