Hardcoded credentials
Severity: Critical

Hardcoded credentials can be intercepted by malicious actors. Even after they are removed from the code they may still pose a risk, because an attacker might already have recorded them for use at a later point in time.

Detector ID
kotlin/hardcoded-credentials@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

// Noncompliant: Password is hardcoded
// SSHClient here is assumed to be the sshj client (net.schmizz.sshj.SSHClient).
import net.schmizz.sshj.SSHClient

fun noncompliant() {
    val username = "admin"
    val password = "password123"   // secret literal committed to source control
    val ssh = SSHClient()
    ssh.authPassword(username, password)
}

Compliant example

// Compliant: Password is retrieved from environment variables.
// SSHClient here is assumed to be the sshj client (net.schmizz.sshj.SSHClient).
import net.schmizz.sshj.SSHClient

fun compliant() {
    // System.getenv returns null when the variable is unset; fail fast instead of
    // passing null on to the client (the message names the variable, not its value).
    val username = System.getenv("SSH_USERNAME") ?: error("SSH_USERNAME is not set")
    val password = System.getenv("SSH_PASSWORD") ?: error("SSH_PASSWORD is not set")
    val ssh = SSHClient()
    ssh.authPassword(username, password)
}
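The following is an added example, not code from the CodeGuru detector page itself. It shows, in Kotlin, the two halves a practitioner usually wants beside this finding: a small heuristic check that flags string literals assigned to credential-like identifiers (run over the noncompliant and compliant snippets above, embedded inline as constructed input), and a `requireEnv` helper that reads a credential from the environment and fails fast without ever echoing the value. The identifier list, regexes, function names and the `SSH_USERNAME` lookup in `main` are assumptions chosen for illustration; the heuristic is deliberately narrow and is not the detector's own logic.

```kotlin
// Added example (not the detector page's code): a heuristic scan for string literals
// assigned to credential-like identifiers, plus a fail-fast environment reader.
// Identifier list, regexes and function names are assumptions for illustration.

// Identifiers that usually hold a secret (assumed list).
private val credentialNames = Regex("(?i)\\b(password|passwd|pwd|secret|api[_-]?key|token)\\b")

// Matches `val name = "literal"` style assignments. Environment lookups and other
// non-literal right-hand sides do not match, so the compliant snippet is not flagged.
private val literalAssignment = Regex(
    "(?i)\\b(val|var|const val)\\s+(\\w+)\\s*(?::\\s*String)?\\s*=\\s*\"([^\"]*)\""
)

data class Finding(val line: Int, val identifier: String, val text: String)

// Returns one finding per line where a credential-like identifier is assigned a string literal.
fun findHardcodedCredentials(source: String): List<Finding> =
    source.lines().mapIndexedNotNull { index, line ->
        val match = literalAssignment.find(line) ?: return@mapIndexedNotNull null
        val identifier = match.groupValues[2]
        if (credentialNames.containsMatchIn(identifier)) Finding(index + 1, identifier, line.trim()) else null
    }

// Reads a required variable from the environment. The error names the variable but never
// echoes its value, so a misconfiguration cannot leak a secret into logs or stack traces.
fun requireEnv(name: String): String {
    val value = System.getenv(name)
    if (value.isNullOrBlank()) throw IllegalStateException("required environment variable $name is not set")
    return value
}

// Constructed input: the noncompliant and compliant snippets from the page, inline.
private val noncompliantSnippet = """
    fun noncompliant() {
        val username = "admin"
        val password = "password123"
        val ssh = SSHClient()
        ssh.authPassword(username, password)
    }
""".trimIndent()

private val compliantSnippet = """
    fun compliant() {
        val username = System.getenv("SSH_USERNAME")
        val password = System.getenv("SSH_PASSWORD")
        val ssh = SSHClient()
        ssh.authPassword(username, password)
    }
""".trimIndent()

fun main() {
    for ((label, snippet) in listOf("noncompliant" to noncompliantSnippet, "compliant" to compliantSnippet)) {
        val findings = findHardcodedCredentials(snippet)
        println("$label: ${findings.size} finding(s)")
        findings.forEach { println("  line ${it.line}: `${it.identifier}` is assigned a string literal -> ${it.text}") }
    }
    // Reading a credential the compliant way; the value itself is never printed.
    val user = runCatching { requireEnv("SSH_USERNAME") }
    println("SSH_USERNAME " + if (user.isSuccess) "present" else "missing (" + user.exceptionOrNull()?.message + ")")
}
```

Compile and run with `kotlinc Scan.kt -include-runtime -d scan.jar && java -jar scan.jar`. The noncompliant snippet produces one finding (the `password` line; `username` is intentionally not in the credential list), the compliant snippet produces none, and `requireEnv` reports only whether `SSH_USERNAME` is present. A regex check like this is a cheap pre-commit guard, not a replacement for a real secrets scanner; credentials already committed should be treated as compromised and rotated, since removing them from the code does not undo an earlier capture.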