Description
The file libs/SalesforceSDKCore/SalesforceSDKCoreTests/JwtAccessTokenTests.swift contains a hardcoded JWT (the testRawJwt constant) that includes:
A signed JWT with header, payload, and signature
A client_id value (3MVG9.AgwtoIvERSd8i8lePrqfs7CazRx2llbL8ubNoG6R3HsYomQFRpbayaMH4HtzH3zj0NDEmC0PIohw0Pf)
References to a test Salesforce org (mobilesdkatsdb6.test1.my.pc-rnd.salesforce.com)
Impact
Secret scanners and static application security testing (SAST) tools (e.g., Gitleaks, Checkmarx) flag this as an exposed secret (a hardcoded JWT credential) in any downstream project that vendors the SDK. Even though this appears to be a test token for an internal Salesforce test environment, scanners cannot tell a fixture from a live credential by inspection, so it produces security findings for every consumer of this SDK.
Recommendation
Replace the hardcoded JWT with a token generated at test time, signed with a throwaway test-only key, so no signed token string ever lands in the repository (preferred: it removes the finding at the source for every consumer), OR
Move the test JWT to an environment variable / test fixture file that is excluded from secret scanning (note that a fixture file still ships the token in the repository, so downstream scanners running their own configuration will still flag it), OR
Add a .gitleaks.toml path allowlist / inline allowlist annotation marking this as a non-sensitive test fixture (this only silences Gitleaks in this repository; other scanners and downstream pipelines need their own exceptions)
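As an added example of the first recommendation (not the SDK's own test code), the test below builds the JWT under test at run time with a CryptoKit HMAC key created fresh for each run, then checks the same structural properties a parser test would check. The claim values, issuer URL and client_id are hypothetical placeholders, and the class and function names are assumptions, not names from the SDK.

```swift
// Added example, not part of SalesforceMobileSDK-iOS: generate the test JWT
// at run time with a throwaway HS256 key instead of committing a signed token.
// Claim values, issuer and client_id below are placeholders, not real org data.
import Foundation
import CryptoKit
import XCTest

/// Base64url without padding, as RFC 7515 requires for JWS segments.
private func base64Url(_ data: Data) -> String {
    data.base64EncodedString()
        .replacingOccurrences(of: "+", with: "-")
        .replacingOccurrences(of: "/", with: "_")
        .replacingOccurrences(of: "=", with: "")
}

/// Inverse of base64Url: restore padding and the standard alphabet, then decode.
private func decodeBase64Url(_ segment: String) -> Data? {
    var s = segment
        .replacingOccurrences(of: "-", with: "+")
        .replacingOccurrences(of: "_", with: "/")
    while s.count % 4 != 0 { s.append("=") }
    return Data(base64Encoded: s)
}

/// Builds a compact-serialized HS256 JWT from `claims`, signed with `key`.
/// Because `key` is created per run, neither the signature nor the full token
/// is ever a fixed literal in source, so secret scanners have nothing to match.
func makeTestJwt(claims: [String: Any], key: SymmetricKey) throws -> String {
    let header: [String: Any] = ["alg": "HS256", "typ": "JWT"]
    let headerSegment = base64Url(
        try JSONSerialization.data(withJSONObject: header, options: [.sortedKeys]))
    let payloadSegment = base64Url(
        try JSONSerialization.data(withJSONObject: claims, options: [.sortedKeys]))
    let signingInput = Data("\(headerSegment).\(payloadSegment)".utf8)
    let mac = HMAC<SHA256>.authenticationCode(for: signingInput, using: key)
    return "\(headerSegment).\(payloadSegment).\(base64Url(Data(mac)))"
}

final class GeneratedJwtFixtureTests: XCTestCase {  // hypothetical test class name
    func testGeneratedJwtIsWellFormed() throws {
        let key = SymmetricKey(size: .bits256)  // test-only key, never persisted
        let now = Int(Date().timeIntervalSince1970)
        // Placeholder claims: hypothetical issuer and client_id, not real values.
        let claims: [String: Any] = [
            "iss": "https://example.invalid",
            "sub": "https://example.invalid/id/00D000000000000/005000000000000",
            "client_id": "EXAMPLE_CLIENT_ID",
            "scp": "api web",
            "iat": now,
            "exp": now + 3600,
        ]
        let rawJwt = try makeTestJwt(claims: claims, key: key)

        // Three dot-separated segments, all base64url-decodable.
        let parts = rawJwt.split(separator: ".").map(String.init)
        XCTAssertEqual(parts.count, 3)
        let headerData = try XCTUnwrap(decodeBase64Url(parts[0]))
        let payloadData = try XCTUnwrap(decodeBase64Url(parts[1]))
        let signature = try XCTUnwrap(decodeBase64Url(parts[2]))

        // Header and payload decode to the claims we put in.
        let header = try XCTUnwrap(
            try JSONSerialization.jsonObject(with: headerData) as? [String: Any])
        let payload = try XCTUnwrap(
            try JSONSerialization.jsonObject(with: payloadData) as? [String: Any])
        XCTAssertEqual(header["alg"] as? String, "HS256")
        XCTAssertEqual(payload["client_id"] as? String, "EXAMPLE_CLIENT_ID")
        XCTAssertEqual(payload["exp"] as? Int, now + 3600)

        // HS256 signature is 32 bytes and verifies under the per-run key.
        XCTAssertEqual(signature.count, 32)
        let signingInput = Data("\(parts[0]).\(parts[1])".utf8)
        XCTAssertTrue(HMAC<SHA256>.isValidAuthenticationCode(
            signature, authenticating: signingInput, using: key))
    }
}
```

If a literal token must stay for some reason, the third recommendation can be applied per line by appending Gitleaks' inline allow comment (`// gitleaks:allow`) to the line holding the constant, or per file with a `paths` entry under `[allowlist]` in .gitleaks.toml; either only affects Gitleaks in the repository that carries the configuration, which is why generating the token is the more durable fix for downstream consumers.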
Environment
SDK Version: v13.0.0
File: libs/SalesforceSDKCore/SalesforceSDKCoreTests/JwtAccessTokenTests.swift (line 33)
Scanner: Gitleaks (JWT detection rule)
Additional Context
This finding surfaces in downstream mobile apps that vendor the SDK as a git submodule (checked out under SalesforceMobileSDK-iOS). The finding blocks release pipelines even though the token is clearly a test artifact for a non-production Salesforce org.