Skip to content

SKILL.md

Latest commit

 

History

History
199 lines (115 loc) · 3.91 KB

SKILL.md

File metadata and controls

199 lines (115 loc) · 3.91 KB
name cwe-798-hardcoded-credentials
description Use this skill when you need to remediate CWE-798 (Hardcoded Credentials) vulnerabilities in Java code. Triggers on SAST findings, security reviews, or when fixing hardcoded credentials issues.
version 1.0.0
license MIT
tags
security
java
cwe-798
remediation
sast

CWE-798 Hardcoded Credentials

Description

Hardcoded Credentials

Reference: https://cwe.mitre.org/data/definitions/798.html

OWASP Category: A07:2021 – Identification and Authentication Failures

Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

// VULNERABLE: Hardcoded API keys and credentials
private static final String API_KEY = "sk-1234567890abcdef";
private static final String AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";

AmazonS3 s3 = AmazonS3ClientBuilder.standard()
    .withCredentials(new AWSStaticCredentialsProvider(
        new BasicAWSCredentials("AKIAIOSFODNN7EXAMPLE", AWS_SECRET)))
    .build();

Why it's vulnerable: This pattern is vulnerable to Hardcoded Credentials

Deterministic Fix

✅ Secure Implementation: Secure Implementation

// SECURE: Use environment variables
String apiKey = System.getenv("API_KEY");
if (apiKey == null || apiKey.isEmpty()) {
    throw new IllegalStateException("API_KEY environment variable not set");
}

// SECURE: Use AWS credential provider chain (auto-discovers credentials)
AmazonS3 s3 = AmazonS3ClientBuilder.standard()
    .withCredentials(new DefaultAWSCredentialsProviderChain())
    .build();

// SECURE: Use Spring's @Value with externalized config
@Value("${api.key}")
private String apiKey;

// SECURE: Use HashiCorp Vault or AWS Secrets Manager
@Autowired
private VaultTemplate vault;

public String getApiKey() {
    VaultResponse response = vault.read("secret/data/myapp");
    return (String) response.getData().get("apiKey");
}

// SECURE: AWS Secrets Manager
public String getSecretFromAWS(String secretName) {
    GetSecretValueRequest request = new GetSecretValueRequest()
        .withSecretId(secretName);
    GetSecretValueResult result = secretsManager.getSecretValue(request);
    return result.getSecretString();
}

Why it's secure: Implements proper protection against Hardcoded Credentials

Detection Pattern

Look for these patterns in your codebase:

# Find hardcoded secrets
grep -rn "API_KEY\\|SECRET\\|PASSWORD\\|AKIA" --include="*.java" | grep -E "=.*\\\""
# Find AWS credentials
grep -rn "BasicAWSCredentials\\|AWSStaticCredentials" --include="*.java"

Remediation Steps

  1. Remove all hardcoded credentials from source code

  2. Use environment variables for local development

  3. Use cloud secret managers (AWS SM, GCP SM, Azure KV)

  4. Use HashiCorp Vault for on-premise deployments

  5. Rotate any credentials that were in source code

Key Imports

import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;

import org.springframework.vault.core.VaultTemplate;

Verification

After remediation:

  • Run SAST scanner to confirm vulnerability is resolved

  • Review all instances of the vulnerable pattern

  • Add unit tests that verify the secure implementation

  • Check for similar patterns in related code

Trigger Examples

Fix CWE-798 vulnerability
Resolve Hardcoded Credentials issue
Secure this Java code against hardcoded credentials
SAST reports CWE-798

Common Vulnerable Locations

Layer Files Patterns

| Controller | *Controller.java | User input handling |

| Service | *Service.java | Business logic |

| Repository | *Repository.java | Data access |

References

Source: Generated by Java CWE Security Skills Generator Last Updated: 2026-03-07