Sensitive information is in the source code

Severity: Critical

Applies to: Step

Why This Issue Is Important

Embedding sensitive information, such as private keys, credentials, or other secrets, directly in policy source code significantly increases the risk of exposure. Attackers can easily extract this data through reverse engineering, code leaks, or compromised repositories. Once exposed, this sensitive information can be exploited to gain unauthorised access, leading to security breaches, data theft, and loss of trust.

How This Issue Is Detected

This issue is detected by analysing flow variables and configurations within your Apigee proxies. If sensitive data, such as private keys or other confidential information, is hardcoded or referenced in a way that exposes it in the source code, the system raises an alert. The detection process involves tracing variables that hold sensitive data and identifying whether they are securely stored or exposed directly in the code.

How to Fix the Issue

To fix this issue, remove hardcoded sensitive information from your Apigee proxy's source code. Instead, securely store these secrets in Apigee's Key Value Map (KVM) or a similar secure storage solution. Access the data dynamically during runtime to ensure it remains protected.
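The detection logic described above and the KVM-backed fix, as an added example that is not part of this page or of Apigee's own tooling. The scanner parses Apigee policy XML, treats `AssignVariable`, `Header`, `QueryParam` and `FormParam` entries whose names look sensitive as findings when their value is a literal rather than a `{variable}` message-template reference, and reports which `private.*` variables a `KeyValueMapOperations` policy populates. The policy names, map identifier, key names and secret values are constructed for the example; the regular expression for sensitive names is an assumption standing in for whatever list a real scanner would use.

```python
"""Scan Apigee policy XML for hardcoded secrets (added example, not Apigee tooling)."""
import re
import xml.etree.ElementTree as ET

# Assumed heuristic: names that suggest a sensitive value. A real scanner would
# load this list from configuration rather than hardcode it.
SENSITIVE_NAME = re.compile(r"(key|secret|password|passwd|token|credential|private)", re.I)
# Apigee message-template reference such as {private.api_key}: a value that is
# only a reference is resolved at runtime and is not a hardcoded literal.
TEMPLATE_REF = re.compile(r"^\{[A-Za-z0-9_.\-]+\}$")

# Constructed sample: an AssignMessage policy with the credential written into the proxy.
VULNERABLE_POLICY = """<AssignMessage name="AM-BackendAuth">
  <AssignVariable>
    <Name>backend.secret</Name>
    <Value>s3cr3t-literal-CONSTRUCTED</Value>
  </AssignVariable>
  <Set>
    <Headers>
      <Header name="x-api-key">CONSTRUCTED-EXAMPLE-KEY</Header>
      <Header name="Accept">application/json</Header>
    </Headers>
  </Set>
  <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>"""

# Constructed sample of the fix: the secret is read from a KVM into a private.*
# variable at runtime (private.* variables are masked in Apigee trace output),
# and the AssignMessage policy only references that variable.
KVM_POLICY = """<KeyValueMapOperations name="KVM-GetBackendKey" mapIdentifier="backend-secrets">
  <Scope>environment</Scope>
  <Get assignTo="private.api_key">
    <Key>
      <Parameter>api_key</Parameter>
    </Key>
  </Get>
</KeyValueMapOperations>"""

FIXED_POLICY = """<AssignMessage name="AM-BackendAuth">
  <Set>
    <Headers>
      <Header name="x-api-key">{private.api_key}</Header>
      <Header name="Accept">application/json</Header>
    </Headers>
  </Set>
  <AssignTo createNew="false" transport="http" type="request"/>
</AssignMessage>"""


def _is_literal_secret(name, value):
    """True when a sensitive-looking name carries a literal (non-reference) value."""
    if not value or not SENSITIVE_NAME.search(name):
        return False
    return not TEMPLATE_REF.match(value.strip())


def find_hardcoded_secrets(policy_xml):
    """Return (policy, location) pairs where a secret appears literally in the policy."""
    root = ET.fromstring(policy_xml)
    policy = f"{root.tag}/{root.get('name', '?')}"
    findings = []
    # <AssignVariable><Name>..</Name><Value>..</Value></AssignVariable>
    for av in root.iter("AssignVariable"):
        name = av.findtext("Name", default="")
        if _is_literal_secret(name, av.findtext("Value")):
            findings.append((policy, f"AssignVariable:{name}"))
    # <Header name="..">..</Header>, <QueryParam name="..">, <FormParam name="..">
    for tag in ("Header", "QueryParam", "FormParam"):
        for el in root.iter(tag):
            name = el.get("name", "")
            if _is_literal_secret(name, el.text):
                findings.append((policy, f"{tag}:{name}"))
    return findings


def kvm_private_targets(policy_xml):
    """Names of private.* variables that a KeyValueMapOperations <Get> populates.

    A <Get> that assigns to a variable without the private. prefix is not
    returned, because that value would show up in trace output.
    """
    root = ET.fromstring(policy_xml)
    if root.tag != "KeyValueMapOperations":
        return []
    return [g.get("assignTo") for g in root.iter("Get")
            if g.get("assignTo", "").startswith("private.")]


if __name__ == "__main__":
    print(find_hardcoded_secrets(VULNERABLE_POLICY))
    print(find_hardcoded_secrets(FIXED_POLICY))
    print(kvm_private_targets(KVM_POLICY))
```

Run against the constructed samples, the scanner reports the `backend.secret` variable and the `x-api-key` header in the vulnerable policy and nothing in the fixed one, where the header only references `private.api_key` and the `KeyValueMapOperations` policy supplies that value at runtime.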