py/HardcodedCredentials misses common credential patterns and flags usernames.

[9iang22]

Some patterns are missing, for example:

api_key = "sk-1234567890" # Missed: API key
db_url = "postgres://user:pass@host/db" # Missed: URL credentials

Second, I am not sure if the username is seen as a credential in a usual project, but this rule will flag the username.
This is beyond the definition in CWE-798 (
The product contains hard-coded credentials, such as a password or cryptographic key.)

USERNAME = "admin" # Flagged

I also found that the rule will lose the taint in the following case:

USERNAME = "road_runner"
PASSWORD = "insecure_pwd"
options = {"password": PASSWORD}

conn = client.connect(username=USERNAME, password=PASSWORD) # Flagged
log.debug("Options: %s", options) # Missing
conn = client.connect(options=options) # Still Missing

[jketema]

Hi @9iang22,

Thanks for your report. Have you seen real-world projects where these patterns occur. If so, could you point us to some?

[9iang22]

Hi @jketema,

Thanks for the quick response. Yes, I have identified real-world instances of these patterns. You can also verify these using GitHub Code Search or Sourcegraph:

1. Missing API Key Patterns

• Search Query: "api_key= 'sk-" lang:python
• Results: ~6.6K results, indicating a significant risk of API key leakage.
• Example: https://github.com/AI4Chem/ChemistryAgent/blob/8d8ab2d4a5bc0dbc184b563cc273963a301004d1/agent/model/api_key.py#L4

2. Missing Database URL Credentials

• Search Query: "postgres://" lang:python
• Results: ~4.4K results. While not all are hardcoded, many contain embedded credentials.
• Example: https://github.com/rayattack/opyration/blob/33ff26e1942a00c0e136e399fb96576ccf2ae4ed/.py#L7

3. False Positives on Usernames
I think usernames are typically not considered to be secrets. Flagging them (e.g., USERNAME = "admin") may generate lots of noise.

4. Taint Tracking via Dictionaries
The current rule seems to lose taint when credentials are passed through a structure (e.g., options = {"password": PASSWORD}). This is a very common pattern in Python clients and should ideally remain within the detection scope.

• Search Query: "'password': password}" lang: python
• Example: https://github.com/davidjohnstone/alt/blob/b782778d387a8db4e65c95359de0d0c37b52a970/run.py#L43

I hope this evidence helps clarify the issues.

[jketema]

Thanks and thanks again for your report. We'll keep this issue open, but fixing this will not be prioritized: the query was removed from all are query suites in #19507. This was done on purpose, because we expect customers to use GitHub's secret scanning solution to detect these kinds of issues and not Code Scanning.

[9iang22]

Thank you for your explanation and for taking the time to explain the background of #19507. I will adjust the priority of my report accordingly if I have any other findings later.