AgileFlow

Secrets & Cryptography

PreviousNext

Secrets and cryptography analyzer for hardcoded credentials, weak crypto algorithms, insecure randomness, and debug mode exposure

Secrets & Cryptography

The Security Analyzer: Secrets & Cryptography is a specialized security analyzer focused on secrets management and cryptographic vulnerabilities. It finds hardcoded credentials, weak cryptographic practices, and insecure configuration defaults that could compromise the application.

When to Use

Use this agent when:

  • You need to find hardcoded API keys, passwords, or database credentials in source code
  • You want to identify weak cryptographic algorithms (MD5, SHA1, DES, RC4, ECB mode)
  • You're checking for insecure randomness used in security-sensitive operations (tokens, nonces)
  • You need to detect debug mode or verbose error output in production configuration
  • You want to find disabled TLS verification or insecure defaults
  • You're checking for encryption keys stored alongside the data they protect
  • You need to verify .gitignore covers sensitive files

How It Works

  1. Reads target code - Focuses on configuration files, crypto/hashing functions, token generation, API client initialization, and environment variable patterns
  2. Identifies patterns - Looks for hardcoded credentials, weak algorithms (MD5, SHA1, DES), Math.random() for security, debug flags, disabled TLS, and insecure defaults
  3. Reports findings - Generates structured findings with specific locations, severity levels, exploitation scenarios, and suggested fixes
  4. Validates practices - Checks for use of secure libraries (bcrypt, argon2, libsodium) and proper environment variable usage

Focus Areas

  • Hardcoded API keys/passwords/tokens: Credentials embedded in source code instead of environment variables
  • Weak cryptographic algorithms: MD5, SHA1, DES, RC4, ECB mode for encryption (not just hashing — hashing for checksums is fine)
  • Insecure randomness: Math.random(), random.random() used for security-sensitive operations (tokens, IDs, nonces)
  • Debug mode in production: Debug flags, verbose error output, development settings in production config
  • Insecure defaults: Default passwords, disabled TLS verification, permissive security settings
  • Keys alongside encrypted data: Encryption keys stored next to the data they protect
  • Missing .gitignore entries: Sensitive files (.env, credentials) not excluded from version control
  • Small key sizes: RSA < 2048 bits, AES < 128 bits, HMAC with short secrets

Tools Available

This agent has access to: Read, Glob, Grep

Example Analysis

Given this code:

// VULN: API key hardcoded in source
const stripe = require('stripe')('sk_live_abc123def456');
 
// VULN: Predictable token generation
const resetToken = Math.random().toString(36).substring(2);
 
// VULN: Debug mode enabled in production
app.use(errorHandler({ debug: true }));

The Secrets & Cryptography analyzer would identify:

Finding: Hardcoded Stripe API key

Location: config/payment.ts:3 Severity: CRITICAL Confidence: HIGH CWE: CWE-798 (Use of Hard-Coded Credentials) OWASP: A02:2021 Cryptographic Failures

Issue: Live Stripe API key is embedded directly in source code. Any attacker with access to the repository can use this key to charge customers and access payment data.

Exploit Scenario:

  • Attack: Clone repository from GitHub, extract API key, use it to make charges or refund transactions
  • Impact: Financial fraud, unauthorized charges, data breach

Remediation:

// SAFE: Load credentials from environment variables
const stripe = require('stripe')(process.env.STRIPE_SECRET_KEY);
// In .env: STRIPE_SECRET_KEY=sk_live_abc123def456

Finding: Predictable password reset token

Location: auth/reset.ts:12 Severity: CRITICAL Confidence: HIGH CWE: CWE-330 (Use of Insufficiently Random Values) OWASP: A02:2021 Cryptographic Failures

Issue: Math.random() produces predictable values that are not suitable for security tokens. Attackers can generate valid reset tokens for arbitrary users.

Exploit Scenario:

  • Attack: Generate reset tokens using Math.random(), reset victim's password
  • Impact: Account takeover without knowledge of original password

Remediation:

// SAFE: Use cryptographically secure random
const crypto = require('crypto');
const resetToken = crypto.randomBytes(32).toString('hex');

Best Practices

  • Store all credentials in environment variables, not in code (use .env files locally, environment variables in production)
  • Never commit .env or credential files to version control (add to .gitignore)
  • Use bcrypt, scrypt, or argon2 for password hashing
  • Use AES-256-GCM for symmetric encryption (not DES, RC4, or ECB mode)
  • Use RSA-2048 or better for asymmetric encryption
  • Use crypto.randomBytes() or crypto.getRandomValues() for security-sensitive random values
  • Disable debug mode in production (use NODE_ENV === 'production' checks)
  • Enable TLS certificate verification by default
  • Rotate credentials regularly, especially after code exposure
  • Scan dependencies for credential patterns (tools like git-secrets, detect-secrets)

Output Format

For each potential issue, the agent provides:

  • Location: Exact file path and line number
  • Severity: CRITICAL (credential exposure), HIGH (weak crypto), MEDIUM (insecure default), LOW (hardening)
  • Confidence: HIGH, MEDIUM, or LOW
  • CWE: Standard CWE identifier
  • OWASP: OWASP Top 10 category
  • Code: Relevant code snippet
  • Issue: Clear explanation of the cryptographic weakness or secrets exposure
  • Exploit Scenario: How an attacker could exploit this with expected impact
  • Remediation: Specific fix with code example

Example Usage

Task(
  description: "Audit secrets and cryptography",
  prompt: "Review all configuration files and authentication code for hardcoded credentials, weak algorithms, and insecure randomness.",
  subagent_type: "agileflow-security-analyzer-secrets"
)

Related Agents