v1.0
L1 Essential
Automated verification
5.1 No Hardcoded Credentials
5. Credential Protection — How do we protect secrets?
Description
Credentials MUST NOT be hardcoded in source code, configuration files, or prompts.
Rationale
Hardcoded credentials are the leading cause of AI agent compromises. They leak through version control, logs, and LLM context windows.
Audit Procedure
1. Search codebase for secret patterns
2. Check .env files are in .gitignore
3. Review git history for committed secrets
4. Run: hackmyagent secure --check CRED-001
Remediation
1. Remove all hardcoded credentials
2. Rotate any exposed credentials
3. Use environment variables or secrets manager
4. Install pre-commit hooks
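The audit steps above (secret-pattern search, .gitignore check, git-history review) and the pre-commit hook from the remediation list can all be driven by one small scanner. The script below is an added example, not hackmyagent's own code and not its rule set: the regexes, the placeholder filter, the SKIP_DIRS list and the function names are assumptions chosen for illustration. It scans the working tree (or, with --staged, only the files staged for commit, which makes it usable as a pre-commit hook), optionally scans `git log -p --all` because a secret deleted from the tree still lives in history, and checks that .gitignore excludes .env files.

```python
"""Hardcoded-credential audit helper (added example, not hackmyagent's code).

Usage from a repository root:
    python secret_audit.py            # scan working tree and check .gitignore
    python secret_audit.py --staged   # pre-commit hook: only staged files
    python secret_audit.py --history  # also scan `git log -p --all`
Exit status 1 means something needs remediation.
"""
import os
import re
import subprocess
import sys

# Constructed detection rules; production scanners ship far larger rule sets.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # NAME=value or name: "value" where NAME ends in key/secret/token/password
    "secret_assignment": re.compile(
        r"(?i)\b(\w*(?:api[_-]?key|secret|token|password|passwd))\s*[:=]\s*"
        r"['\"]?([A-Za-z0-9_\-./+=]{8,})['\"]?"
    ),
}
# Values that look like documentation placeholders rather than live secrets.
PLACEHOLDER = re.compile(r"(?i)^(changeme|example\w*|your[_-]?\w*|placeholder|x{8,}|\*{8,})$")
SKIP_DIRS = {".git", "node_modules", "__pycache__", ".venv"}


def find_secrets(text, path="<string>"):
    """Return (path, line_no, rule, snippet) for each line matching a rule."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if m is None:
                continue
            if rule == "secret_assignment" and PLACEHOLDER.match(m.group(2)):
                continue  # e.g. password = "changeme" in a template file
            hits.append((path, line_no, rule, line.strip()[:80]))
            break  # one finding per line is enough
    return hits


def env_files_ignored(gitignore_text):
    """True if .gitignore has an active (non-comment) rule covering .env files."""
    for raw in gitignore_text.splitlines():
        rule = raw.strip()
        if rule.startswith("#"):
            continue
        if rule in {".env", "/.env", "*.env", ".env*", ".env.*"}:
            return True
    return False


def scan_files(paths):
    """Run find_secrets over every readable file in paths (binary junk is tolerated)."""
    hits = []
    for path in paths:
        try:
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                hits.extend(find_secrets(fh.read(), path))
        except OSError:
            pass
    return hits


def tree_files(root):
    """Yield file paths under root, skipping vendored and VCS directories."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            yield os.path.join(dirpath, name)


def git_output(args):
    """Return stdout of a git command; empty string if git is unavailable."""
    proc = subprocess.run(["git"] + args, capture_output=True, text=True, check=False)
    return proc.stdout


def audit(root=".", staged_only=False, history=False):
    """Return a summary dict; 'ok' is False when anything needs remediation."""
    if staged_only:  # hook mode: only what is about to be committed
        names = git_output(["diff", "--cached", "--name-only", "--diff-filter=ACM"])
        files = [f for f in names.splitlines() if f]
    else:
        files = list(tree_files(root))
    findings = scan_files(files)
    if history:  # a secret removed from the tree still sits in old commits
        log = git_output(["log", "-p", "--all", "--no-color"])
        findings += find_secrets(log, "<git history>")
    gitignore = os.path.join(root, ".gitignore")
    ignored = False
    if os.path.exists(gitignore):
        with open(gitignore, "r", encoding="utf-8", errors="ignore") as fh:
            ignored = env_files_ignored(fh.read())
    return {"findings": findings, "env_ignored": ignored, "ok": not findings and ignored}


if __name__ == "__main__":
    result = audit(staged_only="--staged" in sys.argv, history="--history" in sys.argv)
    for path, line_no, rule, snippet in result["findings"]:
        print(f"{path}:{line_no}: {rule}: {snippet}")
    if not result["env_ignored"]:
        print(".gitignore does not exclude .env files")
    sys.exit(0 if result["ok"] else 1)
```

To use it as the pre-commit hook from step 4, call `python secret_audit.py --staged` from `.git/hooks/pre-commit` (or a pre-commit framework config); a non-zero exit blocks the commit. Any finding in history output means the credential must be rotated, not merely deleted, since removing the line from the tree does not remove it from past commits or from clones.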
Framework Mappings
CIS Control 3.10
CIS Control 3.11
NIST PR.AC-1
NIST PR.DS-1
OWASP LLM06:2023