include::../../../shared_content/secrets/description.adoc[]

== Why is this an issue?

include::../../../shared_content/secrets/rationale.adoc[]

=== What is the potential impact?

include::../common/impact/rationale.adoc[]

include::../../../shared_content/secrets/impact/financial_loss.adoc[]

include::../../../shared_content/secrets/impact/security_downgrade.adoc[]

== How to fix it

include::../../../shared_content/secrets/fix/revoke.adoc[]

include::../../../shared_content/secrets/fix/recent_use.adoc[]

include::../../../shared_content/secrets/fix/vault.adoc[]

=== Code examples

include::../common/fix/code-rationale.adoc[]

==== Noncompliant code example

[source,php,diff-id=1,diff-type=noncompliant]
----
use Defuse\Crypto\KeyOrPassword;

function createKey() {
    $password = "3xAmpl3";  // Noncompliant
    return KeyOrPassword::createFromPassword($password);
}
----

==== Compliant solution

[source,php,diff-id=1,diff-type=compliant]
----
use Defuse\Crypto\KeyOrPassword;

function createKey() {
    $password = $_ENV["SECRET"]
    return KeyOrPassword::createFromPassword($password);
}
----

include::../common/fix/how-it-works.adoc[]

== Resources

include::../common/resources/documentation.adoc[]

* Symfony - https://symfony.com/doc/current/configuration/secrets.html[How to
Keep Sensitive Information Secret]

include::../common/resources/standards.adoc[]

ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)

=== Message

Revoke and change this password, as it is compromised.

=== Highlighting

Highlight the credential use and its initialization.

'''
endif::env-github,rspecator-view[]