cwe-798-hardcoded-credentials


Use this skill when you need to remediate CWE-798 (Hardcoded Credentials) vulnerabilities in Java code. Triggers on SAST findings, security reviews, or when fixing hardcoded credentials issues.

By DevelopersCoffee, updated 3/6/2026

name: cwe-798-hardcoded-credentials
description: Use this skill when you need to remediate CWE-798 (Hardcoded Credentials) vulnerabilities in Java code. Triggers on SAST findings, security reviews, or when fixing hardcoded credentials issues.
version: 1.0.0
license: MIT
tags:

  • security
  • java
  • cwe-798
  • remediation
  • sast

CWE-798 Hardcoded Credentials

Description

Hardcoded Credentials

Reference: https://cwe.mitre.org/data/definitions/798.html

OWASP Category: A07:2021 – Identification and Authentication Failures


Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

// VULNERABLE: Hardcoded API keys and credentials baked into the class
// (wrapped in an illustrative class with its imports so the fragment compiles)
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;

public class StorageClient {
    private static final String API_KEY = "sk-1234567890abcdef";
    private static final String AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";

    AmazonS3 s3 = AmazonS3ClientBuilder.standard()
        .withCredentials(new AWSStaticCredentialsProvider(
            new BasicAWSCredentials("AKIAIOSFODNN7EXAMPLE", AWS_SECRET)))
        .build();
}

Why it's vulnerable: the API key, the AWS access key ID and the secret key are string literals, so they are committed to version control, embedded in every build artifact, and readable by anyone with access to the repository history or the packaged application. They cannot be rotated without a code change and a redeploy, and the same credentials are shared by every environment that build is deployed to.


Deterministic Fix

✅ Example 2: Secure Implementation

// SECURE: secrets are resolved at runtime; the fragments are wrapped in one Spring
// component with their imports so they compile together (class name is illustrative)
import java.util.Map;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.secretsmanager.AWSSecretsManager;
import com.amazonaws.services.secretsmanager.model.GetSecretValueRequest;
import com.amazonaws.services.secretsmanager.model.GetSecretValueResult;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.support.VaultResponse;

@Component
public class CredentialSources {

    // SECURE: Use environment variables; fail fast if the variable is unset
    public static String apiKeyFromEnvironment() {
        String apiKey = System.getenv("API_KEY");
        if (apiKey == null || apiKey.isEmpty()) {
            throw new IllegalStateException("API_KEY environment variable not set");
        }
        return apiKey;
    }

    // SECURE: Use AWS credential provider chain (auto-discovers credentials)
    public static AmazonS3 s3Client() {
        return AmazonS3ClientBuilder.standard()
            .withCredentials(new DefaultAWSCredentialsProviderChain())
            .build();
    }

    // SECURE: Use Spring's @Value with externalized config
    @Value("${api.key}")
    private String apiKey;

    // SECURE: Use HashiCorp Vault (KV v2 engine mounted at "secret")
    @Autowired
    private VaultTemplate vault;

    public String getApiKey() {
        VaultResponse response = vault.read("secret/data/myapp");
        // KV v2 nests the secret under "data" next to "metadata"
        @SuppressWarnings("unchecked")
        Map<String, Object> data = (Map<String, Object>) response.getRequiredData().get("data");
        return (String) data.get("apiKey");
    }

    // SECURE: AWS Secrets Manager
    @Autowired
    private AWSSecretsManager secretsManager;

    public String getSecretFromAWS(String secretName) {
        GetSecretValueRequest request = new GetSecretValueRequest()
            .withSecretId(secretName);
        GetSecretValueResult result = secretsManager.getSecretValue(request);
        return result.getSecretString();
    }
}

Why it's secure: no credential appears in source or build artifacts. Each variant resolves the secret at runtime from an external source (the environment, externalized Spring config, the AWS provider chain, Vault, or Secrets Manager), so values can differ per environment, access to them can be controlled and audited, and rotation needs no code change. The environment-variable variant fails fast rather than silently running with an empty key.


Detection Pattern

Look for these patterns in your codebase:

# Find hardcoded secrets: credential-named identifiers assigned a string literal
grep -rnE 'API_KEY|SECRET|PASSWORD|AKIA' --include='*.java' | grep '=.*"'
# Find AWS clients built from static credentials
grep -rnE 'BasicAWSCredentials|AWSStaticCredentials' --include='*.java'
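As an added example (not part of the original skill), a small Python scanner that applies the detection logic above to constructed Java source: it flags string literals assigned to credential-named identifiers and AWS access key IDs, and reports only masked values so a finding can be shared without re-exposing the secret. The regexes, class and sample source are assumptions for this example.

```python
import re
from dataclasses import dataclass

# Identifier names that usually hold a credential (matched case-insensitively)
SENSITIVE_NAME = re.compile(r"api[_-]?key|secret|passw(or)?d|token|access[_-]?key", re.I)
# Java assignment of a non-trivial string literal to an identifier: NAME = "literal"
ASSIGNMENT = re.compile(r'\b(?P<name>[A-Za-z_]\w*)\s*=\s*"(?P<value>[^"\\]{4,})"')
# AWS access key IDs: 20 uppercase alphanumerics, prefixed AKIA (long-term) or ASIA (temporary)
AWS_KEY_ID = re.compile(r'"((?:AKIA|ASIA)[A-Z0-9]{16})"')


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    detail: str  # identifier name or a masked value; the secret itself is never reported


def mask(value: str) -> str:
    """Keep a 4-character prefix so a finding is recognisable without echoing the secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan_java(source: str) -> list[Finding]:
    """Return CWE-798 candidates in Java source, one Finding per literal, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith(("//", "*", "/*")):
            continue  # comment lines
        for m in AWS_KEY_ID.finditer(line):
            findings.append(Finding(line_no, "aws-access-key-id", mask(m.group(1))))
        for m in ASSIGNMENT.finditer(line):
            # Reads such as System.getenv("API_KEY") or @Value("${api.key}") never match:
            # the right-hand side must be a bare string literal, not a call or annotation.
            if SENSITIVE_NAME.search(m.group("name")):
                findings.append(Finding(line_no, "hardcoded-secret", m.group("name")))
    return findings


# Constructed sample mixing the page's vulnerable lines with the secure replacements.
SAMPLE_JAVA = """\
// VULNERABLE: Hardcoded API keys and credentials
private static final String API_KEY = "sk-1234567890abcdef";
private static final String AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
new BasicAWSCredentials("AKIAIOSFODNN7EXAMPLE", AWS_SECRET);
String apiKey = System.getenv("API_KEY");
@Value("${api.key}")
private static final String GREETING = "hello world";
"""
```

Running `scan_java(SAMPLE_JAVA)` yields the two literal assignments and the access key ID, while the `System.getenv`, `@Value` and `GREETING` lines produce nothing.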

Remediation Steps

  1. Remove all hardcoded credentials from source code

  2. Use environment variables for local development

  3. Use cloud secret managers (AWS SM, GCP SM, Azure KV)

  4. Use HashiCorp Vault for on-premise deployments

  5. Rotate any credentials that were ever committed; removing them from the current code does not remove them from version-control history


Key Imports

import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import org.springframework.vault.core.VaultTemplate;

Verification

After remediation:

  • Run SAST scanner to confirm vulnerability is resolved

  • Review all instances of the vulnerable pattern

  • Add unit tests that verify the secure implementation

  • Check for similar patterns in related code


Trigger Examples

Fix CWE-798 vulnerability
Resolve Hardcoded Credentials issue
Secure this Java code against hardcoded credentials
SAST reports CWE-798

Common Vulnerable Locations

| Layer | Files | Patterns |
|---|---|---|
| Controller | *Controller.java | User input handling |
| Service | *Service.java | Business logic |
| Repository | *Repository.java | Data access |


References

Source: Generated by Java CWE Security Skills Generator. Last Updated: 2026-03-07

Install via CLI
npx skills add https://github.com/DevelopersCoffee/java-cwe-security-skills --skill cwe-798-hardcoded-credentials
Repository: branch main, path SKILL.md