Proj0302: Credentials should be injected

Credentials should not be exposed in repositories for obvious reasons. ClearTextPassword is the least preferable way to authenticate to a NuGet feed. At least make sure the credentials are not verbatim in the NuGet.config, but are injected into the config by an environment variable.

Non-compliant 

 <configuration>
  <packageSourceCredentials>
    <SomeKey>
      <add key="Username" value="Admin" />
      <add key="ClearTextPassword" value="33f!!lloppa" />
    </SomeKey>
  </packageSourceCredentials>
</configuration>

Compliant 

 <configuration>
  <packageSourceCredentials>
    <SomeKey>
      <add key="Username" value="Admin" />
      <add key="ClearTextPassword" value="%SOME_PLACEHOLDER%" />
    </SomeKey>
  </packageSourceCredentials>
</configuration>

Edit this page on GitHub.