S01 Secret Exposure
What this means
SiteShadow flagged something that looks like a real credential (API key, token, password, private key) in source code, configuration, or logs.
Why it matters
- Fast compromise: leaked tokens are often immediately usable.
- Hard to contain: secrets spread into git history, build logs, crash reports, and chat.
- Blast radius: a single leaked secret can unlock production data, billing, or admin access.
Safer examples
1) Don't hardcode secrets — load them from the environment
Python:
import os
API_KEY = os.environ["API_KEY"]  # raises KeyError at startup if unset, so a missing key fails loudly instead of silently
Node.js:
const apiKey = process.env.API_KEY;
if (!apiKey) throw new Error("Missing API_KEY");
2) Don't log secrets — redact before logging
import logging
import os
logger = logging.getLogger(__name__)
def redact(s: str) -> str:
    return s[:4] + "…" if s else ""  # a short prefix identifies which key is in use without exposing it
logger.info("Using API key prefix=%s", redact(os.environ.get("API_KEY", "")))
3) If a secret leaked, rotate it (don't "just delete the line")
- Rotate/revoke the credential at the provider.
- Remove it from history if it was committed (and assume it's compromised anyway).
- Replace with a secret manager or environment injection.
How SiteShadow detects it (high level)
- Known credential formats (e.g., common token prefixes, private key headers).
- Assignment patterns (e.g., api_key=..., token=...) with "real-looking" values.
- Safety filters to reduce noise (ignores obvious placeholders/tests where possible).
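The three layers above, as an added worked example (this is illustrative code written for this page, not SiteShadow's own rule set, which is not published here): a small Python scanner with a handful of known-format regexes, an assignment-pattern regex whose captured value must pass a "real-looking" check, and noise filters for placeholders, environment lookups, and test paths. The token prefixes, placeholder list, entropy threshold, and test-path heuristic are assumptions chosen for the example; the sample config is constructed and every credential-looking value in it is made up.

```python
import math
import re
from collections import Counter
from typing import List, NamedTuple


class Finding(NamedTuple):
    path: str
    lineno: int
    kind: str   # which rule fired
    value: str  # matched value; redact before logging or displaying it


# Layer 1: known credential formats. Illustrative subset (assumption: AWS access key
# IDs start with "AKIA", classic GitHub PATs with "ghp_"); real scanners carry many more.
KNOWN_FORMATS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private_key_header", re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")),
]

# Layer 2: assignment patterns such as api_key = "...", token: '...', DB_PASSWORD=...
# with a value of at least 8 non-quote, non-space characters.
ASSIGNMENT = re.compile(
    r"""(?i)(api[_-]?key|secret|token|password|passwd)\s*[:=]\s*['"]?([^'"\s,;]{8,})"""
)

# Layer 3: safety filters. Obvious placeholders, values that are really env/config
# lookup expressions rather than secrets, and test/fixture paths.
PLACEHOLDER = re.compile(
    r"(?i)^(?:<.*>|\{\{.*\}\}|your[_-].*|change[_-]?me|example.*|dummy.*|"
    r"placeholder|redacted|xxx+|todo|\*{3,})$"
)
CODE_REFERENCE = re.compile(
    r"(?i)^(?:process\.env\.|os\.environ|os\.getenv|getenv\(|\$\{|\$[A-Z_][A-Z0-9_]*$)"
)
TEST_PATH = re.compile(
    r"(?i)(^|/)(tests?|__tests__|spec|fixtures?|testdata)(/|$)|[_.-](test|spec)\.[a-z]+$"
)


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens score high, words and repeats score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def looks_real(value: str) -> bool:
    """Heuristic (assumed thresholds): not a placeholder, not a lookup, enough randomness."""
    if PLACEHOLDER.match(value) or CODE_REFERENCE.match(value):
        return False
    if len(set(value)) < 5:  # "aaaaaaaa", "12345678"
        return False
    return shannon_entropy(value) >= 3.0


def is_test_path(path: str) -> bool:
    return bool(TEST_PATH.search(path))


def scan_line(line: str, lineno: int = 0, path: str = "<input>") -> List[Finding]:
    findings: List[Finding] = []
    for kind, rx in KNOWN_FORMATS:
        for m in rx.finditer(line):
            findings.append(Finding(path, lineno, kind, m.group(0)))
    for m in ASSIGNMENT.finditer(line):
        key, value = m.group(1).lower(), m.group(2)
        if any(value in f.value or f.value in value for f in findings):
            continue  # already reported under a known format
        if looks_real(value):
            findings.append(Finding(path, lineno, f"assignment:{key}", value))
    return findings


def scan_text(text: str, path: str = "<input>", include_tests: bool = False) -> List[Finding]:
    """Scan one file's text; test/fixture paths are skipped unless include_tests is set."""
    if is_test_path(path) and not include_tests:
        return []
    out: List[Finding] = []
    for i, line in enumerate(text.splitlines(), 1):
        out.extend(scan_line(line, i, path))
    return out


# Constructed sample config; the AKIA/ghp_ values and password are made up, not real credentials.
SAMPLE_CONFIG = """\
AWS_ACCESS_KEY_ID = "AKIAQ7ZX3L9B2M4N8P1K"
API_KEY = "<your-api-key-here>"
token = "changeme"
DB_PASSWORD=p4ssw0rd-9fX2kLm7Qz
secret = "aaaaaaaaaaaa"
api_key = process.env.API_KEY
GITHUB_TOKEN: ghp_Ab9xK2mQp7ZrT4vW1nL8cH5jF3gD6sY0eRuI
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, "config/settings.py"):
        print(f"{f.path}:{f.lineno} {f.kind} value_prefix={f.value[:4]}…")
```

Run as-is it reports four findings from the sample (the AKIA key, the DB password, the ghp_ token, and the private key header) and suppresses the placeholder, the low-entropy string, and the `process.env` lookup; passing a path like `tests/test_settings.py` returns nothing unless `include_tests=True`. The entropy threshold is the knob that trades false positives for misses: a dictionary-word password such as `supersecret1` scores below 3.0 and slips through, which is exactly why known-format rules and placeholder filters sit alongside it rather than replacing it.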
References
- CWE-798: https://cwe.mitre.org/data/definitions/798.html
---