Do not read secrets directly from command line arguments. When a command
accepts a secret through an argument such as --password or --api-key, the
argument value is visible to every local user in ps output and is recorded in
shell history. It also encourages passing secrets through environment
variables, which is likewise insecure.
Example
argparse_add_argument_password.py

```python
import argparse

parser = argparse.ArgumentParser(
    prog="ProgramName",
    description="What the program does",
)
parser.add_argument(
    "-u",
    "--user",
    dest="user",
    action="store",
    help="user for the database",
)
parser.add_argument(
    "-p",
    "--password",
    dest="password",
    action="store",
    help="password for the database",
)
```
Example Output
```text
> precli tests/unit/rules/python/stdlib/argparse/examples/argparse_add_argument_password.py
⛔️ Error on line 8 in argparse_add_argument_password.py
PY027: Invocation of Process Using Visible Sensitive Information
Secrets in CLI arguments are leaked to command history, logs, ps output, etc.
```
Consider accepting sensitive data only from an interactive hidden prompt or
via files. A --password-file argument allows a secret to be passed in
discreetly, in a wide variety of contexts.
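The two channels recommended above, a `--password-file` argument and a hidden interactive prompt triggered by a bare `-p` flag, combined in one parser. This is an added example rather than precli's own code; the `read_password_file`, `resolve_password` helpers and the permission warning are assumptions of this example, not behaviour the rule checks.

```python
"""Accept a database password without taking it from the command line.

Added example (not precli's code): the secret arrives either through a file
named by --password-file or through a getpass prompt requested with a bare
-p/--password flag. Only a file path and a flag appear in ps output.
"""
import argparse
import getpass
import os
import stat
import sys
from typing import Callable, Optional


def build_parser() -> argparse.ArgumentParser:
    parser = argparse.ArgumentParser(
        prog="ProgramName",
        description="What the program does",
    )
    parser.add_argument(
        "-u", "--user", dest="user", action="store",
        help="user for the database",
    )
    # A bare flag carries no value, so nothing sensitive is visible in ps
    # output or shell history; the secret itself is collected via getpass.
    parser.add_argument(
        "-p", "--password", dest="password", action="store_true",
        help="prompt for the database password",
    )
    # A path is safe to expose on the command line; only its content is secret.
    parser.add_argument(
        "--password-file", dest="password_file", action="store",
        help="file whose first line is the database password",
    )
    return parser


def read_password_file(path: str) -> str:
    """Return the first line of the file without its trailing newline."""
    mode = os.stat(path).st_mode
    # Assumption of this example: warn when the secret file is readable
    # by anyone other than its owner (group or world permission bits set).
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        print(f"warning: {path} is readable by other users", file=sys.stderr)
    with open(path, "r", encoding="utf-8") as fh:
        return fh.readline().rstrip("\r\n")


def resolve_password(
    args: argparse.Namespace,
    prompt: Callable[[str], str] = getpass.getpass,
) -> Optional[str]:
    """Prefer the password file, fall back to a hidden prompt, else None.

    `prompt` is injectable so the logic can be exercised without a terminal.
    """
    if args.password_file:
        return read_password_file(args.password_file)
    if args.password:
        return prompt("Database password: ")
    return None


if __name__ == "__main__":
    ns = build_parser().parse_args()
    secret = resolve_password(ns)
    print("password supplied" if secret else "no password supplied")
```

Invoked as `ProgramName -u alice -p`, the process list shows only the flag; with `--password-file /run/secrets/db` it shows only the path. Keeping the file owner-readable (mode 0600) is what makes the file channel safe, which is why the reader warns on looser permissions.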
argparse_add_argument_password.py

```python
import argparse

parser = argparse.ArgumentParser(
    prog="ProgramName",
    description="What the program does",
)
# store_true makes -p a bare flag: it signals that a password is needed but
# carries no value, so the secret never appears in ps output or shell history.
# The program should then read the password from a hidden prompt or a file.
parser.add_argument(
    "-p",
    "--password",
    dest="password",
    action="store_true",
    help="password for the database",
)
```
Default Configuration
```toml
enabled = true
level = "error"
sensitive_arguments = [
    "--api-key",
    "--password",
    "--token"
]
```
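The configured `sensitive_arguments` list drives the check. The following is an added illustration, not precli's implementation: a minimal AST pass that reports `add_argument()` calls whose option string is in that list and whose action consumes a value. The set of value-taking actions is an assumption of this example; the page's own examples only show the omitted and `"store"` cases, and a bare `store_true` flag is not reported because no secret travels on the command line.

```python
"""Flag argparse add_argument() calls that take a secret as an option value.

Added example (not precli's code). Mirrors the rule's sensitive_arguments
configuration with a small AST walk over Python source text.
"""
import ast
from typing import List, Optional, Sequence, Tuple

# Default list from the rule's configuration on this page.
SENSITIVE_ARGUMENTS = ["--api-key", "--password", "--token"]

# Assumption of this example: actions that consume a command line value.
# None stands for an omitted action, which argparse treats as "store".
VALUE_TAKING_ACTIONS = {None, "store", "append", "extend"}

# Constructed sample input: lines 4 and 5 take a secret as a value, line 6
# uses a bare flag and is therefore not reported.
SAMPLE_SOURCE = """\
import argparse
parser = argparse.ArgumentParser()
parser.add_argument("-u", "--user", action="store")
parser.add_argument("-p", "--password", action="store")
parser.add_argument("--token")
parser.add_argument("--api-key", dest="api_key", action="store_true")
"""


def _action_of(call: ast.Call) -> Optional[str]:
    """Return the literal action= keyword value, or None when omitted."""
    for kw in call.keywords:
        if kw.arg == "action" and isinstance(kw.value, ast.Constant):
            return kw.value.value
    return None


def find_sensitive_arguments(
    source: str, sensitive: Sequence[str] = SENSITIVE_ARGUMENTS
) -> List[Tuple[int, str]]:
    """Return (line number, option string) for each value-taking secret option."""
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr == "add_argument"):
            continue
        # Positional string constants are the option strings ("-p", "--password").
        options = [
            a.value for a in node.args
            if isinstance(a, ast.Constant) and isinstance(a.value, str)
        ]
        hit = next((o for o in options if o in sensitive), None)
        if hit is None:
            continue
        if _action_of(node) in VALUE_TAKING_ACTIONS:
            findings.append((node.lineno, hit))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, option in find_sensitive_arguments(SAMPLE_SOURCE):
        print(f"line {lineno}: {option} is read from a command line value")
```

Run against the vulnerable example at the top of this page, the pass reports the `--password` call; run against the corrected example, it reports nothing because the action is `store_true`.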
New in version 0.3.14
Changed in version 0.4.1: --api-key also checked