go.hardcoded_secrets

Security | Critical | Common in Incidents

Detects hardcoded API keys, passwords, and other secrets in source code.

Hardcoded secrets are a severe security risk:

  • Version control exposure — Secrets committed to git are visible to everyone with access
  • Cannot rotate — Changing a secret requires code changes and deployment
  • Audit impossible — No way to track secret access
  • Breach amplification — One compromised repo exposes all services

Secrets in code get leaked through backups, logs, error messages, and repository access.

```go
// ❌ Before
const (
	APIKey      = "sk_live_abc123xyz"
	Password    = "supersecret"
	DatabaseURL = "postgres://user:pass@host/db"
)

client := stripe.NewClient("sk_live_abc123xyz")
```

```go
// ✅ After
import "os"

var (
	APIKey      = os.Getenv("STRIPE_API_KEY")
	Password    = os.Getenv("DB_PASSWORD")
	DatabaseURL = os.Getenv("DATABASE_URL")
)

client := stripe.NewClient(os.Getenv("STRIPE_API_KEY"))
```
The rule flags:

  • Variables named password, secret, key, token, etc.
  • Strings matching API key patterns (AWS, Stripe, GitHub, etc.)
  • Database connection strings with embedded credentials
  • JWT secrets and signing keys

Unfault can replace hardcoded values with os.Getenv() calls when the pattern is recognized.

```go
// Use environment variables; fail fast at startup if one is missing
import (
	"log"
	"os"
)

apiKey := os.Getenv("API_KEY")
if apiKey == "" {
	log.Fatal("API_KEY environment variable required")
}
```

```go
// Or use a secrets manager (aws-sdk-go v1 shown)
import (
	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/secretsmanager"
)

sm := secretsmanager.New(session.Must(session.NewSession()))
secret, err := sm.GetSecretValue(&secretsmanager.GetSecretValueInput{
	SecretId: aws.String("my-secret"),
})
if err != nil {
	log.Fatal(err)
}
// secret.SecretString holds the value
```

```go
// Configuration libraries
import "github.com/spf13/viper"

viper.SetEnvPrefix("MYAPP") // GetString("API_KEY") reads MYAPP_API_KEY
viper.AutomaticEnv()
apiKey := viper.GetString("API_KEY")
```
| Pattern | Example |
|---|---|
| AWS Access Key | `AKIA...` |
| AWS Secret Key | 40-char base64 |
| Stripe Key | `sk_live_...`, `pk_live_...` |
| GitHub Token | `ghp_...`, `github_pat_...` |
| JWT Secret | Long random strings |
| Database URL | `postgres://user:pass@...` |
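The two detection criteria described above (secret-looking identifier names and value formats from the pattern table), as an added example that is not Unfault's own code: a line-based scanner over Go source that reports which rule fired and on which line, and leaves an `os.Getenv` call alone because it is not a literal. The regexes, rule names, `Finding` type and `SampleSource` are constructed for this illustration and are not the page's or the tool's identifiers.

```go
package main

import (
	"regexp"
	"strings"
)

// Finding is one suspected hardcoded secret: target identifier, 1-based line, matched rule.
type Finding struct{ Name string; Line int; Rule string }
// assignment matches `Name = "literal"`, `var Name = "literal"` or `name := "literal"`.
var assignment = regexp.MustCompile(`^\s*(?:(?:var|const)\s+)?(\w+)\s*:?=\s*"([^"\\]*)"`)
// Value-format rules from the pattern table above (the bare "40-char base64" rule is too noisy alone).
var valueRules = []struct{ name string; re *regexp.Regexp }{
	{"aws-access-key", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"stripe-key", regexp.MustCompile(`\b[sp]k_live_[0-9A-Za-z]+`)},
	{"github-token", regexp.MustCompile(`\b(ghp_[0-9A-Za-z]{36}|github_pat_\w{22,})`)},
	{"database-url", regexp.MustCompile(`^[a-z][a-z0-9+.-]*://[^/\s:]+:[^@\s]+@`)},
}
// Name hint (the identifier list above), used only when the value matches no known format.
var secretName = regexp.MustCompile(`(?i)(password|passwd|secret|key|token)`)

// ScanSource flags string literals that match a key format or are assigned to a
// secret-looking name. os.Getenv("X") is a call, not a literal, so it never matches.
func ScanSource(src string) []Finding {
	var out []Finding
	for i, line := range strings.Split(src, "\n") {
		m := assignment.FindStringSubmatch(line)
		if m == nil || m[2] == "" {
			continue
		}
		name, value := m[1], m[2]
		for _, r := range valueRules {
			if r.re.MatchString(value) {
				out = append(out, Finding{name, i + 1, r.name})
				value = "" // one finding per line; also skips the name fallback
			}
		}
		if value != "" && secretName.MatchString(name) {
			out = append(out, Finding{name, i + 1, "secret-named-variable"})
		}
	}
	return out
}

// SampleSource is constructed input: the "before" snippet above plus an os.Getenv line.
const SampleSource = `	APIKey      = "sk_live_abc123xyz"
	Password    = "supersecret"
	DatabaseURL = "postgres://user:pass@host/db"
	awsKey := "AKIAIOSFODNN7EXAMPLE"
	fromEnv := os.Getenv("STRIPE_API_KEY")`
```

Running `ScanSource(SampleSource)` yields four findings, one per hardcoded line, and nothing for the `os.Getenv` line; a real rule would additionally need entropy checks and suppression for test fixtures.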