NCC Group has released a new open source tool called Code Credential Scanner (CCS), to help dev teams detect hardcoded credentials, or credentials present in configuration files within a repository – a serious security issue that can be extremely hard to detect and manage.

According to a blog post, the tool is intended to be used directly by dev teams in a CI/CD pipeline, to manage the remediation process for this issue by alerting the team when credentials are present in the code, so that the team can immediately fix issues as they arise; an example github action is provided to illustrate how this can be configured. Since the tool runs on a local filesystem, it can also be run ad-hoc to detect credentials in local files.

The script is written in python and requires no external dependencies. When run without parameters, it attempts to return only the most serious results, and reduce the number of false-positives (at the inevitable cost of false-negatives). Alternatively, it can be run in a more verbose mode to return usernames, email addresses and similar, in addition to passwords and keys.

CCS is now available for download.