What tools do you use (or suggest use) to identify hard-coded credentials in a code or repo?

Thank you!

  • 2
    My eyes. And a whip made of barbed wire for everyone who hard-codes anything.
  • 1
    We use Snyk at work. Seems to catch all sorts of issues including hard-coded creds, CVEs, etc.

    For my personal/open source stuff, maybe some basic scanning by github actions or just manual perusal of pull requests.
  • 0
    Snyk and SonarQube
  • 0
    Any decent SAST tool can do that; hard-coded passwords are one of the simplest source code vulnerabilities.
    SonarQube, Fortify SAST, Snyk, Checkmarx are popular.
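
A minimal version of the check the SAST and secret-scanning tools named in this thread perform, as an added example that is not taken from any of them: string assignments to secret-sounding names are filtered by a placeholder list and a Shannon-entropy threshold, and a couple of key-prefix rules are matched directly. The sample source, the placeholder list and the exact prefix shapes are constructed assumptions for the example.

```python
import math
import re

# Assignment of a quoted string (6+ chars) to a name; the name is then tested
# against SECRET_NAME so that DB_PASSWORD, apiKey, auth_token etc. all qualify.
ASSIGNMENT = re.compile(r'(\w+)\s*[:=]\s*["\']([^"\']{6,})["\']')
SECRET_NAME = re.compile(r'(?i)pass(word|wd)?|pwd|secret|api[_-]?key|token|auth')
# Constructed prefix rules in the style of vendor key formats (AWS access key id,
# GitHub personal token); the exact shapes are assumptions, not a vendor spec.
KNOWN_PREFIX = re.compile(r'\b(AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36})\b')
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxxxx", "<redacted>"}


def shannon_entropy(value: str) -> float:
    """Bits per character: random-looking secrets score high, words score low."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((c / n) * math.log2(c / n)
                for c in (value.count(ch) for ch in set(value)))


def scan_source(text: str, min_entropy: float = 3.0) -> list:
    """Return (line_no, rule, evidence) for each likely hard-coded credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in KNOWN_PREFIX.finditer(line):
            findings.append((line_no, "known-key-prefix", m.group(1)))
        m = ASSIGNMENT.search(line)
        if not m or not SECRET_NAME.search(m.group(1)):
            continue
        name, value = m.group(1), m.group(2)
        # Placeholders and template/env references are not real secrets: skip them.
        if value.lower() in PLACEHOLDERS or value.startswith(("${", "{{")):
            continue
        if shannon_entropy(value) >= min_entropy:
            findings.append((line_no, "secret-assignment", name))
    return findings


# Constructed sample source file; only lines 2 and 4 should be reported.
SAMPLE = """\
import os
DB_PASSWORD = "Tr0ub4dor&3xample!"
API_KEY = os.environ["API_KEY"]
aws_key = "AKIAIOSFODNN7EXAMPLE"
password = "changeme"
token = "${VAULT_TOKEN}"
"""

if __name__ == "__main__":
    for line_no, rule, evidence in scan_source(SAMPLE):
        print(f"line {line_no}: {rule} ({evidence})")
```

The value read from `os.environ` on line 3 is deliberately not flagged; that is the pattern a scanner should push developers toward.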