Hard-coded passwords are currently detected in a limited set of cases (cf. RSPEC).
Three cases might be evaluated and maybe added:
- Macros: they are very often used as global variables, especially in C.
- For function calls, we could apply the rule to the names of parameters (which are a sort of variable). This could catch hard-coded credentials in calls.
- Still for hard-coded credentials in function calls: some libraries/frameworks do something like set(PASSWD, "secret"). So flagging such function calls, where an enumerator whose name contains "passwd" is passed together with a string literal, could work.
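As an added illustration of the three proposed cases (this is not code from the ticket or the analyzer), a small Python heuristic scans a constructed C snippet for a credential macro, a literal passed to a credential-named parameter, and a "passwd" enumerator paired with a literal; the function and regex names are assumptions.

```python
import re

# Constructed C source (not from the original page) covering the three proposed
# cases: credential macro, literal to a credential-named parameter, "passwd" enum.
SAMPLE_C = """\
#define DB_PASSWORD "hunter2"
#define DB_HOST "db.example"
enum setting { HOST, PASSWD, TIMEOUT };
void set(enum setting key, const char *value);
void db_connect(const char *host, const char *password);
int main(void) {
    set(HOST, "db.example");
    set(PASSWD, "secret");
    db_connect("db.example", "letmein");
    db_connect("db.example", getenv("DB_PASS"));
    return 0;
}
"""

CRED = re.compile(r"passw(or)?d|pwd|secret", re.I)    # credential-like names
LITERAL = re.compile(r'^"(?:[^"\\]|\\.)*"$')            # exactly one C string literal
PROTO = re.compile(r"^\s*\w[\w\s*]*?\b(\w+)\s*\(([^)]*)\)\s*;", re.M)
CALL = re.compile(r"\b(\w+)\s*\(([^;]*)\)\s*;")
DEFINE = re.compile(r'^\s*#\s*define\s+(\w+)\s+"')

def find_hardcoded(src):
    """Return (line, case, detail); only string literals count, so getenv() is not flagged."""
    params = {m.group(1): [p.split()[-1].lstrip("*") for p in m.group(2).split(",")]
              for m in PROTO.finditer(src)}          # parameter names per prototype
    enumerators = {e.split("=")[0].strip()           # every enumerator in the file
                   for body in re.findall(r"enum\s+\w*\s*\{([^}]*)\}", src)
                   for e in body.split(",") if e.strip()}
    hits = []
    for no, line in enumerate(src.splitlines(), 1):
        m = DEFINE.match(line)
        if m and CRED.search(m.group(1)):            # case 1: #define NAME "..."
            hits.append((no, "macro", m.group(1)))
            continue
        for call in CALL.finditer(line):
            name, args = call.group(1), [a.strip() for a in call.group(2).split(",")]
            literal_idx = [i for i, a in enumerate(args) if LITERAL.match(a)]
            pnames = params.get(name, [])
            for i in literal_idx:                    # case 2: literal -> credential parameter
                if i < len(pnames) and CRED.search(pnames[i]):
                    hits.append((no, "param", f"{name}:{pnames[i]}"))
            cred_enum = [a for a in args if a in enumerators and CRED.search(a)]
            if literal_idx and cred_enum:            # case 3: passwd enumerator + literal
                hits.append((no, "enum", f"{name}:{cred_enum[0]}"))
    return hits
```

Running find_hardcoded(SAMPLE_C) reports the macro on line 1, the enumerator call on line 8 and the parameter case on line 9, while the getenv() call on line 10 is left alone.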