# Usage of hard-coded secret

## Overview

* **Rule ID**: `java_lang_hardcoded_secret`
* **Applicable Languages**: Java
* **Weakness ID**: CWE-798

## Description

Applications should securely store secret values rather than including them as literal values in the source code.

## Remediation Guidelines

* **Fetch** secrets from a secure location during runtime.

## References

* [**OWASP hardcoded passwords**](https://owasp.org/www-community/vulnerabilities/Use_of_hard-coded_password)
* [**OWASP secrets management cheat sheet**](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html#21-high-availability)
* [**CWE-798: Use of Hard-coded Credentials**](https://cwe.mitre.org/data/definitions/798.html)
* [**OWASP Top 10: A07:2021 - Identification and Authentication Failures**](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/)

## Configuration

To omit this rule during a scan, and to provide you with continuous 24/7 code-level scanning, you can employ our [**SAST TOOL**](https://scopy.sec1.io/login)