A hard-coded secret has been found in your code. You should quickly list where this secret is used, revoke it, and then change it in every system that uses it.

Passwords, secrets, and any type of credentials should only be used to authenticate a single entity (a person or a system).

If you allow third parties to authenticate as another system or person, they can impersonate legitimate identities and undermine trust within the organization.
It does not matter whether the impersonation is malicious: in either case, it is a clear breach of trust in the system, as the systems involved falsely assume that the authenticated entity is who it claims to be.
The consequences can be catastrophic.

Keeping credentials in plain text in a code base is tantamount to sharing that password with anyone who has access to the source code and runtime servers.
Thus, it is a breach of trust, as these individuals have the ability to impersonate others.

Secret management services are the most efficient tools to store credentials and protect the identities associated with them.
Cloud providers and on-premise services can be used for this purpose.

If storing credentials in a secret management service is not possible, follow these guidelines:

Noncompliant Code Example

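import java.nio.charset.StandardCharsets;
import org.h2.security.SHA256;

// The HMAC key is a string literal, so anyone who can read the source knows it
String inputString = "s3cr37";
byte[] key         = inputString.getBytes(StandardCharsets.UTF_8);

// message is the byte[] payload to authenticate, supplied by the caller
SHA256.getHMAC(key, message);  // Noncompliant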

Compliant Solution

Using AWS Secrets Manager:

import java.nio.charset.StandardCharsets;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueResponse;
import org.h2.security.SHA256;

public static void doSomething(SecretsManagerClient secretsClient, String secretName, byte[] message) {
  // Fetch the key at runtime by name; the value never appears in the source
  GetSecretValueRequest valueRequest = GetSecretValueRequest.builder()
    .secretId(secretName)
    .build();

  GetSecretValueResponse valueResponse = secretsClient.getSecretValue(valueRequest);
  String secret                        = valueResponse.secretString();

  // Fix the charset so the key bytes do not depend on the platform default
  byte[] key = secret.getBytes(StandardCharsets.UTF_8);
  SHA256.getHMAC(key, message);
}

Using Azure Key Vault Secret:

import java.nio.charset.StandardCharsets;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;
import org.h2.security.SHA256;

public static void doSomething(SecretClient secretClient, String secretName, byte[] message) {
  // Fetch the key at runtime by name; the value never appears in the source
  KeyVaultSecret retrievedSecret = secretClient.getSecret(secretName);
  String secret = retrievedSecret.getValue();

  // Fix the charset so the key bytes do not depend on the platform default
  byte[] key = secret.getBytes(StandardCharsets.UTF_8);
  SHA256.getHMAC(key, message);
}
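
For the first remediation step in the opening paragraph (listing where the secret is used), the following added example, which is not part of the original rule text, sweeps a checkout for the leaked value in plain, Base64 and hex form and reports only file, line and form, never the value itself. The function names, the choice of encodings and the skipped directory are assumptions of this example.

```python
import base64
import os
from pathlib import Path

# Assumption: .git holds compressed objects, so history needs a separate search.
SKIP_DIRS = {".git"}


def secret_variants(secret):
    """Byte patterns under which the same secret commonly appears in files."""
    if not secret:
        raise ValueError("empty secret would match every line")
    raw = secret.encode("utf-8")
    return {
        "plain": raw,
        # Matches only a standalone encoding of the secret; padding is stripped.
        "base64": base64.b64encode(raw).rstrip(b"="),
        "hex": raw.hex().encode("ascii"),
    }


def find_secret_usages(root, secret):
    """Return sorted (relative_path, line_number, variant) for each hit under root."""
    variants = secret_variants(secret)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = Path(dirpath, name)
            try:
                data = path.read_bytes()  # bytes, so binaries are searched too
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            for lineno, line in enumerate(data.splitlines(), start=1):
                for label, pattern in variants.items():
                    # Hex dumps may be upper case; compare them case-insensitively.
                    haystack = line.lower() if label == "hex" else line
                    if pattern in haystack:
                        hits.append((path.relative_to(root).as_posix(), lineno, label))
    return sorted(hits)


if __name__ == "__main__":
    import getpass
    import sys
    # Prompt instead of taking argv, so the value stays out of shell history.
    leaked = getpass.getpass("Leaked secret (not echoed): ")
    for rel, lineno, label in find_secret_usages(sys.argv[1], leaked):
        print(f"{rel}:{lineno}: {label}")
```

Every location it lists is a place the value has to be replaced once the secret has been revoked and changed.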
