Hardcoded cryptographic salt
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
A salt is a string/byte literal. A shared static salt lets one rainbow table cover every hash and defeats per-value salting.
Why it matters
A shared static salt defeats the point of salting: one precomputed rainbow table covers every value, and identical inputs still produce identical hashes. For password storage this dramatically lowers cracking cost. For key derivation it lets an attacker reuse work across all your users.
How to fix it
Use a unique, randomly generated salt per value, produced by a cryptographic RNG and stored next to the resulting hash (password hashing libraries do this automatically). For key derivation with PBKDF2/scrypt/Argon2, pass a fresh random salt of at least 16 bytes. Never commit a salt as a literal.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo