Secrets

Made by DeepSource

Hardcoded Alibaba credentials in source code SCT-1036

Secrets
Critical

Hardcoding Alibaba credentials such as access key IDs and secret keys in source code can lead to unauthorized access to Alibaba Cloud resources: anyone who can read the repository, its history, or a build artifact obtains the keys. This can result in critical security breaches and financial losses. It is recommended to store such credentials in environment variables instead of hardcoding them in the source code. This keeps the credentials separate from the codebase, so they can be rotated or updated without modifying the source code.

Example of bad practice

from aliyunsdkcore.client import AcsClient

# Credentials embedded as string literals: they ship with every copy of the code
# and stay in version control history even after they are removed.
ACCESS_KEY_ID = 'LTAI4F*****************'
ACCESS_KEY_SECRET = '6f7V*****************'

client = AcsClient(
    ACCESS_KEY_ID,
    ACCESS_KEY_SECRET,
    'cn-hangzhou'
)

Recommended approach

import os
from aliyunsdkcore.client import AcsClient

# Credentials are supplied by the runtime environment, not the codebase; os.getenv
# returns None when a variable is unset, so check for that before using the client.
ACCESS_KEY_ID = os.getenv('ALIBABA_CLOUD_ACCESS_KEY_ID')
ACCESS_KEY_SECRET = os.getenv('ALIBABA_CLOUD_ACCESS_KEY_SECRET')

client = AcsClient(
    ACCESS_KEY_ID,
    ACCESS_KEY_SECRET,
    'cn-hangzhou'
)
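The following added example (not DeepSource's own checker) shows the two halves of this rule in working code: a small scanner that flags string literals matching the Alibaba AccessKey ID format, and a loader that reads the credentials from the environment and fails loudly when one is missing. It assumes that AccessKey IDs are "LTAI" followed by 20 alphanumeric characters; only the "LTAI" prefix appears on this page, the length is an assumption, and the sample source is constructed.

```python
import re
from typing import Mapping

# AccessKey IDs start with the "LTAI" prefix shown on this page; the 20
# alphanumeric characters after it are an assumed length. Secret keys have no
# fixed prefix, so this scanner only reports the ID.
ACCESS_KEY_ID_RE = re.compile(r"\bLTAI[A-Za-z0-9]{20}\b")
# Match only `NAME = '<literal>'` assignments, so an os.getenv() call is not reported.
ASSIGNMENT_RE = re.compile(r"""^\s*(\w+)\s*=\s*['"]([^'"]+)['"]""")

ENV_KEY_ID = "ALIBABA_CLOUD_ACCESS_KEY_ID"
ENV_KEY_SECRET = "ALIBABA_CLOUD_ACCESS_KEY_SECRET"


def find_hardcoded_alibaba_keys(source: str) -> list:
    """Return (line_number, variable, key_id) for each hardcoded AccessKey ID literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = ASSIGNMENT_RE.match(line)
        if not match:
            continue
        name, value = match.groups()
        # fullmatch rejects masked placeholders such as 'LTAI4F*****' as well.
        if ACCESS_KEY_ID_RE.fullmatch(value):
            findings.append((lineno, name, value))
    return findings


def load_alibaba_credentials(env: Mapping[str, str]) -> tuple:
    """Read both credentials from an environment mapping, raising instead of returning None."""
    missing = [k for k in (ENV_KEY_ID, ENV_KEY_SECRET) if not env.get(k)]
    if missing:
        raise RuntimeError("missing Alibaba Cloud credentials: " + ", ".join(missing))
    return env[ENV_KEY_ID], env[ENV_KEY_SECRET]


# Constructed sample source: the key ID below is a made-up placeholder, not a real credential.
SAMPLE_SOURCE = """\
import os
ACCESS_KEY_ID = 'LTAI4FEXAMPLEKEYID000000'
ACCESS_KEY_SECRET = 'not-a-real-secret'
SAFE_KEY_ID = os.getenv('ALIBABA_CLOUD_ACCESS_KEY_ID')
MASKED = 'LTAI4F*****************'
"""

if __name__ == "__main__":
    import os
    for lineno, name, key in find_hardcoded_alibaba_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} holds a hardcoded Alibaba AccessKey ID ({key[:6]}...)")
    print(load_alibaba_credentials(os.environ))
```

Run against a real tree, the scanner is a pre-commit or CI gate; the loader replaces the bare `os.getenv` calls so a misconfigured environment is caught before any client is built.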