CWE-798 Hard-coded Credentials
What this means
SiteShadow flagged credentials embedded directly in source code or committed configuration (API keys, tokens, passwords, private keys, "default admin" credentials).
Why it matters
Hard-coded credentials are easy to extract and abuse.
- Repo exposure is effectively permanent: even after removal, secrets often remain in history and forks.
- Sharing spreads: credentials leak via CI logs, screenshots, chat, and vendor tooling.
- Compromise is fast: many leaked keys are exploited within minutes.
Safer examples
1) Load secrets from environment / secret manager
// Read the key from the environment at runtime and fail fast if it is absent.
const apiKey = process.env.API_KEY;
if (!apiKey) throw new Error("Missing API_KEY");
2) Use short-lived credentials where possible
Prefer scoped, short-lived tokens over long-lived static keys.
3) If a secret was committed: rotate, then remove
Rotation/revocation is the "real fix." Deleting the line is not enough.
How SiteShadow detects it (high level)
- Matches known credential formats and high-risk key names (api_key, secret, password, token).
- Uses heuristics to distinguish real-looking secrets from placeholders/examples.
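The following is an added illustration, not SiteShadow's own scanner or the page's code: a minimal Node.js script that walks through the two detection steps listed above (known credential formats and high-risk key names, then placeholder heuristics) over a few constructed source lines, and reuses the same placeholder check as a runtime guard for "Safer example 1". The regexes, the entropy threshold, the function names (scanSource, isPlaceholder, requireSecret) and every sample value are assumptions made for this example; none of the values are real credentials.

```javascript
// Added example (not SiteShadow's own code). All patterns, thresholds and
// sample lines are constructed for illustration.

// Step 1a: high-risk key names, matched inside identifiers so that
// DB_PASSWORD, apiKey and access_token all hit.
const HIGH_RISK_NAMES = /(api[_-]?key|secret|passw(?:or)?d|token)/i;

// Step 1b: known credential formats. Two publicly documented shapes are enough
// to show the idea; a real tool keeps a much larger table.
const KNOWN_FORMATS = [
  { rule: "aws-access-key-id", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { rule: "private-key-block", re: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
];

// Step 2: placeholder heuristics. Template syntax, angle-bracket prompts and
// well-known dummy words are examples or defaults, not secrets.
const PLACEHOLDER_VALUES =
  /^(changeme|change_me|placeholder|example|xxx+|your[_-][a-z_-]+|<[^>]+>|\$\{[^}]+\}|\{\{[^}]+\}\}|none|null|todo)$/i;

// Shannon entropy in bits per character: generated secrets score high,
// dictionary words and repeated characters score low.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let bits = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

function isPlaceholder(value) {
  if (!value || value.length < 8) return true;      // too short to be a generated secret
  if (PLACEHOLDER_VALUES.test(value)) return true;  // template or dummy value
  if (/^(.)\1*$/.test(value)) return true;          // "xxxxxxxx", "00000000", "********"
  return shannonEntropy(value) < 3.0;               // constructed threshold; "password" is ~2.75 bits
}

// A quoted literal assigned to a name: api_key = "...", API_KEY: '...', password="..."
const ASSIGNMENT = /([A-Za-z_][A-Za-z0-9_.-]*)\s*[:=]\s*["']([^"']*)["']/;

function scanLine(line, lineNo) {
  const findings = [];
  for (const f of KNOWN_FORMATS) {
    if (f.re.test(line)) {
      findings.push({ line: lineNo, rule: f.rule, reason: "matches known credential format" });
    }
  }
  const m = ASSIGNMENT.exec(line);
  if (m && HIGH_RISK_NAMES.test(m[1]) && !isPlaceholder(m[2])) {
    findings.push({ line: lineNo, rule: "high-risk-name", reason: `secret-looking value assigned to ${m[1]}` });
  }
  return findings;
}

function scanSource(text) {
  return text.split("\n").flatMap((line, i) => scanLine(line, i + 1));
}

// Runtime counterpart to "Safer example 1": fail closed on a missing or
// placeholder value, and never echo the value into the error (errors reach logs).
function requireSecret(name, env = process.env) {
  const value = env[name];
  if (value === undefined || isPlaceholder(value)) {
    throw new Error(`Missing or placeholder value for ${name}`);
  }
  return value;
}

// Constructed sample source; none of these values are real credentials.
const SAMPLE = [
  'const apiKey = process.env.API_KEY;',        // line 1: read at runtime, no literal -> clean
  'password = "changeme"',                       // line 2: dummy word -> placeholder
  'DB_PASSWORD: "<your-db-password>"',           // line 3: angle-bracket prompt -> placeholder
  'secret: "${VAULT_SECRET}"',                   // line 4: template syntax -> placeholder
  'aws_access_key_id = "AKIA0123456789ABCDEF"',  // line 5: known format (constructed) -> finding
  'API_KEY = "f3a9c1e7b2d48f60a5c3e9d1"',        // line 6: high-entropy literal, risky name -> finding
  '-----BEGIN RSA PRIVATE KEY-----',             // line 7: private key block -> finding
].join("\n");

console.log(JSON.stringify(scanSource(SAMPLE), null, 2)); // three findings: lines 5, 6 and 7
```

Running the script reports lines 5, 6 and 7 and stays silent on the four placeholder or runtime-loaded lines, which is the trade-off every secret scanner tunes: the name list and formats drive recall, the placeholder and entropy checks keep false positives (and alert fatigue) down. The same isPlaceholder check in requireSecret means a deployment that still carries a template value such as "changeme" refuses to start instead of running with a guessable credential.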
References
- CWE-798: https://cwe.mitre.org/data/definitions/798.html
---