do not pass hardcoded credentials

Docs > Plateforme de sécurité Datadog > Code Security > Static Analysis (SAST) > SAST Rules > do not pass hardcoded credentials

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Metadata

ID: python-security/sql-server-security-credentials

Language: Python

Severity: Error

Category: Security

Description

Hardcoding database credentials directly in your source code is a security risk as anyone with access to your source code and see your credentials. It’s strongly recommended to use a different approach that limits the exposure of your credentials.

Non-Compliant Code Examples

import psycopg2

conn = psycopg2.connect(database="db_name",
                        host="db_host",
                        user="db_user",
                        password="db_pass", # hardcoded password
                        port="db_port")

import mysql.connector

connection = mysql.connector.connect(
  host=host,
  user=user,
  passwd=f"password", # hardcoded password
  database=database,
  charset='utf8mb4',
  use_pure=True,
  connection_timeout=5)

import mysql.connector

connection = mysql.connector.connect(
  host=host,
  user=user,
  passwd="password", # hardcoded password
  database=database,
  charset='utf8mb4',
  use_pure=True,
  connection_timeout=5)

Compliant Code Examples

import mysql.connector

connection = mysql.connector.connect(
  host=host,
  user=user,
  passwd=password,
  database=database,
  charset='utf8mb4',
  use_pure=True,
  connection_timeout=5)

import mysql.connector

connection = mysql.connector.another_function(
  host=host,
  user=user,
  passwd=f"password",
  database=database,
  charset='utf8mb4',
  use_pure=True,
  connection_timeout=5)