C#-CWE-798

The product contains hard-coded credentials, such as passwords, API keys, or tokens, which may allow an attacker to gain unauthorized access if the source code is exposed.

Required inputs: CSharpAST

This rule detects hard-coded credentials in C# source code. Hard-coded credentials include passwords, API keys, tokens, or other secrets embedded directly as string literals. Examples of vulnerable code:

// Vulnerable: hard-coded password
const string dbPassword = "SuperSecret123";

// Vulnerable: hard-coded API key sent as a request header
var client = new HttpClient();
client.DefaultRequestHeaders.Add("Api-Key", "1234567890abcdef");

Safe alternatives:

// Safe: retrieve password from environment variable
string dbPassword = Environment.GetEnvironmentVariable("DB_PASSWORD");

// Safe: retrieve API key from secret manager or configuration
string apiKey = Configuration["ApiKey"];
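The kind of pattern this rule reports, shown as an added line-based illustration in Python; it is not the rule's own AST-based implementation, and the identifier list and sample source are constructed for the example. The sample embeds the page's vulnerable and safe snippets, and only the string literals assigned to credential-like names are reported, using the rule's message key and text.

```python
import re

# Constructed sample of C# source mixing the page's vulnerable and safe forms.
SAMPLE_CS = """\
const string dbPassword = "SuperSecret123";
var client = new HttpClient();
client.DefaultRequestHeaders.Add("Api-Key", "1234567890abcdef");
string dbPassword2 = Environment.GetEnvironmentVariable("DB_PASSWORD");
string apiKey = Configuration["ApiKey"];
string greeting = "Hello, world";
"""

# Hypothetical list of identifier fragments that suggest a secret; a real
# rule works on the C# AST rather than on identifier spelling alone.
SECRET_NAME = re.compile(r'(password|passwd|pwd|secret|token|api[_-]?key)', re.I)

# A declaration or assignment whose right-hand side is a non-empty string literal.
ASSIGN_LITERAL = re.compile(
    r'^\s*(?:const\s+)?(?:string|var)\s+(?P<name>\w+)\s*=\s*"(?P<value>[^"]+)"\s*;')

# A header-style .Add(key, value) call where both arguments are string literals.
HEADER_LITERAL = re.compile(
    r'\.Add\(\s*"(?P<key>[^"]*)"\s*,\s*"(?P<value>[^"]+)"\s*\)')

MESSAGE_KEY = "hardcoded_credential"
MESSAGE_TEXT = "Hard-coded credential detected."


def find_hardcoded_credentials(source: str):
    """Return (line_number, key, text) for each suspected hard-coded credential.

    Lines whose value comes from an environment variable, configuration or any
    non-literal expression are not reported, matching the page's safe forms.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = ASSIGN_LITERAL.search(line)
        if m and SECRET_NAME.search(m.group("name")):
            findings.append((lineno, MESSAGE_KEY, MESSAGE_TEXT))
            continue
        m = HEADER_LITERAL.search(line)
        if m and SECRET_NAME.search(m.group("key")):
            findings.append((lineno, MESSAGE_KEY, MESSAGE_TEXT))
    return findings


if __name__ == "__main__":
    for lineno, key, text in find_hardcoded_credentials(SAMPLE_CS):
        print(f"line {lineno}: {key}: {text}")
```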

Possible Messages

Key                    Text                              Severity   Disabled
hardcoded_credential   Hard-coded credential detected.   None       False

Options