Hardcoded credential-pair backdoor login
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
A condition compares a username/email and a password against string literals joined by &&, a hardcoded backdoor login that bypasses the real user store.
Why it matters
Comparing a username and a password against string literals in one condition is a backdoor login: it grants access whenever someone supplies that exact pair, completely independent of the real user store. These are usually added for a demo or a test and then forgotten, and because the credentials are in the source, anyone who reads it can log in.
How to fix it
Delete the hardcoded credential check entirely and authenticate against your real user store with hashed passwords. If you need a seeded admin for first-run setup, create a normal account whose password comes from an environment variable or is generated and reset on first login. Never branch auth on a literal username/password pair.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo