I'm trying to deploy a React app made with "create-react-app" on OpenShift; one of the pipeline's steps is a Veracode analysis. At this step my pipeline fails for "Use of Hard-coded Password", and the source viewer shows me this file, "ReactPropTypesSecret.js", which has the following lines:
var ReactPropTypesSecret = "SECRET_DO_NOT_PASS_THIS_OR_YOU_WILL_BE_FIRED";
module.exports = ReactPropTypesSecret;
I don't know how to fix it...
Hard-coded password findings are challenging because the scanner has to make its best judgment about which variables might actually contain passwords, based on heuristics. Sometimes that leads the scanner to guess wrong.
(I'm guessing that the actual cause of this text was something like this Reddit post.)
Assuming you are doing a sandbox scan, the way to deal with these sorts of warnings from Veracode is to propose a mitigation and get someone to approve it (depending on your organization, it could be someone on your team or someone in security). Once the mitigation is approved, the next scan will show the line has an approved mitigation and it will not cause the scan to fail the pipeline.
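To make the answer's two points concrete (the finding comes from a name-based heuristic, and only an approved mitigation lets the gate pass), here is an added example that is not code from the question, the answer, Veracode or prop-types. It is a toy scanner: it flags a string literal assigned to an identifier whose name looks like a credential, then applies a list of reviewed mitigations and decides whether the pipeline should fail. The file paths, the shape of the mitigation records and the contents of `src/app.js` are assumptions; the prop-types lines are the ones quoted in the question.

```javascript
// Added example, not code from the question, the answer, Veracode or prop-types.
// A toy name-based heuristic for "hard-coded password" findings, plus a
// reviewed-mitigation list that gates a pipeline the way the answer describes.
// File paths, the mitigation record shape and src/app.js are assumptions.

// Identifier names that suggest a credential (a heuristic, not proof).
const SECRET_NAME_RE = /(password|passwd|pwd|secret|token|api[_-]?key)/i;

// `var|let|const NAME = "literal";` on one line (the only shape this toy handles).
const ASSIGN_RE =
  /^\s*(?:var|let|const)\s+([A-Za-z_$][\w$]*)\s*=\s*(?:"([^"]*)"|'([^']*)')\s*;?\s*$/;

// Scan one source file and return a finding for each suspicious assignment.
function scanSource(filename, source) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    const m = ASSIGN_RE.exec(line);
    if (!m) return;
    const name = m[1];
    const value = m[2] !== undefined ? m[2] : m[3];
    if (SECRET_NAME_RE.test(name) && value.length > 0) {
      findings.push({ file: filename, line: idx + 1, name, status: "open" });
    }
  });
  return findings;
}

// Attach reviewed mitigations. Only an approved mitigation changes a finding's
// status; one that is proposed but not yet approved still counts against the gate.
function applyMitigations(findings, mitigations) {
  return findings.map((f) => {
    const m = mitigations.find((x) => x.file === f.file && x.name === f.name);
    if (!m) return f;
    return { ...f, status: m.approved ? "mitigated" : "proposed", justification: m.justification };
  });
}

// The pipeline gate: any finding that is not mitigated fails the build.
function shouldFailPipeline(findings) {
  return findings.some((f) => f.status !== "mitigated");
}

// Constructed inputs. The prop-types lines are the ones quoted in the question;
// src/app.js is made up and holds a placeholder, not a real credential.
const SOURCES = {
  "node_modules/prop-types/lib/ReactPropTypesSecret.js":
    'var ReactPropTypesSecret = "SECRET_DO_NOT_PASS_THIS_OR_YOU_WILL_BE_FIRED";\n' +
    "module.exports = ReactPropTypesSecret;\n",
  "src/app.js":
    'const apiBase = "https://example.invalid/api";\n' +
    'const dbPassword = "EXAMPLE_NOT_A_REAL_PASSWORD";\n',
};

// Assumed mitigation records: one approved (the library sentinel), one still pending.
const MITIGATIONS = [
  {
    file: "node_modules/prop-types/lib/ReactPropTypesSecret.js",
    name: "ReactPropTypesSecret",
    approved: true,
    justification: "Library sentinel string used for an internal check; not a credential.",
  },
  { file: "src/app.js", name: "dbPassword", approved: false, justification: "Pending review" },
];

// Run the scan over all constructed files, before and after mitigations.
function runExample() {
  const raw = Object.entries(SOURCES).flatMap(([file, src]) => scanSource(file, src));
  const reviewed = applyMitigations(raw, MITIGATIONS);
  return {
    raw,
    reviewed,
    failsBefore: shouldFailPipeline(raw),
    failsAfter: shouldFailPipeline(reviewed),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const r = runExample();
  for (const f of r.reviewed) console.log(`${f.file}:${f.line} ${f.name} -> ${f.status}`);
  console.log("pipeline fails:", r.failsAfter);
}
```

Run with `node` to see both findings listed. The prop-types sentinel is flagged purely because its name contains "Secret", which is exactly the heuristic false positive the answer describes; once its mitigation is approved it no longer fails the gate, while the still-unreviewed `dbPassword` keeps the pipeline red. That mirrors the process in the answer, not the internals of any particular scanner.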