include::../../../shared_content/secrets/description.adoc[]

== Why is this an issue?

include::../../../shared_content/secrets/rationale.adoc[]

=== What is the potential impact?

include::../common/impact/rationale.adoc[]

include::../../../shared_content/secrets/impact/financial_loss.adoc[]

include::../../../shared_content/secrets/impact/security_downgrade.adoc[]

== How to fix it

include::../../../shared_content/secrets/fix/revoke.adoc[]

include::../../../shared_content/secrets/fix/recent_use.adoc[]

include::../../../shared_content/secrets/fix/vault.adoc[]

=== Code examples

include::../common/fix/code-rationale.adoc[]

==== Noncompliant code example

[source,java,diff-id=1,diff-type=noncompliant]
----
import org.h2.security.SHA256;

String inputString = "s3cr37";
byte[] key         = inputString.getBytes();

SHA256.getHMAC(key, message);  // Noncompliant
----

==== Compliant solution

[source,java,diff-id=1,diff-type=compliant]
----
import org.h2.security.SHA256;

String inputString = System.getenv("SECRET");
byte[] key         = inputString.getBytes();

SHA256.getHMAC(key, message);  // Noncompliant
----

include::../common/fix/how-it-works.adoc[]

== Resources

include::../common/resources/documentation.adoc[]

include::../common/resources/standards.adoc[]

ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)

=== Message

Revoke and change this password, as it is compromised.

=== Highlighting

Highlight the credential use and its initialization.

'''
endif::env-github,rspecator-view[]