Add check for hardcoded passwords in dicts. (#1338)

alanverresen · pre-commit-ci[bot] · web-flow · commit 649b9bdf87f4 · 2025-11-30T09:55:20.000-08:00
* Add check for hardcoded passwords in dicts. * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --------- Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
diff --git a/bandit/plugins/general_hardcoded_password.py b/bandit/plugins/general_hardcoded_password.py
@@ -89,6 +89,18 @@ def hardcoded_password_string(context):
             ):
                 return _report(node.value)
 
+    elif (
+        isinstance(node._bandit_parent, ast.Dict)
+        and node in node._bandit_parent.keys
+        and RE_CANDIDATES.search(node.value)
+    ):
+        # looks for "{'candidate': 'some_string'}"
+        dict_node = node._bandit_parent
+        pos = dict_node.keys.index(node)
+        value_node = dict_node.values[pos]
+        if isinstance(value_node, ast.Constant):
+            return _report(value_node.value)
+
     elif isinstance(
         node._bandit_parent, ast.Subscript
     ) and RE_CANDIDATES.search(node.value):
diff --git a/examples/hardcoded-passwords.py b/examples/hardcoded-passwords.py
@@ -87,3 +87,19 @@ def __init__(self, auth_scheme, auth_token=None, auth_username=None, auth_passwo
     default='',
     secret=True,
 )
+
+# Possible hardcoded password: 'pass'
+# Severity: Low   Confidence: Medium
+# https://github.com/PyCQA/bandit/issues/313
+log({"server": server, "password": 'pass', "user": user})
+
+# ... but not:
+log({"server": server, "password": password, "user": user})
+
+# Possible hardcoded password: '12345'
+# Severity: Low   Confidence: Medium
+# https://github.com/PyCQA/bandit/issues/1267
+info = {"password": "12345"}
+
+# ... but not:
+info = {"password": password}
diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py
@@ -168,8 +168,8 @@ def test_exec(self):
     def test_hardcoded_passwords(self):
         """Test for hard-coded passwords."""
         expect = {
-            "SEVERITY": {"UNDEFINED": 0, "LOW": 14, "MEDIUM": 0, "HIGH": 0},
-            "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 14, "HIGH": 0},
+            "SEVERITY": {"UNDEFINED": 0, "LOW": 16, "MEDIUM": 0, "HIGH": 0},
+            "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 16, "HIGH": 0},
         }
         self.check_example("hardcoded-passwords.py", expect)
 
