Invocation of Process Using Visible Sensitive Information in argparse
Do not read secrets directly from command line arguments. When a command
accepts a secret via an argument such as --password or --api-key, the
argument value leaks into ps output and shell history, where any local user
or later reader can see it. Accepting secrets this way also encourages
passing them through environment variables, which are likewise exposed to
other processes and are not a safe place for secrets.
Example
import argparse

parser = argparse.ArgumentParser(
    prog='ProgramName',
    description='What the program does',
)
# The secret itself is taken from argv, so it appears in ps output
# and in the shell history of whoever invoked the program.
parser.add_argument(
    "-p",
    "--password",
    dest="password",
    action="store",
    help="password for the database",
)
Remediation
Consider accepting sensitive data only from an interactive hidden prompt (for example getpass) or from a file. A --password-file argument lets the secret be supplied without ever appearing in argv, and works in a wide variety of contexts, including non-interactive ones. In the remediated example, --password is a boolean flag: its presence tells the program to prompt for the password rather than carrying the value itself.

import argparse

parser = argparse.ArgumentParser(
    prog='ProgramName',
    description='What the program does',
)
# "store_true" makes --password a flag with no value; the program
# prompts for the password (e.g. with getpass) when the flag is set,
# so nothing sensitive ever appears in the command line.
parser.add_argument(
    "-p",
    "--password",
    dest="password",
    action="store_true",
    help="password for the database",
)
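The following is an added, self-contained example (not code from this rule's documentation or from the project) that puts the two remediations together: a --password flag that triggers a hidden prompt, and a --password-file option that reads the secret from a file. The function names (build_parser, read_password_file, resolve_password) and the permission check on the password file are this example's own choices; the sample file it writes is constructed for the demonstration.

```python
import argparse
import getpass
import os
import stat
import tempfile
from pathlib import Path


def build_parser() -> argparse.ArgumentParser:
    """Parser where the secret never travels through argv."""
    parser = argparse.ArgumentParser(
        prog="ProgramName",
        description="What the program does",
    )
    # Either prompt interactively or read from a file, never both.
    group = parser.add_mutually_exclusive_group()
    group.add_argument(
        "-p", "--password", dest="prompt_password", action="store_true",
        help="prompt for the database password interactively",
    )
    group.add_argument(
        "--password-file", dest="password_file", metavar="PATH",
        help="read the database password from the first line of PATH",
    )
    return parser


def read_password_file(path: str, require_private: bool = True) -> str:
    """Return the first line of a password file.

    On POSIX, refuse files readable by group or others (assumed policy:
    a secret file should be mode 0600), so a mis-permissioned file is
    caught before the secret is used.
    """
    p = Path(path)
    if require_private and os.name == "posix":
        mode = stat.S_IMODE(p.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(
                f"{p} is accessible by group/others (mode {mode:o}); use chmod 600"
            )
    with p.open("r", encoding="utf-8") as fh:
        secret = fh.readline().rstrip("\r\n")
    if not secret:
        raise ValueError(f"{p} is empty")
    return secret


def resolve_password(args: argparse.Namespace, prompt=getpass.getpass):
    """Obtain the secret from the file or the hidden prompt, else None.

    `prompt` is injectable so non-interactive callers (tests, services)
    can supply their own source without touching the terminal.
    """
    if args.password_file:
        return read_password_file(args.password_file)
    if args.prompt_password:
        return prompt("Database password: ")
    return None


def demo() -> str:
    """Constructed run: write a 0600 secret file and resolve it via --password-file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "db.pass")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("example-secret\n")  # constructed sample secret
        os.chmod(path, 0o600)
        args = build_parser().parse_args(["--password-file", path])
        return resolve_password(args)


def demo_world_readable_is_rejected() -> bool:
    """Constructed check: a 0644 password file is refused on POSIX."""
    if os.name != "posix":
        return True
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "shared.pass")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("leaked\n")  # constructed sample secret
        os.chmod(path, 0o644)
        try:
            read_password_file(path)
        except PermissionError:
            return True
        return False


if __name__ == "__main__":
    print("resolved from file:", demo())
    print("shared file rejected:", demo_world_readable_is_rejected())
```

With this layout `ps` shows only `ProgramName --password-file /path/to/db.pass` or `ProgramName -p`; the secret itself lives in a private file or is typed into a hidden prompt. The mutually exclusive group also prevents a caller from accidentally combining both sources.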
See also
- argparse — Parser for command-line options, arguments and sub-commands
- CWE-214: Invocation of Process Using Visible Sensitive Information
New in version 0.3.14
Changed in version 0.4.1: --api-key also checked