By DeepSource

Audit required: Sensitive data might be exposed PTC-W1006

Security · A05 · CWE-798 · SANS Top 25 · OWASP Top 10

Potentially sensitive data is being exposed in the source code. It can compromise the security of the application or its users. It is recommended to encrypt this data. Anyone who has access to the source code can use the sensitive data. Source code can be widely shared in an enterprise environment, and is certainly shared in open source. Hardcoding such data also makes it difficult to change the password on the operational side.

It is recommended to put sensitive values either in a separate (uncommitted, gitignored) configuration file, or to pull them in from environment variables. The first is easier if you're self-hosting; the latter is the norm if you use e.g. Heroku or a similar platform that deploys from a repository.

Bad practice

username = "james"
token = "auenfejadldadjakf"

Recommended

import os

username = os.getenv("username")
token = os.environ.get("secret_key", "default_key")  # getting value from env variable. No issue.
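As an added example (not DeepSource's own code), a small loader that implements the recommendation above: it reads a named secret from an environment variable first, then from a gitignored JSON configuration file, and raises instead of silently using a placeholder default. The names load_secret, MissingSecretError, secrets.json and API_TOKEN are assumptions.

```python
import json
import os
import tempfile
from pathlib import Path

# Constructed example, not the page's code: secrets come from the
# environment or a gitignored file, never from a literal in the source.


class MissingSecretError(RuntimeError):
    """Raised when a required secret is in neither the environment nor the file."""


def load_secret(name, config_path=None, environ=None):
    """Return the secret `name`; environment first, then the config file."""
    environ = os.environ if environ is None else environ
    value = environ.get(name)
    if value:
        return value
    if config_path is not None:
        path = Path(config_path)
        if path.is_file():
            with path.open("r", encoding="utf-8") as fh:
                data = json.load(fh)
            value = data.get(name)
            if value:
                return str(value)
    # No hardcoded fallback: fail loudly so a missing secret is noticed at startup.
    raise MissingSecretError(
        f"secret {name!r} is not set; export it or add it to {config_path}"
    )


def demo():
    """Constructed walk-through with a temporary secrets.json (assumed name)."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "secrets.json"
        cfg.write_text(json.dumps({"API_TOKEN": "from-file"}), encoding="utf-8")
        results = {
            "env": load_secret("API_TOKEN", cfg, {"API_TOKEN": "from-env"}),
            "file": load_secret("API_TOKEN", cfg, {}),
        }
        try:
            load_secret("DB_PASSWORD", cfg, {})
            results["missing"] = "unexpectedly found"
        except MissingSecretError:
            results["missing"] = "raised"
    return results


if __name__ == "__main__":
    print(demo())
```

The configuration file only works as intended if it is listed in .gitignore before the first commit; a secret that has been committed once should be treated as exposed and rotated.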