That can be corrected because hard-coding passwords fails the government secure coding policies. So if the contractor hard-coded, then they failed the quality requirement. So it gets them into a fun-for-the-public catch-22.
The most effective method is to have continuous development through an open source structure, so any failures where someone hard-codes sensitive info in source get found quickly.