fuzzforge_ai/backend/toolbox/modules/android/custom_rules/hardcoded-secrets.yaml

rules:
  - id: hardcoded-secrets
    severity: WARNING
    languages: [java]
    message: "Possible hardcoded secret found in variable '$NAME'."
    metadata:
      authors:
        - Guerric ELOI (FuzzingLabs)
      owasp-mobile: M2
      category: secrets
      verification-level: [L1]
    paths:
      include:
        - "**/*.java"
    patterns:
      - pattern-either:
          - pattern: 'String $NAME = "$VAL";'
          - pattern: 'final String $NAME = "$VAL";'
          - pattern: 'private String $NAME = "$VAL";'
          - pattern: 'public static String $NAME = "$VAL";'
          - pattern: 'static final String $NAME = "$VAL";'
      - pattern-regex: "$NAME =~ /(?i).*(api|key|token|secret|pass|auth|session|bearer|access|private).*/"