Secrets

Made by DeepSource

Hardcoded Atlassian API token in source code SCT-1010

Secrets
Severity: Critical

Leaking an Atlassian API token in source code is a severe security issue: anyone who obtains the token can gain unauthorized access to your Atlassian resources, which can lead to a data breach and to financial loss from unauthorized use of those resources. If a token has been leaked, revoke it to mitigate the vulnerability.

It is recommended to store the API token in an environment variable. This keeps the token out of the source code and separate from the codebase, and it makes the token easier to manage, since it can be rotated without modifying the source. Additionally, access to the token should be restricted to only those who need it, using IAM roles and permissions.

Bad practice

import requests

# The token is a literal in the source: anyone with read access to the
# repository (or its history) can use it.
API_TOKEN = "HARDCODED_APP_TOKEN"
headers = {
    'Authorization': f'Bearer {API_TOKEN}',
    'Content-Type': 'application/json'
}

def create_issue(cloud_id, issue_data):
    # The URL must be an f-string so that cloud_id is interpolated; the
    # original string sent the literal text "{cloud_id}" as the path segment.
    response = requests.post(
        url=f"https://api.atlassian.com/ex/jira/{cloud_id}/rest/api/3/issue",
        headers=headers,
        json=issue_data
    )
    return response.json()

Recommended

import requests
import os

# Read the token from the environment and fail early if it is missing,
# instead of silently sending "Bearer None".
API_TOKEN = os.getenv('ATLASSIAN_API_TOKEN')
if not API_TOKEN:
    raise RuntimeError("ATLASSIAN_API_TOKEN is not set")
headers = {
    'Authorization': f'Bearer {API_TOKEN}',
    'Content-Type': 'application/json'
}

def create_issue(cloud_id, issue_data):
    # f-string so that cloud_id is interpolated into the path
    response = requests.post(
        url=f"https://api.atlassian.com/ex/jira/{cloud_id}/rest/api/3/issue",
        headers=headers,
        json=issue_data
    )
    response.raise_for_status()
    return response.json()
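As an added example (not DeepSource's code and not part of the rule above), the recommended pattern carried one step further: the client fails closed when ATLASSIAN_API_TOKEN is unset or blank, percent-encodes the cloud id path segment, and masks the Authorization header before anything is logged. It uses the standard library instead of requests, and the injectable `env` and `opener` parameters are an assumption made so the flow can be exercised offline.

```python
import json
import os
import urllib.request
from typing import Mapping
from urllib.parse import quote

ENV_VAR = "ATLASSIAN_API_TOKEN"  # same variable name as the recommended snippet


class MissingSecretError(RuntimeError):
    """Raised when no token is configured, so 'Bearer None' is never sent."""


def load_token(env: Mapping[str, str] = os.environ) -> str:
    # Fail closed: an unset or blank variable is a configuration error,
    # not a reason to make a request with an empty credential.
    token = env.get(ENV_VAR, "").strip()
    if not token:
        raise MissingSecretError(f"{ENV_VAR} is not set; refusing to call the Atlassian API")
    return token


def build_issue_request(cloud_id: str, issue_data: dict, token: str) -> urllib.request.Request:
    # cloud_id is a path segment: percent-encode it so a crafted value
    # cannot change which endpoint is called.
    url = f"https://api.atlassian.com/ex/jira/{quote(cloud_id, safe='')}/rest/api/3/issue"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    body = json.dumps(issue_data).encode()
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def loggable_headers(req: urllib.request.Request) -> dict:
    # Copy of the headers with the credential masked; log this, never req.headers.
    return {k: ("Bearer [REDACTED]" if k.lower() == "authorization" else v)
            for k, v in req.header_items()}


def create_issue(cloud_id: str, issue_data: dict, env: Mapping[str, str] = os.environ,
                 opener=urllib.request.urlopen) -> dict:
    # `env` and `opener` are injectable only so the flow can be tested offline
    # (assumption of this example); production code uses the defaults.
    req = build_issue_request(cloud_id, issue_data, load_token(env))
    with opener(req) as resp:
        return json.load(resp)
```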