SiteShadow
Back to vulnerability library
Detected byPro-tier static analysisPro

S03 Secrets Written to Files

What this means

SiteShadow flagged sensitive values being written to disk (tokens, private keys, API keys, credentials). This includes "temporary" debug dumps, cached auth tokens, and generated config files.

Why it matters

Secrets on disk are easy to exfiltrate and hard to rotate safely.

Safer examples

1) Avoid writing secrets to disk

Keep secrets in memory and use environment/secret managers for injection.

2) If you must write, encrypt and restrict access

Encrypt at rest with keys from a secret manager/KMS; lock down permissions; set short retention.

3) Treat "debug dumps" as production data

Never dump secrets to logs or files; redact before writing (see SCP07 / CWE-532).

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.