# Usage of hard-coded database password

## Overview

* **Rule ID**: `java_lang_hardcoded_database_password`
* **Applicable Languages**: Java
* **Weakness ID**: CWE-259

## Description

Hard-coding a database password in source code is a serious weakness. The credential is copied into every clone, branch, build artifact and backup of the code, and it remains in version-control history even after it is removed from the current revision, so anyone who gains read access to the codebase (a leaked repository, a compromised developer machine, a published artifact) obtains direct database access. Because the password is baked into the code, rotating it requires a code change and a redeploy, which in practice means it is rarely rotated.

## Remediation Guidelines

* **Avoid** embedding database passwords as string literals in your code. The credential becomes readable to everyone with access to the repository and cannot be rotated without a code change. Code like the following triggers this rule:

  ```java
  // Password supplied as a string literal: flagged by this rule
  Connection conn = DriverManager.getConnection(url, "admin", "secret");
  ```
* **Instead, use environment variables** (or another configuration source injected at deploy time) to supply the password at runtime. The credential then never enters the codebase or its history, it can differ per environment, and it can be rotated without touching the code. Treat the value as secret once it has been read: do not log it, and do not concatenate it into the JDBC URL, where driver or connection-pool logging may echo it.
* **Do** consider a dedicated secrets manager or key-management system for passwords and other sensitive material. Such systems add access control, audit logging and automated rotation that plain environment variables do not provide.
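The following is an added example (not code from the original rule page) showing the remediated form of the snippet above: the URL, user and password are read from environment variables, a missing variable fails fast instead of falling back to a built-in default, and the password is passed to the driver via a `Properties` object rather than being concatenated into the URL. The variable names `DB_URL`, `DB_USER` and `DB_PASSWORD` are assumptions; use whatever your deployment defines.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

/**
 * Added example, not part of the original page: opens a JDBC connection
 * whose credentials come from the process environment instead of from
 * string literals in the source.
 */
public final class DbCredentials {

    // Assumed variable names; change them to match your deployment.
    private static final String URL_VAR = "DB_URL";
    private static final String USER_VAR = "DB_USER";
    private static final String PASSWORD_VAR = "DB_PASSWORD";

    private DbCredentials() {}

    /**
     * Returns the value of a required environment variable. It fails fast
     * when the variable is unset or blank: a hard-coded fallback here
     * (e.g. "secret") would reintroduce exactly the finding this rule reports.
     */
    static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isBlank()) {
            throw new IllegalStateException(
                "Required environment variable " + name + " is not set");
        }
        return value;
    }

    /**
     * Opens a connection using environment-supplied credentials. The password
     * goes into the Properties object, never into the URL string, so URL
     * logging by the driver or a connection pool does not expose it.
     */
    public static Connection open() throws SQLException {
        String url = requireEnv(URL_VAR);
        Properties props = new Properties();
        props.setProperty("user", requireEnv(USER_VAR));
        props.setProperty("password", requireEnv(PASSWORD_VAR));
        return DriverManager.getConnection(url, props);
    }

    public static void main(String[] args) {
        try (Connection conn = open()) {
            System.out.println("Connected; autocommit=" + conn.getAutoCommit());
        } catch (IllegalStateException e) {
            // Misconfiguration: report which variable is missing, never its value.
            System.err.println("Configuration error: " + e.getMessage());
            System.exit(2);
        } catch (SQLException e) {
            // Log only the SQLState and message; do not dump the Properties object.
            System.err.println("Database error (" + e.getSQLState() + "): " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it with the variables set in the process environment, for example `DB_URL=jdbc:postgresql://db.internal/app DB_USER=app DB_PASSWORD='…' java DbCredentials` (a JDBC driver for the URL's scheme must be on the classpath). The same `requireEnv` shape works when the values are injected by a container orchestrator or fetched from a secrets manager at startup; the point is that no literal password exists in the compiled artifact or the repository.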

## References

* [**OWASP hardcoded passwords**](https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password)
* [**CWE-259: Use of Hard-coded Password**](https://cwe.mitre.org/data/definitions/259.html)
* [**OWASP Top 10: A07:2021 - Identification and Authentication Failures**](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/)

## Configuration

To suppress this rule for a scan, or to run continuous code-level scanning, use our [**SAST TOOL**](https://scopy.sec1.io/login).
