Hardcoded Credentials Security Issue T152

# Hardcoded Credentials Security Issue 

## Issue Overview
**Risk Level:** Critical (CVSS 9.8)  
**Problem:** Database passwords, AWS credentials, and API keys hardcoded in source code

## Affected Components
- `docker-compose.yml` - MySQL root passwords
- `config.py` files - Database connection strings  
- Service configuration files - API keys and tokens

## Keploy Testing Strategy

### Test Configuration
```yaml
# keploy-secrets-test.yml
version: api.keploy.io/v1beta1
kind: config
metadata:
  name: secrets-detection-test
spec:
  app:
    name: "ecommerce-secrets-audit"
  test:
    path: "./keploy/secrets-tests"
    secrets_scan: true
```

### Record and Test
```bash
# Record service startup and config loading
keploy record -c "docker-compose up" --secrets-mode

# Test endpoints that might expose config
curl http://localhost:8080/health
curl http://localhost:8081/config
curl http://localhost:8082/debug
```

### Secure Response Test
```yaml
# keploy/tests/secure-config-test.yaml
version: api.keploy.io/v1beta1
kind: Http
metadata:
  name: secure-config-test
spec:
  req:
    method: GET
    url: http://localhost:8080/health
  assertions:
    - type: response_body
      not_contains: "password"
      message: "Health endpoint should not expose credentials"
    - type: response_body
      not_contains: "AKIA"
      message: "AWS credentials should not be exposed"
```

## Vulnerability Examples

### Vulnerable Code
```python
# config.py - VULNERABLE
DATABASE_URL = "mysql://root:hardcoded_password@localhost:3306/orders"
AWS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
```

### Secure Implementation
```python
# config.py - SECURE
import os
DATABASE_URL = os.getenv('DATABASE_URL')
AWS_ACCESS_KEY = os.getenv('AWS_ACCESS_KEY')
AWS_SECRET_KEY = os.getenv('AWS_SECRET_KEY')
```

## Test Scenarios

### Configuration Exposure Test
```bash
keploy record -c "python app.py"
curl http://localhost:8080/api/v1/config
curl http://localhost:8080/.env
```

### Error Message Exposure
```bash
# Force database connection errors
docker-compose stop mysql_orders
curl http://localhost:8080/api/v1/orders
```

## Automated Scanning

### CI/CD Integration
```yaml
# .github/workflows/secrets-scan.yml
name: Secrets Detection
on: [push, pull_request]

jobs:
  secrets-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Install Keploy
        run: |
          curl -L https://github.com/keploy/keploy/releases/latest/download/keploy_linux_amd64.tar.gz | tar xz
          sudo mv keploy /usr/local/bin
      - name: Run Secrets Test
        run: keploy test --secrets-scan
```

## Remediation

### Environment Variables
```bash
# .env file (not committed)
DB_PASSWORD=secure_password
AWS_ACCESS_KEY=your_aws_key
AWS_SECRET_KEY=your_aws_secret
```

### Secure Docker Compose
```yaml
# docker-compose.yml
version: '3.8'
services:
  mysql_orders:
    image: mysql:8.0
    environment:
      MYSQL_ROOT_PASSWORD: ${DB_PASSWORD}
    env_file:
      - .env
```

### Application Config
```python
# secure_config.py
import os
from dotenv import load_dotenv

load_dotenv()

class Config:
    DB_PASSWORD = os.getenv('DB_PASSWORD')
    AWS_ACCESS_KEY = os.getenv('AWS_ACCESS_KEY')
    AWS_SECRET_KEY = os.getenv('AWS_SECRET_KEY')
```

## Validation

### Test Secure Setup
```bash
export DB_PASSWORD="secure_password"
export AWS_ACCESS_KEY="AKIA_SECURE_KEY"
keploy test -c "python app.py" --env-validation
```

### Expected Results
```yaml
test_results:
  - name: "no-secrets-in-response"
    status: "PASSED"
    message: "No hardcoded secrets found"
```

## Monitoring

```yaml
# keploy-monitoring.yml
monitoring:
  secrets_detection:
    enabled: true
    patterns: ["password", "secret", "key", "AKIA[0-9A-Z]{16}"]
    alerts:
      webhook: "https://hooks.slack.com/webhook"
      message: "🚨 Hardcoded secrets detected!"
```

## Best Practices

1. Never commit secrets to version control
2. Use environment variables for sensitive data
3. Implement secrets rotation policies
4. Use AWS Secrets Manager
5. Regular automated scanning with Keploy

---

**⚠️ Critical:** Immediate remediation required. Exposed credentials can lead to complete system compromise.

*E-commerce Microservices Security Documentation*

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Hardcoded Credentials Security Issue T152 #7

Hardcoded Credentials Security Issue

Issue Overview

Affected Components

Keploy Testing Strategy

Test Configuration

Record and Test

Secure Response Test

Vulnerability Examples

Vulnerable Code

Secure Implementation

Test Scenarios

Configuration Exposure Test

Error Message Exposure

Automated Scanning

CI/CD Integration

Remediation

Environment Variables

Secure Docker Compose

Application Config

Validation

Test Secure Setup

Expected Results

Monitoring

Best Practices

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Hardcoded Credentials Security Issue T152 #7

Description

Hardcoded Credentials Security Issue

Issue Overview

Affected Components

Keploy Testing Strategy

Test Configuration

Record and Test

Secure Response Test

Vulnerability Examples

Vulnerable Code

Secure Implementation

Test Scenarios

Configuration Exposure Test

Error Message Exposure

Automated Scanning

CI/CD Integration

Remediation

Environment Variables

Secure Docker Compose

Application Config

Validation

Test Secure Setup

Expected Results

Monitoring

Best Practices

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions