Secrets

Made by DeepSource

Hardcoded Asana credentials in source code SCT-1037

Secrets
Critical

Hardcoding Asana credentials in the source code can expose them to potential attackers and can lead to unauthorized access to Asana resources. This can cause security breaches and lead to financial loss and damage to the reputation of the organization.

If Asana credentials have been leaked, it is recommended to revoke them immediately. Additionally, the impacted users should be notified to take necessary actions to secure their accounts.

To prevent this issue, it is recommended to use environment variables to store the Asana credentials. Storing the credentials separately from the codebase makes it harder for attackers to steal them and ensures that they are properly secured. It also makes it easier to manage the credentials as they can be updated without modifying the source code.

Bad practice

import asana

# The access token is committed to the repository as a string literal.
client = asana.Client.access_token("0/abcdef0123456789abcdef0123456789")

Recommended

import asana
import os

# Read the token from the environment; os.getenv returns None if it is unset.
token = os.getenv('ASANA_ACCESS_TOKEN')
if not token:
    raise RuntimeError('ASANA_ACCESS_TOKEN is not set')
client = asana.Client.access_token(token)
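The following is an added example, not DeepSource's own checker and not code from the Asana SDK. It shows the two defender-side pieces this rule implies: a small scanner that flags string literals shaped like the token in the example above, and a loader that reads the token from the environment and fails fast when it is missing instead of passing None to the client. The token pattern ("0/" followed by 32 hex characters) is taken from this page's example and is an assumption for illustration; the function names, the sample source text and the sample token are constructed.

```python
import os
import re
from typing import List, Optional, Tuple

# Token shape from this rule's example: "0/" followed by 32 hex characters.
# Assumption for illustration; tune the pattern before relying on it elsewhere.
ASANA_TOKEN_RE = re.compile(r"""["']\s*(0/[0-9a-fA-F]{32})\s*["']""")


def find_hardcoded_asana_tokens(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, redacted_token) for every string literal in the
    given source text that looks like an Asana access token."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in ASANA_TOKEN_RE.finditer(line):
            token = match.group(1)
            # Report only a short prefix so the finding itself does not leak the secret.
            findings.append((lineno, token[:6] + "..."))
    return findings


def load_asana_token(env_var: str = "ASANA_ACCESS_TOKEN",
                     environ: Optional[dict] = None) -> str:
    """Read the token from the environment and fail fast if it is missing or
    blank, rather than handing None on to asana.Client.access_token()."""
    env = os.environ if environ is None else environ
    token = env.get(env_var, "").strip()
    if not token:
        raise RuntimeError(f"{env_var} is not set; refusing to create an Asana client")
    return token


# Constructed sample source: the token below is not a real credential.
SAMPLE_SOURCE = '''import asana
import os

bad_client = asana.Client.access_token("0/abcdef0123456789abcdef0123456789")
good_client = asana.Client.access_token(os.getenv("ASANA_ACCESS_TOKEN"))
'''

if __name__ == "__main__":
    for lineno, redacted in find_hardcoded_asana_tokens(SAMPLE_SOURCE):
        print(f"line {lineno}: hardcoded Asana token {redacted}")
    # Demonstrate the fail-fast loader with an injected environment.
    print(load_asana_token(environ={"ASANA_ACCESS_TOKEN": "0/" + "0" * 32})[:4])
```

Run the scanner over files in a pre-commit hook or CI job and treat any finding as a blocker; the loader belongs at application start-up so a missing variable surfaces as a configuration error rather than as an authentication failure deep inside a request.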