Secrets

Made by DeepSource

Secrets detected in source code SCT-1000

Secrets
Critical

Secrets should never be checked into source code. Instead, inject them into the runtime (for example via environment variables or a secrets manager) and read the values from there when the program starts, so that the repository, its history and its build artifacts never contain the secret itself.

Examples of secrets are SSH private keys, API keys and secrets (for AWS or Stripe APIs, for example), database credentials, and so on.

Bad practice

In the sample Python code below, the secrets have been hardcoded:

key = "12345azan+/ryGUuk"

Recommended

Ideally, the value should be read from the environment at runtime, like:

import os

key = os.getenv("SECRET_KEY")

Note that os.getenv returns None when the variable is unset, so check for a missing value and fail early rather than continuing with None as the key.
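The following is an added example, not code from the DeepSource page or its analyzer. It shows both sides of this issue in working Python: a loader that reads a secret from the runtime environment and fails loudly when it is missing, and a small heuristic that flags hardcoded string literals assigned to secret-like names (using a Shannon-entropy threshold). The function names, the thresholds and the constructed sample source are assumptions chosen for illustration; a real detector uses many more patterns than this.

```python
import math
import os
import re
from typing import List, Mapping, Optional, Tuple


class MissingSecretError(RuntimeError):
    """Raised when a required secret is absent from the runtime environment."""


def get_required_secret(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Return the secret named `name` from the environment.

    Unlike a bare os.getenv() call, this refuses to return None or an empty
    string, so a misconfigured deployment fails at startup instead of running
    with an unusable key. `env` is injectable for testing; it defaults to os.environ.
    """
    source = os.environ if env is None else env
    value = source.get(name)
    if value is None or value.strip() == "":
        raise MissingSecretError(f"required secret {name!r} is not set in the environment")
    return value


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking keys score high, words score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Matches `name = "literal"` / `name = 'literal'` at the start of a line.
_ASSIGN_RE = re.compile(
    r'''^\s*(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*["'](?P<value>[^"']+)["']'''
)
# Variable names that suggest the literal is a credential (illustrative list).
_NAME_HINT = re.compile(r"(key|secret|token|password|passwd|pwd)", re.IGNORECASE)


def find_hardcoded_secrets(
    source: str, min_len: int = 12, min_entropy: float = 3.5
) -> List[Tuple[int, str]]:
    """Return (line number, variable name) for string literals that look like secrets.

    A literal is reported when it is assigned to a secret-like name, is at least
    `min_len` characters long and has at least `min_entropy` bits per character.
    Values read via os.getenv() are not string literals and are never reported.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = _ASSIGN_RE.match(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        if not _NAME_HINT.search(name):
            continue
        if len(value) >= min_len and shannon_entropy(value) >= min_entropy:
            findings.append((lineno, name))
    return findings


# Constructed sample source for the detector; only line 3 should be flagged.
SAMPLE_SOURCE = """\
import os

key = "12345azan+/ryGUuk"               # hardcoded high-entropy key: flagged
api_secret = "changeme"                 # secret-like name but a short, low-entropy placeholder
greeting = "hello world hello"          # string literal, but not a secret-like name
db_password = os.getenv("DB_PASSWORD")  # read from the environment: not a literal
"""


if __name__ == "__main__":
    for lineno, name in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: possible hardcoded secret assigned to {name!r}")
    # With SECRET_KEY unset this raises MissingSecretError instead of returning None.
    print(get_required_secret("SECRET_KEY", {"SECRET_KEY": "value-injected-at-runtime"}))
```

The entropy threshold is what separates a real key from a placeholder such as "changeme": the 17-character key on this page scores roughly 3.97 bits per character, while ordinary words sit well below 3.5. A production scanner combines such heuristics with provider-specific patterns (AWS access key prefixes, Stripe key prefixes, PEM headers), but the fail-fast loader is the part worth copying into application code as-is.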