Secrets
Database passwords should not be disclosed
// Noncompliant: the connection string carries the database password as a source literal,
// so anyone who can read the file or its history holds a production credential.
// Read the password at runtime from configuration or a secrets store, and rotate a
// value that has already been committed — deleting the line does not remove it from history.
public static string ConnectionString = "server=database-server;uid=user;pwd=P@ssw0rd;database=ProductionData"; // Noncompliant
Google Cloud service accounts keys should not be disclosed
{
"type": "service_account",
"project_id": "example-project",
"private_key_id": "2772b8e6f42dc67369b98f0b91694f7805b28844",
"private_key": "-----BEGIN PRIVATE KEY-----\nKBww9jggAgBEHBCBAASIMDsoCBAuAQINAgFAGSXQTkiAE0cEIkoQghJAqGavB/r3\n2W6raHa1Qrfj6pii5U2Ok53SxCyK3TxYc3Bfxq8orZeYC9LQ/I3tz7w4/BnT71AD\nfP1i8SWHsRMIicSuVFcRoYMA+A1eNSmdrujdBNWgedfuSyHbPnNY7s8BBUIoBN7I\n8gJG5DUUKAZfZDB2c/n7Yu0=\n-----END PRIVATE KEY-----\n",
"client_email": "example@example.iam.gserviceaccount.example.com",
"client_id": "492539091821492546176",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/example%40example.iam.gserviceaccount.example.com",
"universe_domain": "googleapis.com"
}
PostgreSQL database passwords should not be disclosed
# Noncompliant: the PostgreSQL password is embedded in the connection URI literal.
# Build the URI from a value supplied at runtime (environment or secrets manager)
# and rotate a password that has ever been committed.
uri = "postgres://foouser:foopass@example.com/testdb"  # Noncompliant
Shippo tokens should not be disclosed
// Noncompliant: a live Shippo API key is passed as a string literal, so it ships with the
// source and every copy of the binary. Load it at runtime from configuration or a secrets
// store instead, and rotate a key that has already been committed.
Shippo.setApiKey('shippo_live_258d9b4c41a8cb88ca7fb4b12c65083f658435ac'); // Noncompliant
// The address payload below is ordinary request data; only the key above is sensitive.
HashMap<String, Object> addressMap = new HashMap<String, Object>();
addressMap.put("name", "Mr. Hippo");
addressMap.put("company", "Shippo");
addressMap.put("street1", "215 Clayton St.");
addressMap.put("city", "San Francisco");
addressMap.put("state", "CA");
addressMap.put("zip", "94117");
addressMap.put("country", "US");
addressMap.put("phone", "+1 555 341 9393");
addressMap.put("email", "support@goshipppo.com");
Address createAddress = Address.create(addressMap);
OpenWeather API keys should not be disclosed
# Noncompliant: the API key is a literal inside the request URL. Besides living in source
# control, a key carried as a query parameter also tends to end up in proxy and server logs.
# Read it at runtime from the environment or a secrets manager and rotate the exposed value.
url = "http://api.openweathermap.org/data/2.5/weather?units=imperial&appid=ae73acab47d0fc4b71b634d943b00518&q="  # Noncompliant
Grafana tokens should not be disclosed
import requests
# Noncompliant: the Grafana service-account token is a source literal and therefore
# present in version control history and any artefact built from it.
# Supply it at runtime (environment variable or secrets manager) and rotate the committed value.
token = 'glsa_geygSnIfuK5vBG0KgaflRCQfIb8mzaM7_b0999d91' # Noncompliant
# The token is sent as a bearer credential; whoever holds it acts with its permissions.
response = requests.get('https://grafana.example.org/api/dashboards/home', headers={
'Authorization': f'Bearer {token}',
'Content-Type': 'application/json'
})
Django secret keys should not be disclosed
# Noncompliant: SECRET_KEY is hard-coded in settings. Django signs values with this key,
# so anyone holding it can forge what the application trusts as signed.
# Load it at runtime from the environment or a secrets manager and rotate a committed key.
SECRET_KEY = 'r&lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos3_9^'  # Noncompliant
SSH private keys should not be disclosed
// Noncompliant: an SSH private key is embedded as a text block. A private key in source
// is effectively public to everyone with repository access, now and in history.
// Keep private keys outside the code base (key file with restricted permissions, or an
// agent/secrets store) and treat a committed key as compromised: generate a new pair.
String key = """
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACDktj2RM1D2wRTQ0H+YZsFqnAuZrqBNEB4PpJ5xm73nWwAAAJgJVPFECVTx
RAAAAAtzc2gtZWQyNTUxOQAAACDktj2RM1D2wRTQ0H+YZsFqnAuZrqBNEB4PpJ5xm73nWw
AAAECQ8Nzp6a1ZJgS3SWh2pMxe90W9tZVDZ+MZT35GjCJK2uS2PZEzUPbBFNDQf5hmwWqc
C5muoE0QHg+knnGbvedbAAAAFGdhZXRhbmZlcnJ5QFBDLUwwMDc3AQ==
-----END OPENSSH PRIVATE KEY-----""";
PyPI tokens should not be disclosed
# Noncompliant: a PyPI API token is stored in clear text in this config file.
# If the file is committed or shared, the token is disclosed; revoke and reissue it,
# and prefer supplying the token at publish time from a secrets store.
[pypi]
username = __token__
password = pypi-YBf3ZAIKOMPwNZ1VaQ0RAtjww5lI1az1CMLEOWgDQN56EPADfzRmgsENVcmIUh2mSBwYlTtyNKGmVlLm2MZD2aJOTWmD2EO5PMyWjvUY3Ii2CjsidALCNCNmvX8N8gcijBliFN2ciBCLgQdi2YYfGjA1kz19z1UBKg
HashiCorp tokens should not be disclosed
import hvac
# Noncompliant: the Vault token is a source literal. This is doubly counter-productive:
# the token that unlocks the secrets store is itself leaked through version control.
# Obtain it at runtime (environment, agent, or an auth method) and revoke the committed token.
client = hvac.Client(url='https://vault.example.com', token='hvb.AAAAAQJyBEVF-vTWUrg0hcoIPuvKjjNxXXZ5MfsYVg2gJ0fGZpVi0IGTFfh4TqsoQIWaocNRXD1qzGXvhIHWJBM_rWU9YJY8sXOYVy_s1JAHasXJwGmZ_fBLJfSG6aCwQkCGwtAhYw') # Noncompliant
# Reading secrets from Vault at runtime is the intended pattern; only the token above is the problem.
secret = client.secrets.kv.v2.read_secret_version(path='secret/myapp')
data = secret['data']
username = data.get('username')
password = data.get('password')
DigitalOcean tokens should not be disclosed
require 'droplet_kit'
# Noncompliant: the DigitalOcean access token is a source literal and is disclosed to
# everyone with access to the repository or its history.
# Read it at runtime from the environment or a secrets manager and rotate the committed token.
token = 'dop_v1_1adc4095c3c676ff1c31789a1a86480195a5b3d955010c94fcfa554b34640e1e' # Noncompliant
client = DropletKit::Client.new(access_token: token)
MongoDB database passwords should not be disclosed
# Noncompliant: the MongoDB password is embedded in the connection URI literal.
# Build the URI from a value supplied at runtime (environment or secrets manager)
# and rotate a password that has ever been committed.
uri = "mongodb://foouser:foopass@example.com/testdb"  # Noncompliant
WakaTime tokens should not be disclosed
from rauth import OAuth2Service
# Noncompliant: the OAuth client secret is a source literal. The client_id is an
# identifier and may be public; the client_secret is the credential that must not be.
# Load the secret at runtime (environment or secrets manager) and rotate the committed value.
service = OAuth2Service(
client_id='d130uKF73fueZSCM9tUodIFN',
client_secret='waka_sec_ez0kI3tQlYVvYSJOAjoI5n3PpyG69HQl91TZKFjSdb0X0XXgY7dahXiPpAhYL2kNxqDBzHuHNuzCPr5d', # Noncompliant
name='wakatime',
authorize_url='https://wakatime.com/oauth/authorize',
access_token_url='https://wakatime.com/oauth/token',
base_url='https://wakatime.com/api/v1/')
Azure Storage Account Keys should not be disclosed
using Azure.Storage.Blobs;
using Azure.Storage;
// Example of a hard-coded Azure Storage account key used to build a shared-key credential.
class Example
{
static void Main(string[] args)
{
string account = "accountname";
// Noncompliant: the account key is a source literal. A storage account key grants full
// access to the account, so its disclosure exposes every container in it.
// Read the key at runtime from configuration or a secrets store, and regenerate a key
// that has already been committed.
string accountKey = "4dVw+l0W8My+FwuZ08dWXn+gHxcmBtS7esLAQSrm6/Om3jeyUKKGMkfAh38kWZlItThQYsg31v23A0w/uVP4pg=="; // Noncompliant
StorageSharedKeyCredential sharedKeyCredential = new StorageSharedKeyCredential(account, accountKey);
BlobServiceClient blobServiceClient = new BlobServiceClient(
new Uri($"https://{account}.blob.core.windows.net"),
sharedKeyCredential);
}
}
Cryptographic private keys should not be disclosed
# Noncompliant: an EC private key is assembled from string literals in source.
# A private key in the code base is disclosed to everyone with repository access and
# remains in history after removal; load keys from a protected file or secrets store
# and generate a new key pair for one that has been committed.
private_key = "-----BEGIN EC PRIVATE KEY-----" \
"MF8CAQEEGEfVxjrMPigNhGP6DqH6DPeUZPbaoaCCXaAKBggqhkjOPQMBAaE0AzIA" \
"BCIxho34upZyXDi/AUy/TBisGeh4yKJN7pit9Z+nKs4QajVy97X8W9JdySlbWeRt" \
"2w==" \
"-----END EC PRIVATE KEY-----"
Figma tokens should not be disclosed
import requests
# Noncompliant: the Figma personal access token is a source literal and therefore
# present in version control history and any artefact built from it.
# Supply it at runtime (environment variable or secrets manager) and rotate the committed value.
token = 'figd_OLDXZWOP4fxW4c9ER0xzxRda96M-f0eFwZpFQjHJ' # Noncompliant
response = requests.get('https://api.figma.com/v1/me', headers={
'X-FIGMA-TOKEN': token,
'Content-Type': 'application/json'
})
Yandex tokens should not be disclosed
import { Session, cloudApi, serviceClients } from '@yandex-cloud/nodejs-sdk';
const { resourcemanager: { cloud_service: { ListCloudsRequest } } } = cloudApi;
// Noncompliant: the IAM token is a source literal, so it is disclosed to everyone with
// repository access and survives in history after removal.
// Obtain it at runtime (environment variable or secrets manager) and revoke the committed token.
const session = new Session({ iamToken: 't1.7euelSbPyceKx87JqpuRl1qZiY-Ryi3rnpWaksrKaZqUppnLncmDnpeajZvl8_dZNAFl-e8ENXMH_t3z9xljfmT57wQ1cwf-.-LErty1vRh4S__VEp-aDnM5huB5MEfm_Iu1u2IzNgyrn0emiWDYA6rSQXDvzjE0O3HBbUlqoDeCmXYYInzZ6Cg' }); // Noncompliant
const cloudService = session.client(serviceClients.CloudServiceClient);
const response = await cloudService.list(ListCloudsRequest.fromPartial({
pageSize: 100,
}));
Clarifai API keys should not be disclosed
from clarifai_grpc.grpc.api.status import status_code_pb2
# Noncompliant: the Clarifai API key is a literal inside the gRPC authorization metadata.
# Read it at runtime from the environment or a secrets manager and rotate the committed key.
metadata = (('authorization','Key d819f799b90bc8dbaffd83661782dbb7'),)  # Noncompliant
Postman tokens should not be disclosed
const axios = require('axios');
// Noncompliant: the Postman API key is a source literal and is disclosed to everyone
// with repository access; it also remains in history after removal.
// Read it at runtime (environment variable or secrets manager) and regenerate the committed key.
const apiKey = 'PMAK-6502e63761882f002a69f0cb-6d9bc58cd0cc60ff5547f81cf2ca141bb9'; // Noncompliant
const options = {
method: 'get',
url: 'https://api.getpostman.com/me',
headers: {
'Content-Type': 'application/json',
'X-API-Key': apiKey
}
};
(async() => { await axios(options); })();
MySQL database passwords should not be disclosed
# Noncompliant: the MySQL password is embedded in the connection URI literal.
# Build the URI from a value supplied at runtime (environment or secrets manager)
# and rotate a password that has ever been committed.
uri = "mysql://foouser:foopass@example.com/testdb"  # Noncompliant
Shopify tokens should not be disclosed
import requests
# Noncompliant: the Shopify admin access token is a source literal and therefore
# present in version control history and any artefact built from it.
# Supply it at runtime (environment variable or secrets manager) and rotate the committed value.
token = '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' # Noncompliant
response = requests.get('https://test-shop.myshopify.com/admin/api/2021-07/shop.json', headers={
'X-Shopify-Access-Token': token,
'Content-Type': 'application/json'
})
Typeform tokens should not be disclosed
import requests
# Noncompliant: the Typeform personal token is a source literal and therefore
# present in version control history and any artefact built from it.
# Supply it at runtime (environment variable or secrets manager) and rotate the committed value.
token = 'tfp_DEueEgDipkmx52r7rgU5EC7VC5K2MzzsR61ELEkqmh3Y_3mJqwKJ2vtfX5N' # Noncompliant
# Sent as a bearer credential; whoever holds it acts with its permissions.
response = requests.get('https://api.typeform.com/forms', headers={
'Authorization': f'Bearer {token}',
'Content-Type': 'application/json'
})
NPM access tokens should not be disclosed
# Noncompliant: an npm access token is written literally into the workflow file, so it is
# disclosed with the repository and its history. Store it in the CI system's secrets store
# and reference it from there; revoke and reissue a token that has been committed.
steps:
- run: |
npm install
- env:
NPM_TOKEN: npm_tCEMceczuiTXKQaBjGIaAezYQ63PqI972ANG
Docker Hub tokens should not be disclosed
# Noncompliant: a Docker Hub personal access token is passed literally as the login
# password, so it is disclosed with the repository and its history. Store it in the CI
# system's secrets store and reference it from there; revoke a token that has been committed.
steps:
- name: Login to DockerHub
uses: docker/login-action@v2
with:
username: mobythewhale
password: dckr_pat_cq7wQZcv9xZkVlxMhDTcTV00CDo