Will It Vibe logoWill It Vibe?
CSHARP-018Medium severity-8 points

Hardcoded X.509/PFX certificate password

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

X509Certificate2 is constructed with a literal string as the private-key password instead of a value from configuration or a secret store, so the certificate's private key is protected by a password anyone reading the source already knows.

Why it matters

X509Certificate2 takes the private-key password as its second constructor argument; a string literal there means the certificate's private key is protected by a password that is visible to anyone reading the source, which defeats the purpose of password-protecting the key material in the first place.

How to fix it

Read the certificate password from configuration, an environment variable, or a secret store rather than embedding it as a literal, and prefer loading certificates from a platform certificate store (X509Store) or a managed key vault over a password-protected file on disk where your deployment target supports it.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks