Add rule to check for getting sensitive data from environment variable
Opened this issue · 0 comments
Is your feature request related to a problem? Please describe.
Check calls to os.getenv or os.environ to read sensitive data such as passwords or other secrets from environment variables
Describe the solution you'd like
As described in the CLI standard:
Do not read secrets from environment variables. While environment variables may be convenient for storing secrets, they have proven too prone to leakage:
- Exported environment variables are sent to every process, and from there can easily leak into logs or be exfiltrated
- Shell substitutions like curl -H "Authorization: Bearer $BEARER_TOKEN" will leak into globally-readable process state. (cURL offers the -H @filename alternative for reading sensitive headers from a file.)
- Docker container environment variables can be viewed by anyone with Docker daemon access via docker inspect
- Environment variables in systemd units are globally readable via systemctl show
Secrets should only be accepted via credential files, pipes, AF_UNIX sockets, secret management services, or another IPC mechanism.
For example:
https://github.com/openai/openai-python?tab=readme-ov-file#async-usage
Describe alternatives you've considered
n/a
Additional context
- https://docs.python.org/3/library/os.html#os.environ
- https://docs.python.org/3/library/os.html#os.putenv
- https://clig.dev/#environment-variables
- https://github.com/theskumar/python-dotenv
- https://dev.to/jakewitcher/using-env-files-for-environment-variables-in-python-applications-55a1
Love this idea? Give it a 👍. We prioritize fulfilling features with the most 👍.