no-secrets-in-env
Detects secrets defined directly in environment variable configurations. This rule is part of eslint-plugin-lambda-security.
⚠️ This rule errors by default in the recommended config.
Quick Summary
| Aspect | Details |
|---|---|
| CWE Reference | CWE-798 (Use of Hard-coded Credentials) |
| Severity | 🔴 Critical |
| Auto-Fix | ✅ Yes (suggests Secrets Manager) |
| Category | Security |
| Best For | Lambda configurations, CDK/SAM/Serverless definitions |
Vulnerability and Risk
Vulnerability: Secrets hardcoded in Lambda environment variable configurations are exposed in:
- CloudFormation templates
- AWS Console (visible to anyone with Lambda access)
- Deployment logs
- Version control
Risk: Credential exposure leads to unauthorized access to databases, APIs, and other services.
Examples
❌ Incorrect
```javascript
// CDK - Hardcoded secrets in environment - VULNERABLE
new lambda.Function(this, 'Handler', {
  environment: {
    DATABASE_PASSWORD: 'super_secret_password',
    API_KEY: 'sk-1234567890abcdef',
  },
});

// SAM/CloudFormation template
// Environment:
//   Variables:
//     SECRET_KEY: "hardcoded-secret-value"
```

✅ Correct
```javascript
// CDK - Use Secrets Manager - SAFE
const secret = secretsmanager.Secret.fromSecretNameV2(
  this,
  'DbSecret',
  'prod/db/password',
);

new lambda.Function(this, 'Handler', {
  environment: {
    SECRET_ARN: secret.secretArn,
  },
});

// Reference secret in Lambda code
const {
  SecretsManagerClient,
  GetSecretValueCommand,
} = require('@aws-sdk/client-secrets-manager');

async function getSecret() {
  const client = new SecretsManagerClient({});
  const response = await client.send(
    new GetSecretValueCommand({ SecretId: process.env.SECRET_ARN }),
  );
  return response.SecretString;
}
```

Options
| Option | Type | Default | Description |
|---|---|---|---|
| allowInTests | boolean | true | Allow in test files |
```json
{
  "rules": {
    "lambda-security/no-secrets-in-env": "error"
  }
}
```

Best Practices
Use AWS Secrets Manager
```javascript
// Store secrets in Secrets Manager, reference by ARN
environment: {
  DB_SECRET_ARN: 'arn:aws:secretsmanager:us-east-1:123456789:secret:prod/db',
}
```

Use AWS Systems Manager Parameter Store
```javascript
// For less sensitive configuration
environment: {
  CONFIG_PARAM: '/prod/app/config',
}
```

Related Rules
- `no-hardcoded-credentials-sdk` - AWS SDK credentials
- `no-env-logging` - Logging environment variables
Known False Negatives
The following patterns are not detected due to static analysis limitations:
Secrets from Variables
Why: Values stored in variables are not analyzed.
```javascript
// ❌ NOT DETECTED - Secret from variable
const dbPassword = 'super_secret_password';
new lambda.Function(this, 'Handler', {
  environment: { DATABASE_PASSWORD: dbPassword },
});
```

Mitigation: Use Secrets Manager references. Never store secrets in variables.
Secrets from External Files
Why: Values imported from config files are not visible.
```javascript
// ❌ NOT DETECTED - Secret from config
import { secrets } from './secrets.json';
environment: {
  API_KEY: secrets.apiKey,
}
```

Mitigation: Apply the rule to config files as well. Use Secrets Manager.
Construct Props Spreading
Why: Spread operator hides actual values.
```javascript
// ❌ NOT DETECTED - Environment from spread
const envVars = getEnvironmentConfig();
new lambda.Function(this, 'Handler', {
  environment: { ...envVars }, // May contain secrets
});
```

Mitigation: Explicitly define environment variables.
SSM Parameter Values
Why: Parameter values resolved at deploy time are not checked.
```javascript
// ❌ NOT DETECTED - SSM value at deploy time
const param = ssm.StringParameter.valueForStringParameter(this, '/prod/secret');
environment: {
  SECRET: param, // Value is resolved into the template at deploy time
}
```

Mitigation: Use dynamic SSM resolution at runtime instead.
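All four false negatives above are limits of source-level analysis: the literal value only becomes visible after the CDK app is synthesized. As an added example (not part of `eslint-plugin-lambda-security`), the check below scans a synthesized CloudFormation template for `AWS::Lambda::Function` resources whose secret-named environment variables hold a literal string, and skips `Ref`/`Fn::*` tokens, which is why the deploy-time SSM case still cannot be caught this way. The key-name and safe-reference patterns, the resource names and the sample template are all constructed for this illustration.

```javascript
// Added example: post-synth scan of a CloudFormation template for literal secrets in
// Lambda environment variables. Not part of eslint-plugin-lambda-security.

// Assumed: variable names that usually carry credentials.
const SECRET_KEY_RE = /(password|passwd|secret|token|api[_-]?key|private[_-]?key)/i;
// Assumed safe values: a Secrets Manager / SSM ARN or an SSM parameter path, i.e. a
// reference to a secret store rather than the secret itself.
const REFERENCE_RE = /^(arn:aws:(secretsmanager|ssm):|\/)/;

// Returns one finding per Lambda environment variable that looks like a literal secret.
function findSecretEnvVars(template) {
  const findings = [];
  for (const [logicalId, res] of Object.entries(template.Resources || {})) {
    if (res.Type !== 'AWS::Lambda::Function') continue;
    const vars = (res.Properties && res.Properties.Environment && res.Properties.Environment.Variables) || {};
    for (const [name, value] of Object.entries(vars)) {
      // {Ref}/{Fn::*} objects are resolved at deploy time; their value is not in the template.
      if (typeof value !== 'string') continue;
      if (!SECRET_KEY_RE.test(name)) continue;
      if (REFERENCE_RE.test(value)) continue;
      findings.push({ logicalId, name });
    }
  }
  return findings;
}

// Constructed sample template standing in for `cdk synth` output.
const SAMPLE_TEMPLATE = {
  Resources: {
    Handler: {
      Type: 'AWS::Lambda::Function',
      Properties: {
        Environment: {
          Variables: {
            DATABASE_PASSWORD: 'super_secret_password',            // literal secret: flagged
            SECRET_ARN: 'arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/db', // reference: ok
            CONFIG_PARAM: '/prod/app/config',                       // SSM path: ok
            SECRET: { Ref: 'SsmParameterValueprodsecret' },         // deploy-time token: skipped
            LOG_LEVEL: 'debug',                                     // not secret-named: ignored
          },
        },
      },
    },
  },
};

console.log(JSON.stringify(findSecretEnvVars(SAMPLE_TEMPLATE)));
```

Run it against `cdk.out/*.template.json` in CI after `cdk synth` to catch the variable, config-file and spread cases that the lint rule misses.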
Resources
Error Message Format
The rule provides LLM-optimized error messages (Compact 2-line format) with actionable security guidance:
```text
🔒 CWE-798 OWASP:A04 CVSS:9.8 | Hardcoded Credentials detected | CRITICAL [SOC2,PCI-DSS,HIPAA,GDPR,ISO27001,NIST-CSF]
Fix: Review and apply the recommended fix | https://owasp.org/Top10/A04_2021/
```

Message Components
| Component | Purpose | Example |
|---|---|---|
| Risk Standards | Security benchmarks | CWE-798 OWASP:A04 CVSS:9.8 |
| Issue Description | Specific vulnerability | Hardcoded Credentials detected |
| Severity & Compliance | Impact assessment | CRITICAL [SOC2,PCI-DSS,HIPAA,GDPR,ISO27001,NIST-CSF] |
| Fix Instruction | Actionable remediation | Follow the remediation steps below |
| Technical Truth | Official reference | OWASP Top 10 |