Skip to content

Sensitive Data: Hardcoded Secret in JavaScript Bundle

Identifier: js_hardcoded_secret

Scanner(s) Support

GraphQL Scanner REST Scanner WebApp Scanner ASM Scanner

Description

Hardcoded secrets in JavaScript bundles expose API keys, tokens, and credentials to anyone who can access the bundle.

How we test: We statically analyze first-party JavaScript bundles to detect hardcoded API keys, authentication tokens, private keys, and other secrets using pattern matching and entropy analysis.

References:

Configuration

Example

Example configuration:

---
security_tests:
  js_hardcoded_secret:
    issues_count_limit: 20
    skip: false

Reference

issues_count_limit

Type : integer

The maximum number of issues to report. Use 0 to report all issues.

skip

Type : boolean

Skip the test if true.