Python
JavaScript
Java
Go
C#
Ansible
AWS CloudFormation Linter
C & C++
Dart Analyze
Docker
Kotlin
KubeLinter
PHP
Ruby
Rust
Scala
Secrets
Shell
Slither
Solhint
SQL
Swift
Terraform
Test coverageSecrets detected in source codeSCT-1000Hardcoded Adafruit API key in source codeSCT-1011Hardcoded Alibaba credentials in source codeSCT-1036Hardcoded Asana credentials in source codeSCT-1037Hardcoded Clojars API token in source codeSCT-1040Hardcoded Databricks API token in source codeSCT-1045Hardcoded Dropbox credentials in source codeSCT-1058Hardcoded AWS access token in source codeSCT-1002Hardcoded Google Cloud Platform API key in source codeSCT-1003Hardcoded Stripe access token in source codeSCT-1005Hardcoded Slack access token in source codeSCT-1006Hardcoded GitHub token in source codeSCT-1008Hardcoded GitLab token in source codeSCT-1009Hardcoded Atlassian API token in source codeSCT-1010Hardcoded Adobe client ID/secret in source codeSCT-1012Hardcoded OpenAI API key in source codeSCT-1013Hardcoded Datadog access token in source codeSCT-1014Hardcoded DigitalOcean token in source codeSCT-1015Hardcoded Fastly API token in source codeSCT-1016Hardcoded Linear API key/client secret in source codeSCT-1018Hardcoded New Relic API key in source codeSCT-1019Hardcoded PlanetScale credentials in source codeSCT-1020Hardcoded Postman API token in source codeSCT-1021Hardcoded Twilio API key in source codeSCT-1022Hardcoded DeepSource Personal Access Token (PAT) in source codeSCT-1023Hardcoded Prefect API token in source codeSCT-1024Hardcoded Readme API token in source codeSCT-1028Hardcoded RubyGems API in source codeSCT-1029Hardcoded Sendbird API token in source codeSCT-1030Hardcoded Brevo (Formerly Sendinblue) API token in source codeSCT-1031Hardcoded DroneCI access token in source codeSCT-1033Hardcoded Airtable API key in source codeSCT-1034Hardcoded Algolia API key in source codeSCT-1035Hardcoded Beamer API token in source codeSCT-1038Hardcoded Bittrex credentials in source codeSCT-1039Hardcoded Codecov access token in source codeSCT-1041Hardcoded Coinbase access token in source codeSCT-1042Hardcoded Confluent credentials in source codeSCT-1043Hardcoded Contentful API token in source codeSCT-1044Hardcoded Discord credentials in source codeSCT-1046Hardcoded Doppler API token in source codeSCT-1047Hardcoded Sumologic API key in source codeSCT-1048Hardcoded Twitch API token in source codeSCT-1051Hardcoded Twitter API token in source codeSCT-1052Hardcoded Duffel API token in source codeSCT-1059Hardcoded Dynatrace API token in source codeSCT-1060Hardcoded EasyPost credentials in source codeSCT-1061Hardcoded Etsy access token in source codeSCT-1062Hardcoded Facebook access token in source codeSCT-1063Hardcoded Finicity credentials in source codeSCT-1064Hardcoded Finnhub access token in source codeSCT-1065Hardcoded Flickr access token in source codeSCT-1066Hardcoded Flutterwave credentials in source codeSCT-1067Hardcoded FreshBooks access token in source codeSCT-1069Hardcoded Slack web hook in source codeSCT-1007Hardcoded PyPI upload API token in source codeSCT-1026Hardcoded SendGrid API token in source codeSCT-1032Hardcoded Pulumi API token in source codeSCT-1025Hardcoded JavaScript Web Token in source codeSCT-1004Hardcoded HashiCorp Terraform API token in source codeSCT-1017Hardcoded Rapid API access token in source codeSCT-1027Hardcoded Telegram Bot API token in source codeSCT-1049Hardcoded TravisCI API key in source codeSCT-1050Hardcoded private key in source codeSCT-1001Hardcoded Frame.io API token in source codeSCT-1068Possible hardcoded secrets detected in source codeSCT-A000
Hardcoded HashiCorp Terraform API token in source codeSCT-1017
Critical
SecretsLeaking a HashiCorp Terraform API token in source code can cause severe security issues as it can give unauthorized access to critical infrastructure resources. Unauthorized access to infrastructure resources can lead to system outages, data breaches, and financial loss.
If an API token has been leaked, you can revoke the token to mitigate the vulnerability.
It is recommended to use environment variables to store the API token. This ensures that the token is not hardcoded in the source code and is kept separate from the codebase. Using environment variables also makes it easier to manage the API token as it can be updated without modifying the source code. Additionally, it is recommended that access to the API token is restricted to only those who need it, by using Terraform Cloud's Team and User Permissions feature.
Bad practice
provider "azurerm" {
subscription_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
client_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
client_secret = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
tenant_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}
Recommended
provider "azurerm" {
subscription_id = var.subscription_id
client_id = var.client_id
client_secret = var.client_secret
tenant_id = var.tenant_id
}
It is recommended to store the API token in an encrypted .tfvars file:
subscription_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
client_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
client_secret = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
tenant_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
And load it with the terraform command:
terraform apply -var-file="secrets.tfvars"