Merge pull request #8 from codacy/add-key-keyword-secret-detection

DMarinhoCodacy · web-flow · commit 09fe7b81e341 · 2026-03-17T11:44:32.000Z
Add key keyword secret detection
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-# Codacy Semgrep
+# Codacy Opengrep
 
 This is the docker engine we use at Codacy to have [Opengrep](https://github.com/opengrep/opengrep) support.
 
diff --git a/docs/codacy-rules.yaml b/docs/codacy-rules.yaml
@@ -25,7 +25,7 @@ rules:
           - pattern: String $PASSWORD = "$VALUE";
         - metavariable-regex:
             metavariable: "$PASSWORD"
-            regex: "(?i).*(password|motdepasse|heslo|adgangskode|wachtwoord|salasana|passwort|passord|senha|geslo|clave|losenord|clave|parola|secret|pwd).*"
+            regex: "(?i).*(password|motdepasse|heslo|adgangskode|wachtwoord|salasana|passwort|passord|senha|geslo|clave|losenord|clave|parola|secret|pwd|key).*"
     message: Hardcoded passwords are a security risk. They can be easily found by attackers and used to gain unauthorized access to the system.
     metadata:
       owasp:
@@ -45,7 +45,7 @@ rules:
           - pattern: var $PASSWORD = "$VALUE";
         - metavariable-regex:
             metavariable: "$PASSWORD"
-            regex: "(?i).*(password|motdepasse|heslo|adgangskode|wachtwoord|salasana|passwort|passord|senha|geslo|clave|losenord|clave|parola|secret|pwd).*"
+            regex: "(?i).*(password|motdepasse|heslo|adgangskode|wachtwoord|salasana|passwort|passord|senha|geslo|clave|losenord|clave|parola|secret|pwd|key).*"
     message: Hardcoded passwords are a security risk. They can be easily found by attackers and used to gain unauthorized access to the system.
     metadata:
       owasp:
@@ -74,7 +74,7 @@ rules:
           - pattern: var $PASSWORD = `$VALUE`
         - metavariable-regex:
             metavariable: "$PASSWORD"
-            regex: "(?i).*(password|motdepasse|heslo|adgangskode|wachtwoord|salasana|passwort|passord|senha|geslo|clave|losenord|clave|parola|secret|pwd).*"
+            regex: "(?i).*(password|motdepasse|heslo|adgangskode|wachtwoord|salasana|passwort|passord|senha|geslo|clave|losenord|clave|parola|secret|pwd|key).*"
     message: Hardcoded passwords are a security risk. They can be easily found by attackers and used to gain unauthorized access to the system.
     metadata:
       owasp:
@@ -105,7 +105,7 @@ rules:
           $PASSWORD VARCHAR2($LENGTH) := $...VALUE;
       - metavariable-regex:
           metavariable: "$PASSWORD"
-          regex: "(?i).*(password|motdepasse|heslo|adgangskode|wachtwoord|salasana|passwort|passord|senha|geslo|clave|losenord|clave|parola|secret|pwd).*"
+          regex: "(?i).*(password|motdepasse|heslo|adgangskode|wachtwoord|salasana|passwort|passord|senha|geslo|clave|losenord|clave|parola|secret|pwd|key).*"
     options:
       generic_ellipsis_max_span: 0
     message: >
diff --git a/docs/multiple-tests/codacy-rules-java/results.xml b/docs/multiple-tests/codacy-rules-java/results.xml
@@ -2,6 +2,8 @@
 <checkstyle version="1.5">
     <file name="Program.java">
         <error source="codacy.java.security.hard-coded-password" line="8" message="Hardcoded passwords are a security risk." severity="error" />
-        <error source="codacy.java.security.flexible-search-sql-injection" line="9" message="Possible SQL Injection: Avoid concatenating user input in FlexibleSearchQuery." severity="error" />
+        <error source="codacy.java.security.hard-coded-password" line="9" message="Hardcoded passwords are a security risk." severity="error" />
+        <error source="codacy.java.security.hard-coded-password" line="10" message="Hardcoded passwords are a security risk." severity="error" />
+        <error source="codacy.java.security.flexible-search-sql-injection" line="11" message="Possible SQL Injection: Avoid concatenating user input in FlexibleSearchQuery." severity="error" />
     </file>
 </checkstyle>
diff --git a/docs/multiple-tests/codacy-rules-java/src/Program.java b/docs/multiple-tests/codacy-rules-java/src/Program.java
@@ -6,13 +6,17 @@ class Program
         public static void main(String[] args)
         {
             private static final String PASSWORD = "password" ; // Issue: Hardcoded password
+            private static final String API_KEY = "api_key" ; // Issue: Hardcoded API key
+            private static final String API_SECRET = "api_secret" ; // Issue: Hardcoded API secret
             final FlexibleSearchQuery query = new FlexibleSearchQuery("SELECT {a.pk} FROM {TEST AS a} WHERE {a.uid} ="+ uid +" AND {a.visibleInAddressBook} = true");
 
             final FlexibleSearchQuery okquery = new FlexibleSearchQuery(
                 "SELECT {a.pk} FROM {TEST AS a} WHERE {a.uid} = ?uid AND {a.visibleInAddressBook} = true"
             );
             okquery.addQueryParameter("uid", uid);
             System.out.println("This is a security risk: " + PASSWORD);
+            System.out.println("This is a security risk: " + API_KEY);
+            System.out.println("This is a security risk: " + API_SECRET);
         }
     }
 
diff --git a/docs/multiple-tests/codacy-rules-javascript/results.xml b/docs/multiple-tests/codacy-rules-javascript/results.xml
@@ -4,5 +4,7 @@
         <error source="codacy.javascript.security.hard-coded-password" line="3" message="Hardcoded passwords are a security risk." severity="error" />
         <error source="codacy.javascript.security.hard-coded-password" line="4" message="Hardcoded passwords are a security risk." severity="error" />
         <error source="codacy.javascript.security.hard-coded-password" line="5" message="Hardcoded passwords are a security risk." severity="error" />
+        <error source="codacy.javascript.security.hard-coded-password" line="6" message="Hardcoded passwords are a security risk." severity="error" />
+        <error source="codacy.javascript.security.hard-coded-password" line="7" message="Hardcoded passwords are a security risk." severity="error" />
     </file>
 </checkstyle>
diff --git a/docs/multiple-tests/codacy-rules-javascript/src/index.js b/docs/multiple-tests/codacy-rules-javascript/src/index.js
@@ -3,6 +3,8 @@ function main(args) {
     var PASSWORD = "password"; // Issue: Hardcoded password
     let salasana = 'YAY'
     const senha = `senha`;
+    const API_KEY = "api_key"; // Issue: Hardcoded API key
+    const API_SECRET = "api_secret"; // Issue: Hardcoded API secret
 
 
     const letPassword = password();
diff --git a/docs/multiple-tests/codacy-rules/results.xml b/docs/multiple-tests/codacy-rules/results.xml
@@ -2,15 +2,18 @@
 <checkstyle version="1.5">
     <file name="codacy-csharp-security-hard-coded-password.cs">
         <error source="codacy.csharp.security.hard-coded-password" line="9" message="Hardcoded passwords are a security risk." severity="error" />
-        <error source="codacy.csharp.security.null-dereference" line="23" message="Potential null dereference detected." severity="error" />
-        <error source="codacy.csharp.security.null-dereference" line="26" message="Potential null dereference detected." severity="error" />
-        <error source="codacy.csharp.security.null-dereference" line="26" message="Potential null dereference detected." severity="error" />
+        <error source="codacy.csharp.security.hard-coded-password" line="10" message="Hardcoded passwords are a security risk." severity="error" />
+        <error source="codacy.csharp.security.null-dereference" line="25" message="Potential null dereference detected." severity="error" />
+        <error source="codacy.csharp.security.null-dereference" line="28" message="Potential null dereference detected." severity="error" />
+        <error source="codacy.csharp.security.null-dereference" line="28" message="Potential null dereference detected." severity="error" />
     </file>
     <file name="test_find_all_passwords_and_empty_string.pls">
-        <error source="codacy.generic.plsql.empty-strings" line="29" message="Empty strings can lead to unexpected behavior and should be handled carefully." severity="warning" />
+        <error source="codacy.generic.plsql.empty-strings" line="33" message="Empty strings can lead to unexpected behavior and should be handled carefully." severity="warning" />
         <error source="codacy.generic.plsql.find-all-passwords" line="6" message="Hardcoded or exposed passwords are a security risk." severity="error" />
         <error source="codacy.generic.plsql.find-all-passwords" line="7" message="Hardcoded or exposed passwords are a security risk." severity="error" />
         <error source="codacy.generic.plsql.find-all-passwords" line="8" message="Hardcoded or exposed passwords are a security risk." severity="error" />
+        <error source="codacy.generic.plsql.find-all-passwords" line="9" message="Hardcoded or exposed passwords are a security risk." severity="error" />
+        <error source="codacy.generic.plsql.find-all-passwords" line="10" message="Hardcoded or exposed passwords are a security risk." severity="error" />
     </file>
     <file name="test_resource_injection.pls">
         <error source="codacy.generic.plsql.resource-injection" line="16" message="Resource injection detected." severity="error" />
diff --git a/docs/multiple-tests/codacy-rules/src/codacy-csharp-security-hard-coded-password.cs b/docs/multiple-tests/codacy-rules/src/codacy-csharp-security-hard-coded-password.cs
@@ -7,8 +7,10 @@ class Program
         static void Main(string[] args)
         {
             var password = "password"; // Issue: Hardcoded password
+            var api_key = "api_key"; // Issue: Hardcoded API key
 
             Console.WriteLine("This is a security risk: " + password);
+            Console.WriteLine("This is a security risk: " + api_key);
         }
 
         public static bool? IsRegular(bool freqNoneOrNotPeriodic, bool freqPeriodical, IFrequency frequency)
diff --git a/docs/multiple-tests/codacy-rules/src/test_find_all_passwords_and_empty_string.pls b/docs/multiple-tests/codacy-rules/src/test_find_all_passwords_and_empty_string.pls
@@ -6,6 +6,8 @@ CREATE OR REPLACE PACKAGE find_passwords AS
   password1 VARCHAR2(100) := 'Password123!';
   password2 VARCHAR2(100) := 'Admin@456';
   password3 VARCHAR2(100) := 'UserPass789';
+  API_KEY VARCHAR2(100) := 'newAPI_KEY43432';
+  API_SECRET VARCHAR2(100) := 'newAPI_SECRET43432';
 
   -- Procedure to output passwords
   PROCEDURE output_passwords;
@@ -19,6 +21,8 @@ BEGIN
     DBMS_OUTPUT.PUT_LINE('Password1: ' || password1);
     DBMS_OUTPUT.PUT_LINE('Password2: ' || password2);
     DBMS_OUTPUT.PUT_LINE('Password3: ' || password3);
+    DBMS_OUTPUT.PUT_LINE('Password4: ' || API_KEY);
+    DBMS_OUTPUT.PUT_LINE('Password5: ' || API_KEY);
 END output_passwords;
 END find_passwords;
 /

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-# Codacy Semgrep`
	`1`	`+# Codacy Opengrep`
`2`	`2`
`3`	`3`	`This is the docker engine we use at Codacy to have [Opengrep](https://github.com/opengrep/opengrep) support.`
`4`	`4`
Original file line number	Diff line number	Diff line change
`@@ -6,13 +6,17 @@ class Program`
`6`	`6`	`public static void main(String[] args)`
`7`	`7`	`{`
`8`	`8`	`private static final String PASSWORD = "password" ; // Issue: Hardcoded password`
	`9`	`+ private static final String API_KEY = "api_key" ; // Issue: Hardcoded API key`
	`10`	`+ private static final String API_SECRET = "api_secret" ; // Issue: Hardcoded API secret`
`9`	`11`	`final FlexibleSearchQuery query = new FlexibleSearchQuery("SELECT {a.pk} FROM {TEST AS a} WHERE {a.uid} ="+ uid +" AND {a.visibleInAddressBook} = true");`
`10`	`12`
`11`	`13`	`final FlexibleSearchQuery okquery = new FlexibleSearchQuery(`
`12`	`14`	`"SELECT {a.pk} FROM {TEST AS a} WHERE {a.uid} = ?uid AND {a.visibleInAddressBook} = true"`
`13`	`15`	`);`
`14`	`16`	`okquery.addQueryParameter("uid", uid);`
`15`	`17`	`System.out.println("This is a security risk: " + PASSWORD);`
	`18`	`+ System.out.println("This is a security risk: " + API_KEY);`
	`19`	`+ System.out.println("This is a security risk: " + API_SECRET);`
`16`	`20`	`}`
`17`	`21`	`}`
`18`	`22`
Original file line number	Diff line number	Diff line change
`@@ -7,8 +7,10 @@ class Program`
`7`	`7`	`static void Main(string[] args)`
`8`	`8`	`{`
`9`	`9`	`var password = "password"; // Issue: Hardcoded password`
	`10`	`+ var api_key = "api_key"; // Issue: Hardcoded API key`
`10`	`11`
`11`	`12`	`Console.WriteLine("This is a security risk: " + password);`
	`13`	`+ Console.WriteLine("This is a security risk: " + api_key);`
`12`	`14`	`}`
`13`	`15`
`14`	`16`	`public static bool? IsRegular(bool freqNoneOrNotPeriodic, bool freqPeriodical, IFrequency frequency)`