Made by DeepSource

Hardcoded Linear API key/client secret in source code SCT-1018

Secrets
Critical

A Linear API key or OAuth client secret committed to source code is exposed to everyone who can read the repository, including its history, forks, build logs and any mirror of it. With that credential an attacker can act as the user or application it belongs to: read issues, projects and documents, modify or delete data in the Linear organization, and exfiltrate sensitive data and intellectual property. If a key or secret has been leaked, treat it as compromised: revoke it, generate a new one and rotate it everywhere it is used. Deleting the literal from the code is not enough, because it remains in version control history. Leaked tokens can also be revoked through the Linear API.

Store the API key and client secret in environment variables (or in a secrets manager that injects them into the environment at runtime) rather than in the source. This keeps the credential out of the codebase and its history, and lets it be rotated without a code change. The code should also fail fast when the variable is missing, so that a misconfigured deployment does not silently send an empty or placeholder token to the API.

Bad practice

import requests

# Linear's API is GraphQL, served from a single endpoint.
GRAPHQL_URL = "https://api.linear.app/graphql"
# The key is committed with the source: anyone who can read the repository
# or its history can use it until it is revoked. ("linear-api-key" stands in
# for a real key here.)
API_KEY = "linear-api-key"
HEADERS = {
    "Authorization": f"Bearer {API_KEY}",
    "Content-Type": "application/json",
}

def get_issues():
    query = "{ issues { nodes { id title } } }"
    response = requests.post(GRAPHQL_URL, json={"query": query}, headers=HEADERS)
    response.raise_for_status()
    return response.json()

Recommended

import os
import requests

GRAPHQL_URL = "https://api.linear.app/graphql"

def get_api_key():
    # Read the key from the environment at call time and fail fast when it
    # is missing, instead of sending "Bearer None" to the API.
    key = os.getenv("LINEAR_API_KEY")
    if not key:
        raise RuntimeError("LINEAR_API_KEY is not set")
    return key

def get_issues():
    headers = {
        "Authorization": f"Bearer {get_api_key()}",
        "Content-Type": "application/json",
    }
    query = "{ issues { nodes { id title } } }"
    response = requests.post(GRAPHQL_URL, json={"query": query}, headers=headers)
    response.raise_for_status()
    return response.json()
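The two halves of this rule, spotting a committed key and loading it safely, can be exercised offline. The following is an added example, not DeepSource's detector or Linear's code. It assumes that Linear personal API keys carry the `lin_api_` prefix followed by an alphanumeric body (the prefix is an assumption; adjust the pattern if your keys differ), and it uses a constructed source snippet with a fake key rather than a real one. `find_hardcoded_keys` flags string literals that look like a key and reports them redacted, so the scanner's own output does not re-leak the secret; `load_linear_api_key` is the runtime side, refusing to start with a missing or malformed value.

```python
import os
import re

# Assumption: Linear personal API keys look like "lin_api_" plus an
# alphanumeric body. Only a quoted literal counts as a finding, so
# os.getenv("LINEAR_API_KEY") and the prefix alone are not flagged.
LINEAR_KEY_RE = re.compile(r"""(['"])(lin_api_[A-Za-z0-9]{20,})\1""")


def redact(key: str) -> str:
    """Keep enough of the key to identify it in Linear's settings, no more."""
    return key[:12] + "..." + key[-4:]


def find_hardcoded_keys(source: str):
    """Return (line_number, redacted_key) for every string literal in
    `source` that looks like a Linear API key."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in LINEAR_KEY_RE.finditer(line):
            findings.append((lineno, redact(match.group(2))))
    return findings


def load_linear_api_key(env=None) -> str:
    """Read the key from LINEAR_API_KEY and fail fast on a missing or
    malformed value, so a bad deployment never sends "Bearer None" or a
    leftover placeholder to the API."""
    env = os.environ if env is None else env
    key = env.get("LINEAR_API_KEY", "").strip()
    if not key:
        raise RuntimeError("LINEAR_API_KEY is not set")
    if not LINEAR_KEY_RE.fullmatch(f'"{key}"'):
        raise RuntimeError("LINEAR_API_KEY does not look like a Linear API key")
    return key


# Constructed sample source; the key below is fake.
SAMPLE_SOURCE = '''\
import os, requests
API_KEY = "lin_api_0123456789abcdefABCDEFghijkl"
HEADERS = {"Authorization": f"Bearer {API_KEY}"}
SAFE = os.getenv("LINEAR_API_KEY")
PREFIX_ONLY = "lin_api_"
'''


if __name__ == "__main__":
    for lineno, key in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: hardcoded Linear API key {key}")
```

Run the scanner over a repository's tracked files (and, ideally, its history) as a pre-commit hook or CI step; a finding should fail the build, and the matched key should be revoked rather than just deleted from the working tree.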