Detection of hardcoded credentials in .NET project web.config or app.config file

Hello,

I’m wondering if there was ever any motion on this? Specifically the example I am dealing with is a traditional .NET project with a web.config or app.config file containing hardcoded credentials in database connection strings.

Example app.config with entity framework and regular connection strings:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <connectionStrings>
    <add name="SomeDatabaseEntities" connectionString="metadata=res://*/DAL.SomeDatabaseModel.csdl|res://*/DAL.SomeDatabaseModel.ssdl|res://*/DAL.SomeDatabaseModel.msl;provider=System.Data.SqlClient;provider connection string=&quot;data source=hostname.example;initial catalog=SomeDatabase;persist security info=True;user id=someuser;password=somepassword;multipleactiveresultsets=True;App=EntityFramework&quot;" providerName="System.Data.EntityClient" />
    <add name="SomeOherConnectionString" connectionString="data source=hostname.example;initial catalog=SomeDatabase;persist security info=True;user id=someuser;password=somepassword;" providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>

Hello @robatilho,

Yes, we plan to improve the existing rule we have for password detection to support hardcoded credentials in connection strings. Here is the ticket to support connection strings from appsettings.json and web.config files.

Pierre-Loup
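As an added example that is not code from this thread or from SonarSource's rule implementation, the script below performs the detection both posts describe: it walks the `<connectionStrings>` section of a web.config / app.config and the `"ConnectionStrings"` object of an ASP.NET Core appsettings.json, splits each ADO.NET connection string into key/value pairs, recurses into the quoted `provider connection string` that Entity Framework nests inside its own string, and reports any `password` / `pwd` key with a non-empty value. The sample configs are constructed (modelled on the app.config posted above), and the set of secret-bearing keys and the `redact` helper are this example's own assumptions.

```python
"""Flag hardcoded credentials in .NET connection strings.

Added example, not SonarSource's rule. It scans the two locations the
thread mentions: <connectionStrings> in a classic web.config / app.config
and the "ConnectionStrings" object in an ASP.NET Core appsettings.json.
All sample configs in this file are constructed.
"""
import json
import xml.etree.ElementTree as ET

# Connection-string keys whose value is a secret (matched case-insensitively).
SECRET_KEYS = {"password", "pwd"}
# Entity Framework wraps the real ADO.NET string, quoted, under this key.
NESTED_KEY = "provider connection string"


def split_connection_string(cs):
    """Split an ADO.NET 'key=value;key=value' string into a lowercase-key dict.

    A value may be wrapped in single or double quotes; semicolons inside the
    quotes belong to the value (EF relies on this to nest a full connection
    string inside 'provider connection string').
    """
    pairs = {}
    i, n = 0, len(cs)
    while i < n:
        eq = cs.find("=", i)
        if eq == -1:
            break
        key = cs[i:eq].strip().lower()
        j = eq + 1
        while j < n and cs[j] == " ":
            j += 1
        if j < n and cs[j] in "\"'":
            close = cs.find(cs[j], j + 1)
            close = n if close == -1 else close
            value = cs[j + 1:close]
            nxt = cs.find(";", close)
        else:
            nxt = cs.find(";", j)
            value = cs[j:n if nxt == -1 else nxt].strip()
        if key:
            pairs[key] = value
        i = n if nxt == -1 else nxt + 1
    return pairs


def find_credentials(cs):
    """Return [(key, value)] for every secret in cs, including EF-nested ones."""
    found = []
    for key, value in split_connection_string(cs).items():
        if key in SECRET_KEYS and value:
            found.append((key, value))
        elif key == NESTED_KEY:
            found.extend(find_credentials(value))
    return found


def scan_dotnet_config(xml_text):
    """Scan <connectionStrings><add .../> entries of a web.config / app.config."""
    root = ET.fromstring(xml_text.encode("utf-8"))  # the parser unescapes &quot; for us
    findings = []
    for add in root.iterfind("./connectionStrings/add"):
        cs = add.get("connectionString")
        if cs:
            for key, value in find_credentials(cs):
                findings.append((add.get("name", "<unnamed>"), key, value))
    return findings


def scan_appsettings(json_text):
    """Scan the "ConnectionStrings" object of an ASP.NET Core appsettings.json."""
    findings = []
    section = json.loads(json_text).get("ConnectionStrings", {})
    for name, cs in section.items():
        if isinstance(cs, str):
            for key, value in find_credentials(cs):
                findings.append((name, key, value))
    return findings


def redact(value):
    """Mask a secret so the report itself does not leak it."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 4 else "*" * len(value)


# Constructed sample modelled on the app.config from the thread; the third entry
# uses Windows authentication and must produce no finding.
SAMPLE_APP_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <connectionStrings>
    <add name="SomeDatabaseEntities" connectionString="metadata=res://*/DAL.SomeDatabaseModel.csdl|res://*/DAL.SomeDatabaseModel.ssdl|res://*/DAL.SomeDatabaseModel.msl;provider=System.Data.SqlClient;provider connection string=&quot;data source=hostname.example;initial catalog=SomeDatabase;persist security info=True;user id=someuser;password=somepassword;multipleactiveresultsets=True;App=EntityFramework&quot;" providerName="System.Data.EntityClient" />
    <add name="SomeOtherConnectionString" connectionString="data source=hostname.example;initial catalog=SomeDatabase;persist security info=True;user id=someuser;password=somepassword;" providerName="System.Data.SqlClient" />
    <add name="WindowsAuth" connectionString="data source=hostname.example;initial catalog=SomeDatabase;Integrated Security=True;" providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>
"""

# Constructed appsettings.json sample in the ASP.NET Core layout.
SAMPLE_APPSETTINGS = """{
  "ConnectionStrings": {
    "Default": "Server=hostname.example;Database=SomeDatabase;User Id=someuser;Password=somepassword;",
    "Audit": "Server=hostname.example;Database=Audit;Trusted_Connection=True;"
  }
}
"""

if __name__ == "__main__":
    for source, findings in (("app.config", scan_dotnet_config(SAMPLE_APP_CONFIG)),
                             ("appsettings.json", scan_appsettings(SAMPLE_APPSETTINGS))):
        for name, key, value in findings:
            print(f"{source}: connection string '{name}' hardcodes {key}={redact(value)}")
```

The recursion into `provider connection string` is the part a plain regex over the file tends to miss, because the inner string sits inside a quoted value and, in the XML, behind `&quot;` entities; parsing the config first and the connection string second avoids both problems. Entries that use `Integrated Security` or `Trusted_Connection` carry no password key and are correctly skipped.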