Python
JavaScript
Java
Go
C#
Ansible
AWS CloudFormation Linter
C & C++
Dart Analyze
Docker
Kotlin
KubeLinter
PHP
Ruby
Rust
Scala
Secrets
Shell
Slither
Solhint
SQL
Swift
Terraform
Test coverageSecrets detected in source codeSCT-1000Hardcoded Adafruit API key in source codeSCT-1011Hardcoded Alibaba credentials in source codeSCT-1036Hardcoded Asana credentials in source codeSCT-1037Hardcoded Clojars API token in source codeSCT-1040Hardcoded Databricks API token in source codeSCT-1045Hardcoded Dropbox credentials in source codeSCT-1058Hardcoded AWS access token in source codeSCT-1002Hardcoded Google Cloud Platform API key in source codeSCT-1003Hardcoded Stripe access token in source codeSCT-1005Hardcoded Slack access token in source codeSCT-1006Hardcoded GitHub token in source codeSCT-1008Hardcoded GitLab token in source codeSCT-1009Hardcoded Atlassian API token in source codeSCT-1010Hardcoded Adobe client ID/secret in source codeSCT-1012Hardcoded OpenAI API key in source codeSCT-1013Hardcoded Datadog access token in source codeSCT-1014Hardcoded DigitalOcean token in source codeSCT-1015Hardcoded Fastly API token in source codeSCT-1016Hardcoded Linear API key/client secret in source codeSCT-1018Hardcoded New Relic API key in source codeSCT-1019Hardcoded PlanetScale credentials in source codeSCT-1020Hardcoded Postman API token in source codeSCT-1021Hardcoded Twilio API key in source codeSCT-1022Hardcoded DeepSource Personal Access Token (PAT) in source codeSCT-1023Hardcoded Prefect API token in source codeSCT-1024Hardcoded Readme API token in source codeSCT-1028Hardcoded RubyGems API in source codeSCT-1029Hardcoded Sendbird API token in source codeSCT-1030Hardcoded Brevo (Formerly Sendinblue) API token in source codeSCT-1031Hardcoded DroneCI access token in source codeSCT-1033Hardcoded Airtable API key in source codeSCT-1034Hardcoded Algolia API key in source codeSCT-1035Hardcoded Beamer API token in source codeSCT-1038Hardcoded Bittrex credentials in source codeSCT-1039Hardcoded Codecov access token in source codeSCT-1041Hardcoded Coinbase access token in source codeSCT-1042Hardcoded Confluent credentials in source codeSCT-1043Hardcoded Contentful API token in source codeSCT-1044Hardcoded Discord credentials in source codeSCT-1046Hardcoded Doppler API token in source codeSCT-1047Hardcoded Sumologic API key in source codeSCT-1048Hardcoded Twitch API token in source codeSCT-1051Hardcoded Twitter API token in source codeSCT-1052Hardcoded Duffel API token in source codeSCT-1059Hardcoded Dynatrace API token in source codeSCT-1060Hardcoded EasyPost credentials in source codeSCT-1061Hardcoded Etsy access token in source codeSCT-1062Hardcoded Facebook access token in source codeSCT-1063Hardcoded Finicity credentials in source codeSCT-1064Hardcoded Finnhub access token in source codeSCT-1065Hardcoded Flickr access token in source codeSCT-1066Hardcoded Flutterwave credentials in source codeSCT-1067Hardcoded FreshBooks access token in source codeSCT-1069Hardcoded Slack web hook in source codeSCT-1007Hardcoded PyPI upload API token in source codeSCT-1026Hardcoded SendGrid API token in source codeSCT-1032Hardcoded Pulumi API token in source codeSCT-1025Hardcoded JavaScript Web Token in source codeSCT-1004Hardcoded HashiCorp Terraform API token in source codeSCT-1017Hardcoded Rapid API access token in source codeSCT-1027Hardcoded Telegram Bot API token in source codeSCT-1049Hardcoded TravisCI API key in source codeSCT-1050Hardcoded private key in source codeSCT-1001Hardcoded Frame.io API token in source codeSCT-1068Possible hardcoded secrets detected in source codeSCT-A000
Hardcoded Confluent credentials in source codeSCT-1043
Critical
SecretsUsing hardcoded Confluent credentials in source code can pose a security risk as it can give unauthorized access to Confluent resources such as Kafka clusters, schema registries, and ksqlDB. This can result in a data breach and financial loss due to unauthorized utilization of Confluent resources.
If the credentials have been leaked, it is recommended to rotate your credentials to mitigate the vulnerability.
To avoid this issue, it is recommended to use environment variables to store the Confluent credentials. This ensures that the credentials are not hardcoded in the source code and are kept separate from the codebase. Using environment variables also makes it easier to manage the credentials as they can be updated without modifying the source code. Additionally, it is recommended that access to the credentials is restricted to only those who need it, by using Confluent access control lists (ACLs).
Bad practice
from confluent_kafka import Producer
conf = {
'bootstrap.servers': 'localhost',
'sasl.username': 'my_username',
'sasl.password': 'my_password',
'security.protocol': 'SASL_SSL',
'sasl.mechanism': 'PLAIN',
}
p = Producer(conf)
p.produce('my_topic', key='key', value='value')
Recommended
from confluent_kafka import Producer
import os
conf = {
'bootstrap.servers': 'localhost',
'sasl.username': os.getenv('CONFLUENT_USERNAME'),
'sasl.password': os.getenv('CONFLUENT_PASSWORD'),
'security.protocol': 'SASL_SSL',
'sasl.mechanism': 'PLAIN',
}
p = Producer(conf)
p.produce('my_topic', key='key', value='value')