Made by DeepSource

Hardcoded OpenAI API key in source code SCT-1013

Category: Secrets
Severity: Critical

Leaking an OpenAI API key in source code can cause severe security issues due to unauthorized access and usage of OpenAI resources. It can also lead to service abuse and exposure of sensitive data. If an API key has been leaked, you can revoke it through your OpenAI account settings to mitigate the vulnerability.

It is recommended to use environment variables to store the API key. This ensures that the key is not hardcoded in the source code and is kept separate from the codebase. Using environment variables also makes it easier to manage the API key as it can be updated without modifying the source code.

Bad practice

import openai

# The key literal lives in the source file, so it ends up in version control,
# build artifacts and anything else the code is copied to.
openai.api_key = "sk-123456789abcdefghijkT3BlbkFJ123456789abcdefghijk"

Recommended

import openai
import os

# Read the key from the environment instead of the source file.
# Note: os.getenv returns None when the variable is unset, so check for that
# at startup rather than letting a later API call fail with an auth error.
openai.api_key = os.getenv('OPENAI_API_KEY')
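The two snippets above show the fix; what a reviewer usually also wants is a way to catch the bad pattern before it ships and a loader that fails fast when the variable is missing. The following is an added example, not DeepSource's own checker or code from this page. It assumes the legacy OpenAI key shape visible in the sample above (`sk-` + 20 alphanumerics + `T3BlbkFJ` + 20 alphanumerics); newer key formats differ and would need their own pattern. The sample source it scans is constructed from the two snippets on this page, and `find_hardcoded_keys` / `load_api_key` are names chosen here.

```python
import os
import re
from typing import Mapping

# Assumed pattern for the legacy OpenAI key format shown on this page:
# "sk-" + 20 alphanumerics + "T3BlbkFJ" + 20 alphanumerics.
# This is an assumption drawn from the page's sample; newer formats differ.
OPENAI_KEY_RE = re.compile(r"sk-[A-Za-z0-9]{20}T3BlbkFJ[A-Za-z0-9]{20}")


def find_hardcoded_keys(source: str) -> list[tuple[int, str]]:
    """Return (line_number, masked_key) for each line of `source` that
    contains something shaped like an OpenAI key literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in OPENAI_KEY_RE.finditer(line):
            key = match.group(0)
            # Mask the value so the scanner's own report does not leak it.
            findings.append((lineno, key[:6] + "..." + key[-4:]))
    return findings


def load_api_key(environ: Mapping[str, str] = os.environ,
                 name: str = "OPENAI_API_KEY") -> str:
    """Read the key from the environment and fail fast if it is missing,
    instead of letting a None slip into the OpenAI client and surfacing
    later as a confusing authentication error."""
    key = environ.get(name)
    if not key:
        raise RuntimeError(f"{name} is not set; export it before starting the app")
    return key


# Constructed sample source mirroring the page's bad and recommended snippets.
SAMPLE_SOURCE = '''import openai

openai.api_key = "sk-123456789abcdefghijkT3BlbkFJ123456789abcdefghijk"
openai.api_key = os.getenv("OPENAI_API_KEY")
'''


if __name__ == "__main__":
    for lineno, masked in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: possible OpenAI key {masked}")
    # Would raise RuntimeError if OPENAI_API_KEY is not exported.
    client_key = load_api_key()
    print("loaded key from environment:", client_key[:6] + "...")
```

Running the scanner over the constructed source reports only the hardcoded line (line 3); the `os.getenv` line is not flagged. `load_api_key` takes the environment as a parameter so it can be exercised against a plain dict in tests, and it rejects both an unset and an empty variable.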