What Are Hardcoded Secrets
Hardcoded secrets are sensitive credentials embedded directly in source code, configuration files, or environment files that get committed to version control. These include API keys, database connection strings, private keys, OAuth tokens, webhook secrets, and cloud provider credentials.
Once a secret is committed to a Git repository, it exists in the commit history permanently—even if removed in a subsequent commit. If the repository is public, or if an attacker gains access to the codebase, every hardcoded credential is immediately compromised. Secrets in Git history require a full history rewrite (git filter-branch or BFG Repo Cleaner) to remove, and a rewrite only cleans the copy you control: existing clones, forks, and anything that already scraped the value still hold it, so a committed secret must be rotated regardless of whether the history is cleaned.
Common examples of hardcoded secrets include:
- AWS access keys and secret keys (AKIA...)
- Stripe API keys (sk_live_..., rk_live_...)
- GitHub personal access tokens (ghp_..., gho_...)
- Database connection strings with embedded passwords
- RSA/ECDSA private keys in PEM format
- GCP service account JSON key files
Why Secrets End Up in Code
Despite widespread awareness, secrets continue to appear in codebases for predictable reasons:
Development Shortcuts
Developers hardcode credentials during local development for convenience—a quick API key in a config file to test an integration. The intention is always to replace it with an environment variable later, but the hardcoded value gets committed before the cleanup happens.
Copy-Paste from Documentation
Cloud provider documentation and tutorials often show inline credentials as examples. Developers copy these patterns and substitute real keys without switching to environment variable references.
Environment File Mistakes
.env files are meant to hold secrets locally, but forgetting to add .env to .gitignore—or committing .env.example with real values—exposes credentials. This is one of the most common secret leak vectors.
Configuration Files and Infrastructure as Code
Terraform files, Docker Compose configs, Kubernetes manifests, and CI/CD pipeline definitions frequently contain hardcoded database passwords, registry credentials, or cloud tokens. These files are treated as "code" and committed alongside application source, but they often receive less security scrutiny.
The Cost of Leaked Credentials
Leaked secrets lead to immediate, measurable damage:
- Uber (2016): Hardcoded AWS credentials in a GitHub repository led to the exposure of 57 million user records. Uber paid $148 million in settlement costs.
- Samsung (2019): Developers committed credentials to public GitLab repositories, exposing internal infrastructure including AWS accounts and source code.
- AWS key exploitation: Automated bots scan GitHub for newly committed AWS keys. Researchers have demonstrated that a committed AWS key is discovered and exploited within minutes, often used to spin up cryptocurrency mining instances that generate thousands of dollars in charges.
Beyond direct financial impact, leaked credentials require emergency rotation of every exposed key, forensic investigation to determine the blast radius, and potential regulatory notification if customer data was accessible through the compromised credentials.
How CodeSlick Detects Secrets (38 Patterns)
CodeSlick scans source code for hardcoded secrets using 38 specialized detection patterns covering the most commonly leaked credential types:
- Cloud providers: AWS access keys, AWS secret keys, GCP API keys, GCP service account tokens, Azure connection strings
- Payment processors: Stripe secret keys, Stripe restricted keys, Stripe webhook secrets
- Version control: GitHub personal access tokens, GitHub OAuth tokens, GitLab tokens
- Cryptographic material: RSA private keys, ECDSA private keys, PGP private key blocks
- Databases: Connection strings with embedded passwords for PostgreSQL, MySQL, MongoDB, and Redis
- Communication: Slack tokens, Twilio API keys, SendGrid API keys
All secret findings are rated High severity. CodeSlick runs these checks in under 3 seconds on every pull request, pre-commit hook, or web scan, catching leaked credentials before they reach your repository.
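As an added illustration of the pattern-based detection described in this section and of the credential formats listed under "What Are Hardcoded Secrets" (example code written for this page, not CodeSlick's scanner or its 38 patterns), the following Python checks a set of staged files the way a pre-commit hook would: it first flags forbidden filenames such as .env (the leak vector described under "Environment File Mistakes"), then matches file contents against a handful of regexes for AWS access keys, Stripe keys, GitHub tokens, PEM private keys, and database URLs with embedded passwords, reporting only a redacted prefix of each hit. The function names, the regexes, their length bounds, and the sample files are all assumptions made for this example; real key formats vary and production scanners tune their patterns to reduce false positives.

```python
"""Added example: a small regex-based secret scanner in the style of a
pre-commit check. Not CodeSlick's code; patterns and sample data are
illustrative and simplified."""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int        # 0 means the finding is about the file itself
    kind: str
    redacted: str    # short prefix only, so a report never re-leaks the secret


# Illustrative patterns (assumed here, not CodeSlick's 38). Prefixes such as
# AKIA, sk_live_, rk_live_, ghp_ and gho_ are the well-known public formats;
# the length bounds are approximations.
PATTERNS: dict[str, re.Pattern[str]] = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\b(sk|rk)_(live|test)_[0-9A-Za-z]{16,}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[0-9A-Za-z]{36}\b"),
    "pem_private_key": re.compile(
        r"-----BEGIN (RSA |EC |OPENSSH |PGP )?PRIVATE KEY( BLOCK)?-----"),
    "db_url_with_password": re.compile(
        r"\b(postgres(ql)?|mysql|mongodb(\+srv)?|redis)://[^\s:/@]+:[^\s@]+@"),
}

# Files that should never be committed, whatever they contain.
FORBIDDEN_BASENAMES = {".env", ".env.local", ".env.production"}


def redact(value: str) -> str:
    """Keep a short prefix so the report identifies the key type, not the key."""
    return value[:6] + "..." if len(value) > 6 else value


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every pattern over every line; findings come back in line order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, lineno, kind, redact(match.group(0))))
    return findings


def scan_staged(files: dict[str, str]) -> list[Finding]:
    """Check filenames first, then contents. `files` maps path -> content, the
    shape a hook would build from `git diff --cached --name-only`."""
    findings: list[Finding] = []
    for path, text in files.items():
        base = path.rsplit("/", 1)[-1]
        if base in FORBIDDEN_BASENAMES:
            findings.append(Finding(path, 0, "env_file_committed", base))
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample "staged files". AKIAIOSFODNN7EXAMPLE is the placeholder
# key AWS uses in its own documentation; the other values are made up.
SAMPLE_FILES = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'DATABASE_URL = "postgres://app:hunter2@db.internal:5432/app"\n'
    ),
    ".env": "STRIPE_KEY=sk_live_" + "a" * 24 + "\n",
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment; never commit it.\n",
    "keys/deploy.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
}


if __name__ == "__main__":
    results = scan_staged(SAMPLE_FILES)
    for f in results:
        where = f"{f.path}:{f.line}" if f.line else f.path
        print(f"{where}: {f.kind} ({f.redacted})")
    # Non-zero exit is what makes a pre-commit hook block the commit.
    sys.exit(1 if results else 0)
```

Run as a script it reports five findings from the constructed sample (the AWS key and the database URL in settings.py, the .env file itself plus the Stripe key inside it, and the PEM header) and exits non-zero; the README line that merely names the AWS_ACCESS_KEY_ID variable is not flagged, which is the distinction a useful scanner has to make. To turn it into a real hook, replace SAMPLE_FILES with the contents of the paths returned by git diff --cached --name-only and keep the non-zero exit so the commit is blocked before the secret reaches the repository.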
Scan your code for hardcoded secrets across 38 patterns including AWS keys, Stripe tokens, and database credentials.