Secrets

Secrets

By DeepSource

Secrets detected in source codeSCT-1000

Security

Secrets should never be checked into source code. Ideally, they should be injected into the runtime and then the values should be picked from there.

Examples of secrets are SSH keys, API keys and secrets (AWS or Stripe APIs, for example), database credentials etc.

Examples

Bad practice

In the sample Python code below, the secrets have been hardcoded:

key = "12345azan+/ryGUuk"

Recommended

Ideally, this should be picked from the environment, like:

key = os.getenv("SECRET_KEY")