Hardcoded Sumologic API key in source code (SCT-1048)
Leaking a Sumologic API key in source code is a severe security issue: anyone who obtains the key gains unauthorized access to the Sumologic resources it is scoped to, which can lead to a data breach and to financial loss from the attacker's use of those resources.
If an API key has been leaked, revoke it immediately to mitigate the vulnerability, then issue a new one.
It is recommended to store the API key in an environment variable. This keeps the key out of the source code and separate from the codebase, and it makes the key easier to manage because it can be rotated without modifying the code. Additionally, access to the API key should be restricted to only those who need it, using IAM roles and permissions.
Bad practice
import requests

# Hardcoded Sumologic API key: anyone with read access to the repository
# (or its history) obtains the credential.
api_key = 'YOUR_API_KEY'

def send_logs(logs, api_url):
    headers = {
        'Authorization': f'Bearer {api_key}',
        'Content-Type': 'application/json'
    }
    response = requests.post(api_url, headers=headers, json=logs)
    return response.status_code == 200
Recommended
import os
import requests

# Read the key from the environment so it is never written into the codebase.
# Fail early if it is missing; otherwise the request would silently be sent
# with the header 'Bearer None'.
api_key = os.getenv('SUMOLOGIC_API_KEY')
if not api_key:
    raise RuntimeError('SUMOLOGIC_API_KEY is not set')

def send_logs(logs, api_url):
    headers = {
        'Authorization': f'Bearer {api_key}',
        'Content-Type': 'application/json'
    }
    response = requests.post(api_url, headers=headers, json=logs)
    return response.status_code == 200
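As an added example (not part of the rule's own implementation), the following check illustrates how a reviewer or a pre-commit hook can tell the two patterns above apart: it parses Python source with the standard `ast` module and flags any string literal assigned to a credential-looking name, while a value read via `os.getenv` is a call, not a literal, and passes. The name hints and the two embedded snippets are constructed for this example.

```python
import ast

# Hypothetical heuristic for this example: variable names that suggest a credential.
SECRET_NAME_HINTS = ("api_key", "apikey", "token", "secret", "password")

def _is_secret_name(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SECRET_NAME_HINTS)

def find_hardcoded_secrets(source: str):
    """Return (line, variable) pairs where a non-empty string literal is assigned
    to a credential-looking variable. Values read from the environment are
    Call nodes rather than string constants and are therefore never flagged."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Plain assignment (x = '...') and annotated assignment (x: str = '...').
        if isinstance(node, ast.Assign):
            targets, value = node.targets, node.value
        elif isinstance(node, ast.AnnAssign) and node.value is not None:
            targets, value = [node.target], node.value
        else:
            continue
        if not (isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value):
            continue
        for target in targets:
            if isinstance(target, ast.Name) and _is_secret_name(target.id):
                findings.append((node.lineno, target.id))
    return findings

# Constructed samples mirroring the bad and recommended patterns above.
BAD_SNIPPET = """import requests
api_key = 'YOUR_API_KEY'
"""
GOOD_SNIPPET = """import os
api_key = os.getenv('SUMOLOGIC_API_KEY')
"""

if __name__ == "__main__":
    for label, snippet in (("bad", BAD_SNIPPET), ("good", GOOD_SNIPPET)):
        print(label, find_hardcoded_secrets(snippet))
```

Run it against a file's contents in a pre-commit hook and reject the commit when the list is non-empty; the check is a heuristic and complements, rather than replaces, a dedicated secret scanner.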