Secrets

Made by DeepSource

Hardcoded GitHub token in source code SCT-1008

Secrets
Critical

GitHub can issue several kinds of tokens: app tokens, OAuth tokens, Personal Access Tokens (PATs), fine-grained PATs, and refresh tokens. Leaking any of them in source code is a severe security issue, because anyone who can read the code (or its history) gains the token's access to GitHub resources, which can result in a data breach and in financial loss from unauthorized use of those resources.

If a token has been leaked, revoke it to mitigate the vulnerability; rotating it is the only reliable fix, since removing the literal from the current revision does not remove it from version-control history. If you are using GitHub Actions, it is recommended to use GitHub's provided secrets instead of environment variables. Keeping the secret out of the code also makes the token easier to manage, because it can be rotated without modifying the source. Additionally, restrict what the token can do to only what is needed, by granting it the narrowest appropriate scopes.

Bad practice

import requests

# The token literal is committed with the file: anyone with read access to
# the repository or its history can reuse it.
headers = {
    'Authorization': 'Bearer ghp_0123456789abcdefghijklmnopqr'
}

response = requests.get('https://api.github.com/user', headers=headers)
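A minimal check of the kind that catches the snippet above, as an added example and not part of DeepSource's own rule implementation: it scans source text for strings shaped like GitHub tokens and reports each hit by line number with the value redacted, so the report itself does not re-leak the secret. The prefix list (`ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_`, `github_pat_`) reflects the token families named on this page; the 20-character minimum tail is an assumption chosen so that the short sample token above is still matched, and real tokens are longer.

```python
import re
from typing import List, NamedTuple

# Assumed token shapes: a "gh?_" family prefix or the "github_pat_" prefix
# followed by a run of token characters. The 20-character minimum is a
# deliberately lenient assumption so short sample strings are caught too.
_TOKEN_RE = re.compile(
    r"\b(?:gh[pousr]_[A-Za-z0-9]{20,}|github_pat_[A-Za-z0-9_]{20,})\b"
)


class Finding(NamedTuple):
    line_no: int
    redacted: str


def redact(token: str) -> str:
    """Keep only the family prefix and the last four characters, enough to
    identify which token leaked without reprinting the usable secret."""
    prefix = "github_pat_" if token.startswith("github_pat_") else token[:4]
    return f"{prefix}...{token[-4:]}"


def scan_source(text: str) -> List[Finding]:
    """Return one Finding per token-shaped string, in line order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in _TOKEN_RE.finditer(line):
            findings.append(Finding(line_no, redact(match.group(0))))
    return findings


# Constructed sample input: the page's bad-practice snippet plus a
# fine-grained-PAT-shaped string and one correct environment lookup.
SAMPLE_SOURCE = """\
import requests

headers = {
    'Authorization': 'Bearer ghp_0123456789abcdefghijklmnopqr'
}
# fine-grained token pasted into a comment (constructed, not a real token)
token = "github_pat_11AAAAAAA0bbbbbbbbbbbbb_ccccccccccccccccccccccccccccccccccccc"
safe = os.getenv("GITHUB_TOKEN")
"""

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(f"line {finding.line_no}: possible GitHub token {finding.redacted}")
```

Running the block prints one line for the `ghp_` literal and one for the `github_pat_` string, and nothing for the `os.getenv` lookup; a pre-commit hook or CI step that exits non-zero when `scan_source` returns anything is the usual way to wire such a check in.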

Recommended

import os
import requests

# Read the token from the environment (for example a GitHub Actions secret
# exposed as GITHUB_TOKEN) instead of from the source file.
token = os.getenv("GITHUB_TOKEN")
if not token:
    # Fail fast: without this check the header would be sent as "Bearer None".
    raise RuntimeError("GITHUB_TOKEN is not set")

headers = {
    'Authorization': f'Bearer {token}'
}

response = requests.get('https://api.github.com/user', headers=headers)