API

use env vars over hardcoded values

Docs > Datadog Security > Code Security > Static Analysis (SAST) > SAST Rules > use env vars over hardcoded values

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Metadata

ID: python-security/aws-boto-credentials

Language: Python

Severity: Notice

Category: Security

CWE: 798

Description

This rule makes sure that the boto3 library use the environments variables to authenticate instead of using hardcoded credentials. This rule checks for the boto3.client and boto3.Session calls. It addresses the CWE-798 rule - uses of hardcoded credentials in code.

Learn More

Non-Compliant Code Examples

from boto3 import client

cli = client(
    's3',
    aws_access_key_id="AGPAFOOBAR",
    aws_secret_access_key="bar",
    aws_session_token=SESSION_TOKEN
)

import boto3 

client = boto3.client(
    's3',
    aws_access_key_id="AGPAFOOBAR",
    aws_secret_access_key="bar",
    aws_session_token=SESSION_TOKEN
)

import boto3

client = boto3.Session(
    's3',
    aws_access_key_id=ACCESS_KEY,
    aws_secret_access_key=SECRET_KEY,
    aws_session_token="foobar" # hard coded credential
)

Compliant Code Examples

import boto3

client = boto3.Session(
    's3',
    aws_session_token=SESSION_TOKEN
)

import boto3

client = boto3.client(
    's3',
    aws_session_token=SESSION_TOKEN
)

client = boto3.client(
    's3',
    aws_access_key_id=ACCESS_KEY,
    aws_secret_access_key=SECRET_KEY,
    aws_session_token=SESSION_TOKEN
)

How to use this rule

1
2
rulesets:
  - python-security     # Rules to enforce Python security.

Create a static-analysis.datadog.yml with the content above at the root of your repository
Use our free IDE Plugins or add Code Security scans to your CI pipelines
Get feedback on your code

For more information, please read the Code Security documentation

VS Code Extension

Identify code vulnerabilities directly in your
VS Code editor

JetBrains Plugin

Identify code vulnerabilities directly in
JetBrains products