Configure "Hardcoded Password and Cryptographic Key" policy



In Contrast Security version 3.8.8, the Assess rules for Hardcoded Password and Hardcoded Cryptographic Key are disabled by default for newly onboarded applications (bulletin here). All applications onboarded after this release will have these two Assess rules turned off by default, but the rules can be re-enabled by following this documentation.

IMPORTANT: This update to Contrast will not affect any existing applications. This change only affects applications onboarded with or after the release of Contrast v3.8.8. If you wish to disable these rules on your existing applications, follow the same instructions and toggle the rules off instead.

Main steps

You will do the following in this guide:

  1. Navigate to Policy Management
  2. Configure the default policy
  3. Search for the rules
  4. Enable the rules

This guide assumes you have:

  • Access to the Contrast Teamserver UI
  • Admin permissions to edit Assess rules policies


  1. Navigate to Policy Management

Click your username in the top-right corner to open the Contrast settings, then select Policy Management (figure 1). Assess Rules should be displayed. If not, select Assess Rules in the left-hand menu.


  2. Configure the default policy

Click the Configure the default policy text to navigate to the Assess Rules Defaults settings.



  3. Search for “hardcoded” to narrow down the ruleset
    1. Use the dropdown menu to select All (Figure 3).
    2. Search for the word hardcoded.
    3. You will see two rules as a result.
    4. Notice that the two rules have been turned off in all three environments.


  4. Enable rules by environment

Click the toggle button for each rule in each environment where you want it enabled. As an example, we have enabled both rules in Development and QA but kept the rules off in our Production environment.



  5. Save your changes

Click the small grey x in the top right corner of the Assess Rules Defaults pane to save your updated settings. All onboarded applications will now have these rules enabled in the specified environments.


