Will It Vibe logoWill It Vibe?
CRYPTO-010Medium severity-8 points

Hardcoded cryptographic salt

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A salt is a string/byte literal. A shared static salt lets one rainbow table cover every hash and defeats per-value salting.

Why it matters

A shared static salt defeats the point of salting: one precomputed rainbow table covers every value, and identical inputs still produce identical hashes. For password storage this dramatically lowers cracking cost. For key derivation it lets an attacker reuse work across all your users.

How to fix it

Use a unique, randomly generated salt per value, produced by a cryptographic RNG and stored next to the resulting hash (password hashing libraries do this automatically). For key derivation with PBKDF2/scrypt/Argon2, pass a fresh random salt of at least 16 bytes. Never commit a salt as a literal.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks