https://www.secdev.uk/blog/tags/hardcoded-credentials/ Recent content in Hardcoded Credentials on guy@secdev.uk Hugo en-gb Guy Dixon | guy@secdev.uk Sat, 17 Jan 2026 00:00:00 +0000 https://www.secdev.uk/blog/technology/2026-01-17-secrets-in-source-code/ Sat, 17 Jan 2026 00:00:00 +0000 https://www.secdev.uk/blog/technology/2026-01-17-secrets-in-source-code/ <p>Hardcoded credentials are one of the most common and most preventable vulnerability classes out there. API keys, database passwords, encryption keys, and service tokens embedded directly in source code end up in version control, build artifacts, container images, and log files. Once a secret reaches a Git repository, it persists in the history even after the offending line is deleted. When I started researching how often this happens in practice, the numbers were staggering, public reports of leaked credentials on GitHub alone run into the millions per year. In this post I&rsquo;ll cover the patterns that lead to hardcoded secrets, the tools that detect them, and the architecture changes that eliminate them for good.</p>