Hardcoded X.509/PFX certificate password
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
X509Certificate2 is constructed with a literal string as the private-key password instead of a value from configuration or a secret store, so the certificate's private key is protected by a password anyone reading the source already knows.
Why it matters
X509Certificate2 takes the private-key password as its second constructor argument; a string literal there means the certificate's private key is protected by a password that is visible to anyone reading the source, which defeats the purpose of password-protecting the key material in the first place.
How to fix it
Read the certificate password from configuration, an environment variable, or a secret store rather than embedding it as a literal, and prefer loading certificates from a platform certificate store (X509Store) or a managed key vault over a password-protected file on disk where your deployment target supports it.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo