## 🔒 RSOLV Security Scanner Exposes Hardcoded API Keys in Nodegoat Demo Repository
A vulnerability report generated by the RSOLV scanner identifies HIGH-severity hardcoded secrets in the RSOLV-dev/nodegoat-vulnerability-demo repository. The scan, run on March 4, 2026, found the same hardcoded API key in two configuration files, `config/env/development.js` and `config/env/test.js`; in both, line 6 reads `zapApiKey: "v9dn0balpqas1pcc281tn5ood1"`. The finding is classified as CWE-798 (Use of Hard-coded Credentials) and mapped to OWASP A07:2021 (Identification and Authentication Failures). The report notes that secrets committed to source code are exposed to anyone who obtains the code, whether through a leak or unauthorized repository access, compromising the API keys, passwords, and other credentials involved. It recommends removing the literals from source and loading secrets instead from environment variables, a dedicated key management system, or configuration files excluded from version control. One caveat the recommendation leaves implicit: deleting the literal from the working tree does not remove it from git history, so a key that has ever been committed should be treated as compromised and rotated, not merely relocated. The finding was generated automatically and can be dismissed by applying the labels `rsolv:false-positive` or `rsolv:accepted-risk`.
---
- **Source**: 
- **Sector**: The Network
- **Tags**: security, vulnerability, hardcoded, credentials, api-key
- **Credibility**: unverified
- **Published**: 2026-03-06 05:13:08
- **ID**: 2387
- **URL**: https://whisperx.ai/en/intel/2387