Hardcoded credentials Critical

Access credentials, such as passwords and access keys, should not be hardcoded in source code. A hardcoded credential can leak even after it has been removed from the current revision, because version control systems retain older versions of the file in their history, and every clone or fork of the repository carries that history with it. Credentials should be stored in a protected location (for example a secrets manager) and obtained by the application from its runtime environment at startup. A credential that has already been committed should be treated as exposed and rotated, not merely deleted from the code.

Detector ID
python/hardcoded-credentials@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

def create_session_noncompliant():
    import boto3
    # Noncompliant: uses a hardcoded secret access key. Even if this literal is
    # later removed, it remains recoverable from version control history.
    sample_key = "AjWnyxxxxx45xxxxZxxxX7ZQxxxxYxxx1xYxxxxx"
    boto3.session.Session(aws_secret_access_key=sample_key)

Compliant example

def create_session_compliant():
    import boto3
    import os
    # Compliant: the secret access key is read from the runtime environment,
    # so no secret value is committed to source control.
    sample_key = os.environ.get("AWS_SECRET_ACCESS_KEY")
    # Note: os.environ.get returns None when the variable is unset; checking for
    # that here and failing early gives a clearer error than a later auth failure.
    boto3.session.Session(aws_secret_access_key=sample_key)
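The two snippets above show the pattern the detector looks for; the following is an added example (not part of the CodeGuru page and not the detector's own implementation) showing the kind of lightweight check a team can run over its own sources, plus a small loader that fails fast when a credential is missing from the environment. The sample source is constructed for this example; the AWS-looking values are the publicly documented AWS example keys, not live credentials. The regexes (the `AKIA`/`ASIA` access key ID shape and the 40-character secret key shape) and the identifier fragments treated as credential-like names are this example's own assumptions.

```python
import os
import re

# Constructed sample source (not a real project) used to exercise the scanner below.
# The AWS-looking values are the publicly documented AWS example keys, not live secrets.
SAMPLE_SOURCE = """\
import os
import boto3

# Noncompliant: literal secrets assigned in source.
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = 'hunter2'

# Compliant: values come from the runtime environment.
secret = os.environ.get("AWS_SECRET_ACCESS_KEY")
password = os.environ["DB_PASSWORD"]
"""

# Identifier fragments that suggest a variable holds a credential (assumed list).
SECRET_NAME = re.compile(r"secret|password|passwd|pwd|token|api_?key|access_?key", re.IGNORECASE)
# `name = "literal"` or `name = 'literal'`, with an optional trailing comment.
ASSIGN_LITERAL = re.compile(
    r"""^\s*(?P<name>[A-Za-z_]\w*)\s*=\s*(?P<quote>["'])(?P<value>.*?)(?P=quote)\s*(#.*)?$"""
)
# AWS access key IDs: long-term (AKIA) or temporary (ASIA) prefix plus 16 uppercase alphanumerics.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# AWS secret access keys are 40 characters from the base64 alphabet.
AWS_SECRET_KEY = re.compile(r"^[A-Za-z0-9/+=]{40}$")


def find_hardcoded_credentials(source: str) -> list[tuple[int, str]]:
    """Return (line number, finding kind) for each line that embeds a credential literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        # An access key ID is recognisable anywhere on the line, not only in an assignment.
        if AWS_ACCESS_KEY_ID.search(line):
            findings.append((lineno, "aws-access-key-id"))
            continue
        m = ASSIGN_LITERAL.match(line)
        if not m:
            # Not a string-literal assignment (e.g. an os.environ lookup): nothing to flag.
            continue
        name, value = m.group("name"), m.group("value")
        if AWS_SECRET_KEY.match(value):
            findings.append((lineno, "aws-secret-access-key"))
        elif value and SECRET_NAME.search(name):
            findings.append((lineno, "secret-literal"))
    return findings


def require_env(name: str, env=None) -> str:
    """Read a credential from the environment and fail fast if it is missing or empty.

    `env` defaults to os.environ; a mapping can be passed in for testing.
    """
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError(f"required credential {name} is not set in the environment")
    return value


if __name__ == "__main__":
    for lineno, kind in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind}")
```

Running the scanner over the constructed sample flags lines 5, 6 and 7 (the secret key, the access key ID and the password literal) and leaves the two `os.environ` lookups alone. A pattern check like this is a pre-commit safety net, not a substitute for the detector: it cannot tell a test fixture from a live secret, so any real value it surfaces that has already been pushed should be rotated rather than just removed from the working tree.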