Hardcoded Secrets

Hardcoded secrets are credentials, API keys, database passwords, or private keys written directly into source code, configuration files, or container definitions instead of being injected at runtime from an environment or a secrets store.

Hardcoded secrets are one of the most common causes of security breaches in self-hosted and cloud-hosted applications. When credentials appear in docker-compose.yml, in .env files committed to version control, or in application config files, they tend to leak through channels nobody was watching: public repositories, CI and application logs, build artifacts, and container image layers (a `COPY . .` without a .dockerignore bakes a local .env into every image pushed to a registry).

The Docker Compose pattern is particularly dangerous because environment: blocks with literal values are frequently committed to public GitHub repositories. GitHub's secret scanning recognises the token formats of known providers (cloud and SaaS API keys with a fixed prefix or structure), but a database password or a self-issued API key has no recognisable shape and is usually not detected.

What Counts as a Hardcoded Secret

Any of the following counts: a literal credential in an environment: block (DB_PASSWORD=mypassword); an API key embedded in a config file; a private key committed to a repository; a connection string with embedded credentials (postgresql://user:password@host/db); a default baked into an interpolation (${DB_PASSWORD:-changeme}) for a variable that carries a credential; and in general any credential that is not an environment variable reference or a lookup from a secrets manager.

The Safe Pattern: Variable References

Use ${DB_PASSWORD} in docker-compose.yml (Compose uses single braces; the ${{ ... }} form is GitHub Actions syntax and is not interpolated by Compose) and define the actual value only in a .env file that is listed in .gitignore. Compose reads .env from the project directory automatically, and ${DB_PASSWORD:?DB_PASSWORD is not set} makes a missing value a hard error instead of an empty password. Keep in mind that `docker compose config` prints the file with every reference resolved, so never paste that output anywhere. For production, use Docker Secrets, HashiCorp Vault, AWS Secrets Manager, or equivalent.
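The unsafe form beside the two safe forms, as an added example (not ConfigClarity's own material). It assumes the official postgres image, which reads either POSTGRES_PASSWORD or POSTGRES_PASSWORD_FILE; the secret name db_password and the file paths are illustrative.

```yaml
# --- docker-compose.yml, unsafe: the literal is committed with the file ---
services:
  db:
    image: postgres:16
    environment:
      POSTGRES_PASSWORD: mypassword

# --- docker-compose.yml, safe for development: reference resolved from .env ---
services:
  db:
    image: postgres:16
    environment:
      # Fail fast if the variable is missing rather than start with an empty password.
      POSTGRES_PASSWORD: ${DB_PASSWORD:?DB_PASSWORD is not set}

# --- .env (listed in .gitignore AND .dockerignore; never committed) ---
# DB_PASSWORD=<value generated locally, never the example below>
# DB_PASSWORD=change-me-locally

# --- docker-compose.yml, production: Docker secret mounted as a file ---
services:
  db:
    image: postgres:16
    environment:
      # The image reads the password from this file instead of from the environment,
      # so the value never appears in `docker inspect` or process listings.
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_password
secrets:
  db_password:
    file: ./secrets/db_password.txt   # local file outside version control;
                                      # under Swarm use `external: true` instead
```

The first and second forms differ by one token, which is why scanners and reviewers need to check the value, not the key: `POSTGRES_PASSWORD: mypassword` and `POSTGRES_PASSWORD: ${DB_PASSWORD}` look alike at a glance.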

Frequently Asked Questions

How do I find hardcoded secrets in my Docker Compose files?
Paste your docker-compose.yml and .env files into ConfigClarity's Docker Auditor. It scans every environment: block for literal credential values and flags any that should be environment variable references. Also confirm the .env file is really ignored: `git check-ignore -v .env` should name the matching .gitignore rule, and `git ls-files .env` should print nothing (a file that was committed before the ignore rule was added stays tracked).
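A self-contained scanner for the cases listed under "What Counts as a Hardcoded Secret" and the question above, added here as an example; it is not ConfigClarity's Docker Auditor and not code from the page. It works from indentation rather than a YAML library, so it covers the usual map and list layouts of environment: blocks. The list of credential-like key names and the sample compose file are constructed for the example.

```python
import re

# Constructed sample compose file (not a real deployment), so the scanner runs offline.
# Line numbers in findings refer to lines of this string.
SAMPLE_COMPOSE = """\
services:
  db:
    image: postgres:16
    environment:
      POSTGRES_PASSWORD: hunter2
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_DB: app
  api:
    image: example/api:1.0
    environment:
      - DATABASE_URL=postgresql://app:hunter2@db/app
      - API_KEY=${API_KEY}
      - SESSION_SECRET=${SESSION_SECRET:-devsecret}
      - LOG_LEVEL=info
"""

# Variable names that usually carry a credential (assumed list, extend as needed).
SENSITIVE_KEY = re.compile(r"PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE_KEY|CREDENTIAL", re.I)
# A plain Compose interpolation: ${VAR} or $VAR and nothing else in the value.
PURE_REF = re.compile(r"^\$(\{[A-Za-z_]\w*\}|[A-Za-z_]\w*)$")
# Interpolation with a literal fallback: ${VAR:-default} or ${VAR-default}.
REF_WITH_DEFAULT = re.compile(r"^\$\{[A-Za-z_]\w*:?-(.*)\}$")
# scheme://user:password@host, i.e. credentials inside a connection string.
EMBEDDED_CREDS = re.compile(r"://[^/\s@:]*:[^/\s@]+@")


def iter_env_entries(text):
    """Yield (line_no, key, value) for every entry under an environment: block.

    Handles the map form (KEY: value) and the list form (- KEY=value) using
    indentation, so no YAML library is needed. Inline flow mappings
    (environment: {A: b}) are not handled.
    """
    in_env, env_indent = False, 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if line.startswith("environment:"):
            in_env, env_indent = True, indent
            continue
        if in_env and indent <= env_indent:
            in_env = False              # block ended: back at sibling/parent level
        if not in_env:
            continue
        if line.startswith("- "):       # list form
            key, sep, value = line[2:].strip().strip("'\"").partition("=")
        else:                           # map form
            key, sep, value = line.partition(":")
        if not sep:
            continue                    # bare "- KEY" passes the host value through
        yield n, key.strip(), value.strip().strip("'\"")


def classify(key, value):
    """Return why an entry is a hardcoded secret, or None if it is clean."""
    if value == "" or PURE_REF.match(value):
        return None                     # host pass-through or ${VAR} reference: fine
    m = REF_WITH_DEFAULT.match(value)
    if m:
        if m.group(1) and SENSITIVE_KEY.search(key):
            return "literal fallback in ${VAR:-default}"
        return None
    if EMBEDDED_CREDS.search(value):
        return "credentials embedded in connection string"
    if SENSITIVE_KEY.search(key):
        return "literal credential"
    return None


def find_hardcoded_secrets(text):
    """Scan compose text; return [(line_no, key, reason), ...], one per finding."""
    findings = []
    for n, key, value in iter_env_entries(text):
        reason = classify(key, value)
        if reason:
            findings.append((n, key, reason))
    return findings


if __name__ == "__main__":
    for n, key, reason in find_hardcoded_secrets(SAMPLE_COMPOSE):
        print(f"line {n}: {key}: {reason}")
```

Run against the sample it reports three findings (the literal Postgres password, the credentials inside DATABASE_URL, and the devsecret fallback) and accepts the two pure references and the empty pass-through form. Matching on key names is a heuristic; the connection-string check is the one that catches credentials hiding under innocent names such as DATABASE_URL.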
Is a .env file safe for secrets?
A .env file is acceptable for local development only if it is listed in .gitignore and is never committed to version control; add it to .dockerignore as well, or a `COPY . .` in the Dockerfile will bake it into the image. For production, .env files are a transitional solution: proper secrets management uses Docker Secrets, Vault, or a cloud-native secrets store, so that the value exists only on the running host and never in a file that can be copied, backed up, or pushed by mistake.
What do I do if I accidentally committed a secret to GitHub?
Treat the secret as compromised immediately and rotate it before doing anything else; automated scanners pick up pushed credentials within minutes, so history rewriting is cleanup, not containment. Then remove it from history with git-filter-repo (for example `git filter-repo --invert-paths --path .env` to drop the file from every commit) or BFG Repo Cleaner, and force-push the rewritten branches. GitHub's advisory on removing sensitive data covers the exact steps. Rewriting history does not reach forks, existing clones, or cached views, and on GitHub the old commits can remain reachable by their SHA until support purges them, which is why rotation has to come first.