Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarQube for IDE
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarQube Cloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube Server

PHP static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your PHP code

Hard-coded secrets are security-sensitive

responsibility - trustworthy

security

Security Hotspot

Because it is easy to extract strings from an application source code or binary, secrets should not be hard-coded. This is particularly true for applications that are distributed or that are open-source.

In the past, it has led to the following vulnerabilities:

Secrets should be stored outside of the source code in a configuration file or a management service for secrets.

This rule detects variables/fields having a name matching a list of words (secret, token, credential, auth, api[_.-]?key) being assigned a pseudorandom hard-coded value. The pseudorandomness of the hard-coded value is based on its entropy and the probability to be human-readable. The randomness sensibility can be adjusted if needed. Lower values will detect less random values, raising potentially more false positives.

Ask Yourself Whether

The secret allows access to a sensitive component like a database, a file storage, an API, or a service.
The secret is used in a production environment.
Application re-distribution is required before updating the secret.

There would be a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

Store the secret in a configuration file that is not pushed to the code repository.
Use your cloud provider’s service for managing secrets.
If a secret has been disclosed through the source code: revoke it and create a new one.

Sensitive Code Example

$secret = '47828a8dd77ee1eb9dde2d5e93cb221ce8c32b37';
MyClass->callMyService($secret);

Compliant Solution

Using AWS Secrets Manager:

use Aws\SecretsManager\SecretsManagerClient;
use Aws\Exception\AwsException;
$client = new SecretsManagerClient(...);
$secretName = 'example';
doSomething($client, $secretName)
function doSomething($client, $secretName) {
    try {
        $result = $client->getSecretValue([
            'SecretId' => $secretName,
        ]);
    } catch (AwsException $e) {
    ...
    }
    if (isset($result['SecretString'])) {
        $secret = $result['SecretString'];
    } else {
        $secret = base64_decode($result['SecretBinary']);
    }
    // do something with the secret
    MyClass->callMyService($secret);
}

See

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

Available Since
24.12

Analyze code in your
on-premise CI

Developer Edition
Available Since
10.8

In-IDE

SaaS

Self-Hosted