S03 Secrets Written to Files
What this means
SiteShadow flagged sensitive values being written to disk (tokens, private keys, API keys, credentials). This includes "temporary" debug dumps, cached auth tokens, and generated config files.
Why it matters
Secrets on disk are easy to exfiltrate and hard to rotate safely.
- Easy theft: attackers who gain filesystem access (or read backups/log bundles) can grab plaintext.
- Long-lived exposure: "temporary" files often persist, get committed, or get shipped in artifacts.
- Incident amplification: a single leaked secret can unlock production systems (see S01).
Safer examples
1) Avoid writing secrets to disk
Keep secrets in memory and use environment/secret managers for injection.
2) If you must write, encrypt and restrict access
Encrypt at rest with keys from a secret manager/KMS; lock down permissions; set short retention.
3) Treat "debug dumps" as production data
Never dump secrets to logs or files; redact before writing (see SCP07 / CWE-532).
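The flagged pattern beside its safer form, as an added example (not SiteShadow's own code or detection logic): a plaintext debug dump written with default permissions, and the same dump redacted first and created owner-only (0600). The key/value patterns and the app state are constructed for illustration.

```python
import json
import os
import re
import stat
import tempfile

# Constructed heuristics: keys whose values are secrets, and value shapes that look like
# credentials even under an innocent key (bearer tokens, PEM private keys).
SECRET_KEY = re.compile(r"token|secret|passw|api[_-]?key|private[_-]?key|authorization|cookie", re.I)
SECRET_VALUE = re.compile(r"^(Bearer\s+\S+|-----BEGIN [A-Z ]*PRIVATE KEY-----)", re.S)
REDACTED = "[REDACTED]"

def dump_unsafe(path, state):
    """The flagged pattern: plaintext state written with default (often group/world-readable) permissions."""
    with open(path, "w") as f:
        json.dump(state, f)

def redact(obj):
    """Return a copy of obj with secret-looking keys and values replaced before it touches disk."""
    if isinstance(obj, dict):
        return {k: (REDACTED if SECRET_KEY.search(str(k)) else redact(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    if isinstance(obj, str) and SECRET_VALUE.match(obj):
        return REDACTED
    return obj

def dump_safe(path, state):
    """Safer form: redact first, then create the file owner read/write only (0600) from the start."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(redact(state), f, indent=2)

def demo():
    """Write both dumps of a constructed app state to a temp dir and report what each leaks."""
    state = {  # constructed sample state; the token, key id and PEM body are fake
        "user": "alice",
        "session": {"Authorization": "Bearer eyJfake.session.token"},
        "aws_api_key": "AKIAEXAMPLEKEY0000",
        "tls": ["-----BEGIN PRIVATE KEY-----\nFAKEKEY\n-----END PRIVATE KEY-----"],
    }
    d = tempfile.mkdtemp()
    unsafe, safe = os.path.join(d, "unsafe.json"), os.path.join(d, "safe.json")
    dump_unsafe(unsafe, state)
    dump_safe(safe, state)
    contents = {p: open(p).read() for p in (unsafe, safe)}
    return {"unsafe_leaks": "eyJfake" in contents[unsafe],
            "safe_leaks": any(s in contents[safe] for s in ("eyJfake", "AKIAEXAMPLE", "FAKEKEY")),
            "safe_mode": stat.S_IMODE(os.stat(safe).st_mode),
            "safe_contents": contents[safe]}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```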
How SiteShadow detects it (high level)
- Detects file writes that include token/credential-like values.
- Flags secret-like strings persisted to files in app/config/temp paths.
References
- CWE-922: https://cwe.mitre.org/data/definitions/922.html
---