IP addresses hardcoded in source code couple the application to a specific infrastructure configuration. Today’s services have an ever-changing architecture due to their scaling and redundancy needs. When an IP address changes, every hardcoded occurrence must be found and updated, which has an impact on development, delivery, and deployment:

Why is this an issue?

Hardcoding an IP address embeds infrastructure configuration directly into the application. This means any change to the network environment—such as moving a service to a different host or scaling horizontally—requires a code modification and a full redeployment. Unlike a domain name, a hardcoded address also makes it harder to use different values across environments such as development, staging, and production.

What is the potential impact?

Environment coupling

A hardcoded IP address is the same in every environment the application runs in. This makes it difficult to point development, staging, and production builds at different infrastructure without modifying the source code.

Increased deployment friction

Any change to the target host—such as migrating a service, scaling out, or rotating infrastructure—requires a code change and a full redeployment cycle. This prevents operational teams from making infrastructure adjustments independently and slows down incident response.

Exceptions

No issue is reported for the following well-known, special-purpose addresses, as they do not represent configurable infrastructure endpoints:

How to fix it

Code examples

The following code contains a hardcoded IP address instead of reading it from configuration or environment variables.

Noncompliant code example

import socket

ip = '192.168.12.42'  # Noncompliant: address is fixed at build time
sock = socket.socket()
sock.bind((ip, 9090))

Compliant solution

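import socket

# config is assumed to be an already-loaded configparser.ConfigParser;
# section and ipAddress name the option that holds the address
ip = config.get(section, ipAddress)
sock = socket.socket()
sock.bind((ip, 9090))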
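
The following is an added example, not part of the original rule text. It extends the compliant solution to per-environment configuration with validation. The names `APP_BIND_IP`, `APP_ENV`, `bind_ip`, the section names and the sample addresses are assumptions made for illustration.

```python
import configparser
import ipaddress
import os

# Constructed sample configuration: one section per environment.
# In a real deployment this lives in a file outside the source tree.
SAMPLE_INI = """
[development]
bind_ip = 127.0.0.1
[staging]
bind_ip = 10.20.0.15
[production]
bind_ip = 10.30.0.15
"""

def load_config(text=SAMPLE_INI):
    config = configparser.ConfigParser()
    config.read_string(text)
    return config

def resolve_bind_ip(config, environment, env=None):
    """Return the bind address for `environment` as an ipaddress object.

    Precedence: APP_BIND_IP environment variable (assumed name), then the
    bind_ip option of the environment's section. Raises ValueError when the
    value is missing or is not a valid IPv4/IPv6 address.
    """
    env = os.environ if env is None else env
    raw = env.get("APP_BIND_IP") or config.get(environment, "bind_ip", fallback=None)
    if raw is None:
        raise ValueError(f"no bind_ip configured for {environment!r}")
    # ip_address() rejects malformed input, so a configuration typo fails
    # at startup with a clear error instead of later inside bind().
    return ipaddress.ip_address(raw.strip())

if __name__ == "__main__":
    import socket
    addr = resolve_bind_ip(load_config(), os.environ.get("APP_ENV", "development"))
    # Pick the socket family from the configured address, not from the code.
    family = socket.AF_INET6 if addr.version == 6 else socket.AF_INET
    sock = socket.socket(family)
    sock.bind((str(addr), 9090))
    print("bound to", sock.getsockname())
    sock.close()
```
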

Resources

Standards