
# Secrets

<AccordionGroup>
  <Accordion title="Database passwords should not be disclosed">
    <div class="paragraph">
      <p>Database passwords should not be disclosed</p>
    </div>

    <CodeGroup>
      ```secrets Bad theme={null}
      public static string ConnectionString = "server=database-server;uid=user;pwd=P@ssw0rd;database=ProductionData";
      ```

      ```secrets Fix theme={null}
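      // The password is read from the environment at class initialisation, so it never
      // appears in source control. requireNonNull fails fast when DB_PASSWORD is unset;
      // without it String.format would embed the literal text "null" as the password.
      public static String ConnectionString = String.format(
          "server=database-server;uid=user;pwd=%s;database=ProductionData",
          java.util.Objects.requireNonNull(System.getenv("DB_PASSWORD"), "DB_PASSWORD is not set")
      );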
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="Google Cloud service account keys should not be disclosed">
    <div class="paragraph">
      <p>Google Cloud service account keys should not be disclosed</p>
    </div>

    <CodeGroup>
      ```secrets Bad theme={null}
      {
      "type": "service_account",
      "project_id": "example-project",
      "private_key_id": "2772b8e6f42dc67369b98f0b91694f7805b28844",
      "private_key": "-----BEGIN PRIVATE KEY-----\nKBww9jggAgBEHBCBAASIMDsoCBAuAQINAgFAGSXQTkiAE0cEIkoQghJAqGavB/r3\n2W6raHa1Qrfj6pii5U2Ok53SxCyK3TxYc3Bfxq8orZeYC9LQ/I3tz7w4/BnT71AD\nfP1i8SWHsRMIicSuVFcRoYMA+A1eNSmdrujdBNWgedfuSyHbPnNY7s8BBUIoBN7I\n8gJG5DUUKAZfZDB2c/n7Yu0=\n-----END PRIVATE KEY-----\n",
      "client_email": "example@example.iam.gserviceaccount.example.com",
      "client_id": "492539091821492546176",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/example%40example.iam.gserviceaccount.example.com",
      "universe_domain": "googleapis.com"
      }
      ```

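      ```secrets Fix theme={null}
      # Keep the service account key file out of the repository and point the client
      # libraries at it by path. A key that was already committed has to be deleted in
      # IAM and replaced; removing it from the file does not invalidate it.
      export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account-key.json"
      ```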
    </CodeGroup>
  </Accordion>

  <Accordion title="PostgreSQL database passwords should not be disclosed">
    <div class="paragraph">
      <p>PostgreSQL database passwords should not be disclosed</p>
    </div>

    <CodeGroup>
      ```secrets Bad theme={null}
      uri = "postgres://foouser:foopass@example.com/testdb"
      ```

      ```secrets Fix theme={null}
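      import os
      from urllib.parse import quote

      # Credentials come from the environment; os.environ[...] raises KeyError when unset.
      # Percent-encode both parts: characters such as "@", ":" or "/" inside a credential
      # would otherwise change how the URI is parsed.
      user = quote(os.environ["PG_USER"], safe="")
      password = quote(os.environ["PG_PASSWORD"], safe="")
      uri = f"postgres://{user}:{password}@example.com/testdb"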
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="Shippo tokens should not be disclosed">
    <div class="paragraph">
      <p>Shippo tokens should not be disclosed</p>
    </div>

    <CodeGroup>
      ```secrets Bad theme={null}
      Shippo.setApiKey('shippo_live_258d9b4c41a8cb88ca7fb4b12c65083f658435ac'); // Noncompliant

      HashMap<String, Object> addressMap = new HashMap<String, Object>();
      addressMap.put("name", "Mr. Hippo");
      addressMap.put("company", "Shippo");
      addressMap.put("street1", "215 Clayton St.");
      addressMap.put("city", "San Francisco");
      addressMap.put("state", "CA");
      addressMap.put("zip", "94117");
      addressMap.put("country", "US");
      addressMap.put("phone", "+1 555 341 9393");
      addressMap.put("email", "support@goshipppo.com");

      Address createAddress = Address.create(addressMap);
      ```

      ```secrets Fix theme={null}
      Shippo.setApiKey(System.getenv("SHIPPO_API_TOKEN"));

      HashMap<String, Object> addressMap = new HashMap<String, Object>();
      addressMap.put("name", "Mr. Hippo");
      addressMap.put("company", "Shippo");
      addressMap.put("street1", "215 Clayton St.");
      addressMap.put("city", "San Francisco");
      addressMap.put("state", "CA");
      addressMap.put("zip", "94117");
      addressMap.put("country", "US");
      addressMap.put("phone", "+1 555 341 9393");
      addressMap.put("email", "support@goshipppo.com");

      Address createAddress = Address.create(addressMap);
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="OpenWeather API keys should not be disclosed">
    <div class="paragraph">
      <p>OpenWeather API keys should not be disclosed</p>
    </div>

    <CodeGroup>
      ```secrets Bad theme={null}
      url = "http://api.openweathermap.org/data/2.5/weather?units=imperial&appid=ae73acab47d0fc4b71b634d943b00518&q="
      ```

      ```secrets Fix theme={null}
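      import os

      # os.environ[...] raises KeyError when OW_TOKEN is unset, so a missing key is caught at start-up.
      token = os.environ["OW_TOKEN"]

      # f-string so the key is actually interpolated (a plain string would send the literal "{token}").
      # HTTPS keeps the appid query parameter out of clear text on the wire; the key still
      # appears in the URL, so keep full request URLs out of logs.
      url = f"https://api.openweathermap.org/data/2.5/weather?units=imperial&appid={token}&q="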
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="Grafana tokens should not be disclosed">
    <div class="paragraph">
      <p>Grafana tokens should not be disclosed</p>
    </div>

    <CodeGroup>
      ```secrets Bad theme={null}
      import requests

      token = 'glsa_geygSnIfuK5vBG0KgaflRCQfIb8mzaM7_b0999d91'  # Noncompliant
      response = requests.get('https://grafana.example.org/api/dashboards/home', headers={
      'Authorization': f'Bearer {token}',
      'Content-Type': 'application/json'
      })
      ```

      ```secrets Fix theme={null}
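      import os

      import requests

      # os.environ[...] raises KeyError when the variable is unset, instead of
      # building the header from None and sending "Bearer None".
      token = os.environ['GRAFANA_SERVICE_ACCOUNT_TOKEN']
      response = requests.get('https://grafana.example.org/api/dashboards/home', headers={
          'Authorization': f'Bearer {token}',
          'Content-Type': 'application/json'
      })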
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="Django secret keys should not be disclosed">
    <div class="paragraph">
      <p>Django secret keys should not be disclosed</p>
    </div>

    <CodeGroup>
      ```secrets Bad theme={null}
      SECRET_KEY = 'r&lvybzry1*k+qq)=x-!=0yd5l5#1gxzk!82@ru25*ntos3_9^'
      ```

      ```secrets Fix theme={null}
      import os

      SECRET_KEY = os.environ["SECRET_KEY"]
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="SSH private keys should not be disclosed">
    <div class="paragraph">
      <p>SSH private keys should not be disclosed</p>
    </div>

    <CodeGroup>
      ```secrets Bad theme={null}
      String key = """
      -----BEGIN OPENSSH PRIVATE KEY-----
      b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
      QyNTUxOQAAACDktj2RM1D2wRTQ0H+YZsFqnAuZrqBNEB4PpJ5xm73nWwAAAJgJVPFECVTx
      RAAAAAtzc2gtZWQyNTUxOQAAACDktj2RM1D2wRTQ0H+YZsFqnAuZrqBNEB4PpJ5xm73nWw
      AAAECQ8Nzp6a1ZJgS3SWh2pMxe90W9tZVDZ+MZT35GjCJK2uS2PZEzUPbBFNDQf5hmwWqc
      C5muoE0QHg+knnGbvedbAAAAFGdhZXRhbmZlcnJ5QFBDLUwwMDc3AQ==
      -----END OPENSSH PRIVATE KEY-----""";
      ```

      ```secrets Fix theme={null}
      String key = System.getenv("SSH_KEY");
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="PyPI tokens should not be disclosed">
    <div class="paragraph">
      <p>PyPI tokens should not be disclosed</p>
    </div>

    <CodeGroup>
      ```secrets Bad theme={null}
      [pypi]
      username = __token__
      password = pypi-YBf3ZAIKOMPwNZ1VaQ0RAtjww5lI1az1CMLEOWgDQN56EPADfzRmgsENVcmIUh2mSBwYlTtyNKGmVlLm2MZD2aJOTWmD2EO5PMyWjvUY3Ii2CjsidALCNCNmvX8N8gcijBliFN2ciBCLgQdi2YYfGjA1kz19z1UBKg
      ```

      ```secrets Fix theme={null}
      pip config set --global global.keyring-provider subprocess
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="Hashicorp tokens should not be disclosed">
    <div class="paragraph">
      <p>Hashicorp tokens should not be disclosed</p>
    </div>

    <CodeGroup>
      ```secrets Bad theme={null}
      import hvac

      client = hvac.Client(url='https://vault.example.com', token='hvb.AAAAAQJyBEVF-vTWUrg0hcoIPuvKjjNxXXZ5MfsYVg2gJ0fGZpVi0IGTFfh4TqsoQIWaocNRXD1qzGXvhIHWJBM_rWU9YJY8sXOYVy_s1JAHasXJwGmZ_fBLJfSG6aCwQkCGwtAhYw') # Noncompliant

      secret = client.secrets.kv.v2.read_secret_version(path='secret/myapp')
      data = secret['data']
      username = data.get('username')
      password = data.get('password')
      ```

      ```secrets Fix theme={null}
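      import os

      import hvac

      # The token is supplied by the environment, not by source code. `import os` is
      # required here; without it this line raises NameError.
      client = hvac.Client(url='https://vault.example.com', token=os.environ.get('VAULT_TOKEN'))

      secret = client.secrets.kv.v2.read_secret_version(path='secret/myapp')
      data = secret['data']
      username = data.get('username')
      password = data.get('password')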
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="DigitalOcean tokens should not be disclosed">
    <div class="paragraph">
      <p>DigitalOcean tokens should not be disclosed</p>
    </div>

    <CodeGroup>
      ```secrets Bad theme={null}
      require 'droplet_kit'

      token = 'dop_v1_1adc4095c3c676ff1c31789a1a86480195a5b3d955010c94fcfa554b34640e1e'  # Noncompliant
      client = DropletKit::Client.new(access_token: token)
      ```

      ```secrets Fix theme={null}
      require 'droplet_kit'

      token = ENV['DIGITALOCEAN_TOKEN']
      client = DropletKit::Client.new(access_token: token)
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="MongoDB database passwords should not be disclosed">
    <div class="paragraph">
      <p>MongoDB database passwords should not be disclosed</p>
    </div>

    <CodeGroup>
      ```secrets Bad theme={null}
      uri = "mongodb://foouser:foopass@example.com/testdb"
      ```

      ```secrets Fix theme={null}
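      import os
      from urllib.parse import quote

      # Credentials come from the environment; os.environ[...] raises KeyError when unset.
      # Percent-encode both parts: characters such as "@", ":" or "/" inside a credential
      # would otherwise change how the URI is parsed.
      user = quote(os.environ["MONGO_USER"], safe="")
      password = quote(os.environ["MONGO_PASSWORD"], safe="")
      uri = f"mongodb://{user}:{password}@example.com/testdb"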
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="WakaTime tokens should not be disclosed">
    <div class="paragraph">
      <p>WakaTime tokens should not be disclosed</p>
    </div>

    <CodeGroup>
      ```secrets Bad theme={null}
      from rauth import OAuth2Service

      service = OAuth2Service(
      client_id='d130uKF73fueZSCM9tUodIFN',
      client_secret='waka_sec_ez0kI3tQlYVvYSJOAjoI5n3PpyG69HQl91TZKFjSdb0X0XXgY7dahXiPpAhYL2kNxqDBzHuHNuzCPr5d', # Noncompliant
      name='wakatime',
      authorize_url='https://wakatime.com/oauth/authorize',
      access_token_url='https://wakatime.com/oauth/token',
      base_url='https://wakatime.com/api/v1/')
      ```

      ```secrets Fix theme={null}
      import os
      from rauth import OAuth2Service

      service = OAuth2Service(
      client_id=os.environ['WAKA_CLIENT_ID'],
      client_secret=os.environ['WAKA_CLIENT_SECRET'],
      name='wakatime',
      authorize_url='https://wakatime.com/oauth/authorize',
      access_token_url='https://wakatime.com/oauth/token',
      base_url='https://wakatime.com/api/v1/')
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="Azure Storage Account Keys should not be disclosed">
    <div class="paragraph">
      <p>Azure Storage Account Keys should not be disclosed</p>
    </div>

    <CodeGroup>
      ```secrets Bad theme={null}
      using Azure.Storage.Blobs;
      using Azure.Storage;

      class Example
      {
      static void Main(string[] args)
      {
          string account = "accountname";
          string accountKey = "4dVw+l0W8My+FwuZ08dWXn+gHxcmBtS7esLAQSrm6/Om3jeyUKKGMkfAh38kWZlItThQYsg31v23A0w/uVP4pg=="; // Noncompliant
          StorageSharedKeyCredential sharedKeyCredential = new StorageSharedKeyCredential(account, accountKey);

          BlobServiceClient blobServiceClient = new BlobServiceClient(
              new Uri($"https://{account}.blob.core.windows.net"),
              sharedKeyCredential);
      }
      }
      ```

      ```secrets Fix theme={null}
      using System;
      using Azure.Storage.Blobs;
      using Azure.Storage;

      class Example
      {
      static void Main(string[] args)
      {
          string account = Environment.GetEnvironmentVariable("ACCOUNT_NAME");
          string accountKey = Environment.GetEnvironmentVariable("ACCOUNT_KEY");
          StorageSharedKeyCredential sharedKeyCredential = new StorageSharedKeyCredential(account, accountKey);

          BlobServiceClient blobServiceClient = new BlobServiceClient(
              new Uri($"https://{account}.blob.core.windows.net"),
              sharedKeyCredential);
      }
      }
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="Cryptographic private keys should not be disclosed">
    <div class="paragraph">
      <p>Cryptographic private keys should not be disclosed</p>
    </div>

    <CodeGroup>
      ```secrets Bad theme={null}
      private_key = "-----BEGIN EC PRIVATE KEY-----" \
      "MF8CAQEEGEfVxjrMPigNhGP6DqH6DPeUZPbaoaCCXaAKBggqhkjOPQMBAaE0AzIA" \
      "BCIxho34upZyXDi/AUy/TBisGeh4yKJN7pit9Z+nKs4QajVy97X8W9JdySlbWeRt" \
      "2w==" \
      "-----END EC PRIVATE KEY-----"
      ```

      ```secrets Fix theme={null}
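      # Load the key at runtime from a file kept outside the repository. Restrict the file
      # to the account that runs the service (for example mode 0600).
      with open("/path/to/private.key", "r") as key_file:
          private_key = key_file.read()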
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="Figma tokens should not be disclosed">
    <div class="paragraph">
      <p>Figma tokens should not be disclosed</p>
    </div>

    <CodeGroup>
      ```secrets Bad theme={null}
      import requests

      token = 'figd_OLDXZWOP4fxW4c9ER0xzxRda96M-f0eFwZpFQjHJ'  # Noncompliant
      response = requests.get('https://api.figma.com/v1/me', headers={
      'X-FIGMA-TOKEN': token,
      'Content-Type': 'application/json'
      })
      ```

      ```secrets Fix theme={null}
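      import os

      import requests

      # os.environ[...] raises KeyError when the variable is unset, rather than
      # sending the request without a valid token.
      token = os.environ['FIGMA_PERSONAL_ACCESS_TOKEN']
      response = requests.get('https://api.figma.com/v1/me', headers={
          'X-FIGMA-TOKEN': token,
          'Content-Type': 'application/json'
      })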
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="Yandex tokens should not be disclosed">
    <div class="paragraph">
      <p>Yandex tokens should not be disclosed</p>
    </div>

    <CodeGroup>
      ```secrets Bad theme={null}
      import { Session, cloudApi, serviceClients } from '@yandex-cloud/nodejs-sdk';

      const { resourcemanager: { cloud_service: { ListCloudsRequest } } } = cloudApi;

      const session = new Session({ iamToken: 't1.7euelSbPyceKx87JqpuRl1qZiY-Ryi3rnpWaksrKaZqUppnLncmDnpeajZvl8_dZNAFl-e8ENXMH_t3z9xljfmT57wQ1cwf-.-LErty1vRh4S__VEp-aDnM5huB5MEfm_Iu1u2IzNgyrn0emiWDYA6rSQXDvzjE0O3HBbUlqoDeCmXYYInzZ6Cg' }); // Noncompliant
      const cloudService = session.client(serviceClients.CloudServiceClient);

      const response = await cloudService.list(ListCloudsRequest.fromPartial({
      pageSize: 100,
      }));
      ```

      ```secrets Fix theme={null}
      import { Session, cloudApi, serviceClients } from '@yandex-cloud/nodejs-sdk';

      const { resourcemanager: { cloud_service: { ListCloudsRequest } } } = cloudApi;

      const session = new Session({ iamToken: process.env.YANDEX_TOKEN });
      const cloudService = session.client(serviceClients.CloudServiceClient);

      const response = await cloudService.list(ListCloudsRequest.fromPartial({
      pageSize: 100,
      }));
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="Clarifai API keys should not be disclosed">
    <div class="paragraph">
      <p>Clarifai API keys should not be disclosed</p>
    </div>

    <CodeGroup>
      ```secrets Bad theme={null}
      from clarifai_grpc.grpc.api.status import status_code_pb2

      metadata = (('authorization','Key d819f799b90bc8dbaffd83661782dbb7'),)
      ```

      ```secrets Fix theme={null}
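      import os
      from clarifai_grpc.grpc.api.status import status_code_pb2

      # The "Key " scheme prefix stays in code; only the key itself comes from the
      # environment, so the header keeps the same shape as the hard-coded version.
      metadata = (('authorization', 'Key ' + os.environ["CLARIFAI_API_KEY"]),)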
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="Postman tokens should not be disclosed">
    <div class="paragraph">
      <p>Postman tokens should not be disclosed</p>
    </div>

    <CodeGroup>
      ```secrets Bad theme={null}
      const axios = require('axios');

      const apiKey = 'PMAK-6502e63761882f002a69f0cb-6d9bc58cd0cc60ff5547f81cf2ca141bb9'; // Noncompliant
      const options = {
      method: 'get',
      url: 'https://api.getpostman.com/me',
      headers: {
          'Content-Type': 'application/json',
          'X-API-Key': apiKey
      }
      };

      (async() => { await axios(options); })();
      ```

      ```secrets Fix theme={null}
      const axios = require('axios');

      const apiKey = process.env.POSTMAN_API_KEY;
      const options = {
      method: 'get',
      url: 'https://api.getpostman.com/me',
      headers: {
          'Content-Type': 'application/json',
          'X-API-Key': apiKey
      }
      };

      (async() => { await axios(options); })();
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="MySQL database passwords should not be disclosed">
    <div class="paragraph">
      <p>MySQL database passwords should not be disclosed</p>
    </div>

    <CodeGroup>
      ```secrets Bad theme={null}
      uri = "mysql://foouser:foopass@example.com/testdb"
      ```

      ```secrets Fix theme={null}
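      import os
      from urllib.parse import quote

      # Credentials come from the environment; os.environ[...] raises KeyError when unset.
      # Percent-encode both parts: characters such as "@", ":" or "/" inside a credential
      # would otherwise change how the URI is parsed.
      user = quote(os.environ["MYSQL_USER"], safe="")
      password = quote(os.environ["MYSQL_PASSWORD"], safe="")

      uri = f"mysql://{user}:{password}@example.com/testdb"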
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="Shopify tokens should not be disclosed">
    <div class="paragraph">
      <p>Shopify tokens should not be disclosed</p>
    </div>

    <CodeGroup>
      ```secrets Bad theme={null}
      import requests

      token = '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'  # Noncompliant
      response = requests.get('https://test-shop.myshopify.com/admin/api/2021-07/shop.json', headers={
      'X-Shopify-Access-Token': token,
      'Content-Type': 'application/json'
      })
      ```

      ```secrets Fix theme={null}
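      import os

      import requests

      # os.environ[...] raises KeyError when the variable is unset, rather than
      # sending the request without a valid token.
      token = os.environ['SHOPIFY_ACCESS_TOKEN']
      response = requests.get('https://test-shop.myshopify.com/admin/api/2021-07/shop.json', headers={
          'X-Shopify-Access-Token': token,
          'Content-Type': 'application/json'
      })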
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="Typeform tokens should not be disclosed">
    <div class="paragraph">
      <p>Typeform tokens should not be disclosed</p>
    </div>

    <CodeGroup>
      ```secrets Bad theme={null}
      import requests

      token = 'tfp_DEueEgDipkmx52r7rgU5EC7VC5K2MzzsR61ELEkqmh3Y_3mJqwKJ2vtfX5N'  # Noncompliant
      response = requests.get('https://api.typeform.com/forms', headers={
      'Authorization': f'Bearer {token}',
      'Content-Type': 'application/json'
      })
      ```

      ```secrets Fix theme={null}
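      import os

      import requests

      # os.environ[...] raises KeyError when the variable is unset, instead of
      # building the header from None and sending "Bearer None".
      token = os.environ['TYPEFORM_PERSONAL_ACCESS_TOKEN']
      response = requests.get('https://api.typeform.com/forms', headers={
          'Authorization': f'Bearer {token}',
          'Content-Type': 'application/json'
      })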
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="NPM access tokens should not be disclosed">
    <div class="paragraph">
      <p>NPM access tokens should not be disclosed</p>
    </div>

    <CodeGroup>
      ```secrets Bad theme={null}
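      steps:
      # env belongs to the step that runs the command; as a separate list item it is not a valid step.
      - run: |
          npm install
        env:
          NPM_TOKEN: npm_tCEMceczuiTXKQaBjGIaAezYQ63PqI972ANG  # Noncompliant: token committed in the workflow file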
      ```

      ```secrets Fix theme={null}
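      steps:
      # env belongs to the step that runs the command, so npm install can read the token.
      - run: |
          npm install
        env:
          # Resolved from the repository's encrypted secrets at run time; never stored in the file.
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}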
      ```
    </CodeGroup>
  </Accordion>

  <Accordion title="Docker Hub tokens should not be disclosed">
    <div class="paragraph">
      <p>Docker Hub tokens should not be disclosed</p>
    </div>

    <CodeGroup>
      ```secrets Bad theme={null}
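      steps:
      # uses/with are keys of the same step as name, so they are indented under the list item.
      - name: Login to DockerHub
        uses: docker/login-action@v2
        with:
          username: mobythewhale
          password: dckr_pat_cq7wQZcv9xZkVlxMhDTcTV00CDo  # Noncompliant: token committed in the workflow file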
      ```

      ```secrets Fix theme={null}
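      steps:
      # uses/with are keys of the same step as name, so they are indented under the list item.
      # Consider pinning the action to a full commit SHA (docker/login-action@<commit-sha>)
      # rather than a mutable tag, since this step handles registry credentials.
      - name: Login to DockerHub
        uses: docker/login-action@v2
        with:
          # Both values are resolved from the repository's encrypted secrets at run time.
          username: ${{ secrets.dockerUsername }}
          password: ${{ secrets.dockerAccessToken }}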
      ```
    </CodeGroup>
  </Accordion>
</AccordionGroup>
