# Guideline: Remove leaked secrets from source code

> How to detect and remove hardcoded secrets from your software source code.

Version 02. Updates:

* Invoke-WebRequest link
* For secrets stored in source code
* For secrets stored in configuration files

Storing sensitive data directly in source code (secrets hardcoding) is a security vulnerability. Through accidental source code exposure, or server-side file reading attacks, these secrets can be collected by attackers, who can then gain unauthorized access to related systems.

Therefore, this insecure storage practice must be strictly avoided during software development. Below is how to detect and remove secrets from your project's source code safely with Locker Secrets Manager.

### Install Locker CLI

<Tabs>
  <Tab title="Windows">
    ```powershell theme={null}
    Start-Process powershell -Verb runAs
    New-Item -Path "$HOME\.locker" -ItemType Directory -Force
    Invoke-WebRequest -Uri "https://locker.io/secrets/download/cli-windows" -OutFile "$HOME\.locker\locker.exe"
    $oldPath = [System.Environment]::GetEnvironmentVariable("Path", [System.EnvironmentVariableTarget]::Machine)
    $newPath = "$oldPath;$HOME\.locker"
    [System.Environment]::SetEnvironmentVariable("Path", $newPath, [System.EnvironmentVariableTarget]::Machine)
    ```
  </Tab>

  <Tab title="Linux">
    ```bash theme={null}
    mkdir -p ~/.locker
    wget https://locker.io/secrets/download/cli-linux -O ~/.locker/locker
    chmod +x ~/.locker/locker
    sudo ln -sf ~/.locker/locker /usr/local/bin/locker
    ```
  </Tab>

  <Tab title="macOS (arm)">
    ```bash theme={null}
    mkdir -p ~/.locker
    wget https://locker.io/secrets/download/cli-mac-arm64 -O ~/.locker/locker
    chmod +x ~/.locker/locker
    sudo ln -sf ~/.locker/locker /usr/local/bin/locker
    ```
  </Tab>

  <Tab title="macOS (x64)">
    ```bash theme={null}
    mkdir -p ~/.locker
    wget https://locker.io/secrets/download/cli-mac-x64 -O ~/.locker/locker
    chmod +x ~/.locker/locker
    sudo ln -sf ~/.locker/locker /usr/local/bin/locker
    ```
  </Tab>
</Tabs>

### Detect Secrets in your project

Use the `scan` command as follows:

```bash theme={null}
locker scan --source <path-to-source-code>
```

You will get results including: the file path containing secrets, the secret value found, the line number containing the secret, the secret type, and the commit hash.

<img src="https://mintcdn.com/locker/QUgTEfHYF1luiq3D/images/en/locker-secrets-manager/get-started/scan-result.png?fit=max&auto=format&n=QUgTEfHYF1luiq3D&q=85&s=00d0460af3d1eab50eaf997e22595f97" alt="Locker scan command results" width="728" height="562" data-path="images/en/locker-secrets-manager/get-started/scan-result.png" />
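As an added illustration of what a secrets scan reports (this is example code written for this page, not the Locker CLI's own implementation, and it is deliberately simpler than a real scanner), the following script searches text for credential-like assignments and reports the file path, line number, key name and secret type, while skipping placeholders, short values and low-entropy strings. The sample `settings.py` and `.env` contents, and the credential values inside them, are constructed; the function and threshold names are this example's own.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Key names that usually hold credentials; a match here is what makes a value worth inspecting.
SECRET_KEY_WORDS = ("password", "passwd", "pwd", "secret", "token",
                    "api_key", "apikey", "access_key", "private_key")

# Matches `key: "value"` / `key = "value"` (Python, JSON, YAML style) and `KEY=value` (.env style).
ASSIGN_RE = re.compile(
    r'''["']?(?P<key>[A-Za-z_][A-Za-z0-9_]*)["']?\s*[:=]\s*'''
    r'''(?:["'](?P<quoted>[^"']*)["']|(?P<bare>[^\s,#]+))'''
)


@dataclass
class Finding:
    path: str
    line: int
    key: str
    secret_type: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking credentials score high, words and repeats score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def looks_like_placeholder(value: str) -> bool:
    """Template values such as <YOUR_TOKEN>, {secret} or CHANGEME are not live credentials."""
    upper = value.upper()
    return value.startswith(("<", "{", "$")) or any(
        marker in upper for marker in ("YOUR_", "CHANGEME", "EXAMPLE", "XXXX"))


def classify(key: str) -> str:
    """Map a key name to a coarse secret type, most specific words first."""
    k = key.lower()
    for word, label in (("password", "password"), ("passwd", "password"), ("pwd", "password"),
                        ("private_key", "private_key"), ("api_key", "api_key"), ("apikey", "api_key"),
                        ("access_key", "access_key"), ("token", "token"), ("secret", "secret")):
        if word in k:
            return label
    return "generic"


def scan_text(path: str, text: str, min_len: int = 16, min_entropy: float = 3.0) -> list[Finding]:
    """Report assignments whose key looks credential-like and whose value looks like a real secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ASSIGN_RE.finditer(line):
            key = m.group("key")
            if not any(w in key.lower() for w in SECRET_KEY_WORDS):
                continue
            value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
            # Short values, templates and low-entropy strings are skipped to keep the report actionable.
            if len(value) < min_len or looks_like_placeholder(value) or shannon_entropy(value) < min_entropy:
                continue
            findings.append(Finding(path, lineno, key, classify(key), value))
    return findings


def report(path: str, text: str) -> list[str]:
    """One line per finding; the value is masked so the report itself does not leak the secret."""
    return [f"{f.path}:{f.line} {f.key} ({f.secret_type}) value={f.value[:4]}..."
            for f in scan_text(path, text)]


# Constructed sample inputs: the values below are made up and are not real credentials.
SAMPLE_SETTINGS_PY = """\
# settings.py (constructed sample)
DEFAULT_CONFIG = {
  "database": {
    "host": "mysql.myserver.com",
    "port": 3306,
    "username": "my_database",
    "password": "xK9pQ2mZ7vL4nR8sT1wY5bC3dF6gH0jA",
  },
  "request": {
    "access_key_id": "ak29NASAs",
    "secret_token": "<YOUR_SECRET_TOKEN>",
    "api_key": "aaaaaaaaaaaaaaaaaaaaaaaa",
  },
}
"""

SAMPLE_DOTENV = """\
# .env (constructed sample)
DB_HOST=localhost
DB_PASSWORD=xK9pQ2mZ7vL4nR8sT1wY5bC3dF6gH0jA
"""

if __name__ == "__main__":
    for line in report("settings.py", SAMPLE_SETTINGS_PY) + report(".env", SAMPLE_DOTENV):
        print(line)
```

Only the `password` line of the sample settings and the `DB_PASSWORD` line of the sample `.env` are reported: the short `access_key_id`, the `<YOUR_SECRET_TOKEN>` placeholder and the repeated-character `api_key` are filtered out, which is the kind of noise reduction you want before triaging real scan output.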

### Change to a secure way of storing Secrets

Using the scan findings, you then need to move each detected secret out of the code into secure storage instead of hardcoding it.

**Initialize a project on Locker Secrets**

* Create a Locker Secrets account here if you don't have one yet.
* Create a new project, corresponding to the project that contains your secrets.
* Create an Access Key in the Project. This is the key pair you will use for the Locker SDK in the following steps.

### For secrets stored in source code

With a small number of secrets stored in source code, you can manually update them by following these steps:

1. Add the corresponding hardcoded secrets to the Locker Secrets Project you just created through the web interface.
2. Install the Secrets SDK corresponding to the language you are using here.
3. Use the Access Key and Secret Access Key pair above to initialize the SDK Config object.
4. Manually find the location where your secret is hardcoded, then replace it by using the SDK to call the corresponding secret variable that was previously stored.

<Note>
  The automatic secrets update feature is being developed and will be available in upcoming versions.
</Note>

**Example with Python**

Suppose you have a `settings.py` file with hardcoded values as follows:

```python theme={null}
# ...
DEFAULT_CONFIG = {
  "database": {
    "host": "mysql.myserver.com",
    "port": 3306,
    "username": "my_database",
    "password": "Ol1PPgsG4htlBb0q7THJP7nWyBJXbAJg"
  },
  "request": {
    "access_key_id": "ak29NASAs",
    "secret_token": "qHg34VAGQZwCkUy4UjZQAsCVeH6TvsJg"
  }
}
# ...
```

Locker CLI has detected hardcoding at the following lines:

```python theme={null}
"password": "Ol1PPgsG4htlBb0q7THJP7nWyBJXbAJg"
...
"secret_token": "qHg34VAGQZwCkUy4UjZQAsCVeH6TvsJg"
```

You will need to create the corresponding secrets on the Locker Project through the web interface as follows:

```
DATABASE_PASSWORD: Ol1PPgsG4htlBb0q7THJP7nWyBJXbAJg
REQUEST_SECRET_TOKEN: qHg34VAGQZwCkUy4UjZQAsCVeH6TvsJg
```

Install the Locker Secret SDK and replace the hardcoding by using the SDK.

`requirements.txt`

```
...
lockerpm
...
```

Store your Locker Access Key pair using environment variables:

<Tabs>
  <Tab title="Linux/macOS">
    ```bash theme={null}
    export ACCESS_KEY_ID=<YOUR_ACCESS_KEY_ID>
    export SECRET_ACCESS_KEY=<YOUR_SECRET_ACCESS_KEY>
    ```
  </Tab>

  <Tab title="Windows (PowerShell)">
    ```powershell theme={null}
    $Env:ACCESS_KEY_ID = '<YOUR_ACCESS_KEY_ID>'
    $Env:SECRET_ACCESS_KEY = '<YOUR_SECRET_ACCESS_KEY>'
    ```
  </Tab>

  <Tab title="Windows (Command Prompt)">
    ```cmd theme={null}
    set ACCESS_KEY_ID=<YOUR_ACCESS_KEY_ID>
    set SECRET_ACCESS_KEY=<YOUR_SECRET_ACCESS_KEY>
    ```
  </Tab>
</Tabs>

Declare and initialize the Locker Secret Manager object:

`secret_management.py`

```python theme={null}
import os
from locker import Locker

# Read the Access Key pair from the environment variables set above
client = Locker(
    access_key_id=os.getenv("ACCESS_KEY_ID"),
    secret_access_key=os.getenv("SECRET_ACCESS_KEY"),
)
```

Replace the hardcoding by using the SDK to call variables:

`settings.py`

```python theme={null}
from secret_management import client
# ...
DEFAULT_CONFIG = {
  "database": {
    "host": "mysql.myserver.com",
    "port": 3306,
    "username": "my_database",
    "password": client.get("DATABASE_PASSWORD"),
  },
  "request": {
    "access_key_id": "ak29NASAs",
    "secret_token": client.get("REQUEST_SECRET_TOKEN")
  }
}
# ...
```
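The `settings.py` above silently passes `None` to the SDK if `ACCESS_KEY_ID` or `SECRET_ACCESS_KEY` is unset, and a misspelled secret name only fails at the point of use. The following added example (written for this page, not part of the Locker SDK or the project) shows the same replacement pattern with fail-fast checks: required environment variables are validated before the client is created, and a missing secret produces a clear error. Because the real SDK cannot be reached offline, it uses an in-memory stand-in client with the same `get(key)` shape; `InMemorySecretClient`, `require_env`, `MissingConfiguration` and the sample environment and store are this example's own, hypothetical names and constructed values.

```python
import os


class MissingConfiguration(RuntimeError):
    """Raised when a required environment variable or secret is absent."""


def require_env(name, environ=None):
    """Return a required environment variable, failing fast if it is unset or empty."""
    environ = os.environ if environ is None else environ
    value = environ.get(name)
    if not value:
        raise MissingConfiguration(f"required environment variable {name} is not set")
    return value


class InMemorySecretClient:
    """Hypothetical stand-in for the Locker SDK client: same get(key) shape, backed by a dict."""

    def __init__(self, access_key_id, secret_access_key, store):
        if not access_key_id or not secret_access_key:
            raise MissingConfiguration("access key pair is required")
        self._store = dict(store)

    def get(self, key):
        try:
            return self._store[key]
        except KeyError:
            raise MissingConfiguration(f"secret {key!r} not found in the project") from None


def build_client(environ=None, store=None):
    """Create the client from the environment; swap the stand-in for locker.Locker(...) in a real project."""
    return InMemorySecretClient(
        access_key_id=require_env("ACCESS_KEY_ID", environ),
        secret_access_key=require_env("SECRET_ACCESS_KEY", environ),
        store=store or {},
    )


def build_config(client):
    """The settings dict with every credential resolved through the client instead of a literal."""
    return {
        "database": {
            "host": "mysql.myserver.com",
            "port": 3306,
            "username": "my_database",
            "password": client.get("DATABASE_PASSWORD"),
        },
        "request": {
            "access_key_id": "ak29NASAs",
            "secret_token": client.get("REQUEST_SECRET_TOKEN"),
        },
    }


def load_config_or_error(environ, store):
    """Return (config, None) on success or (None, message) when something required is missing."""
    try:
        return build_config(build_client(environ, store)), None
    except MissingConfiguration as exc:
        return None, str(exc)


# Constructed sample values (not real credentials) so the example runs offline.
SAMPLE_ENVIRON = {"ACCESS_KEY_ID": "example-access-key-id", "SECRET_ACCESS_KEY": "example-secret-access-key"}
SAMPLE_STORE = {"DATABASE_PASSWORD": "constructed-db-password", "REQUEST_SECRET_TOKEN": "constructed-token"}

if __name__ == "__main__":
    config, error = load_config_or_error(SAMPLE_ENVIRON, SAMPLE_STORE)
    print("loaded" if error is None else f"startup failed: {error}")
    _, error = load_config_or_error({}, SAMPLE_STORE)
    print(f"startup failed: {error}")
```

Failing at startup with the name of the missing variable or secret is preferable to a `None` credential reaching the database driver, where the resulting error is harder to trace back to configuration.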

With a large number of secrets, you can use the `scan fix` option. This option will upload all of your secrets to the corresponding Locker project, and automatically replace the secrets in the source code by using the SDK:

1. Store the Locker Access Key pair using environment variables (same as above).
2. Use the `scan fix` command:

```bash theme={null}
locker scan fix --source <path-to-source-code> --language <program-language>
```

3. Review your source code to ensure the secrets are called and used for their intended purpose.

<Note>
  Currently, the scan fix option is only supported for the Python language. Other languages will be added in the near future.
</Note>

**Example with the scan fix command:**

After running `locker scan fix --source . --language python`, the secrets are automatically uploaded to the project with incrementally named keys such as `SECRET1` and `SECRET2`, and a Locker SDK instance is initialized:

`secret_manager.py`

```python theme={null}
import os
from locker import Locker
locker_client = Locker(
    access_key_id=os.getenv("LOCKER_ACCESS_KEY_ID"),
    secret_access_key=os.getenv("LOCKER_SECRET_ACCESS_KEY")
)
```

`settings.py`

```python theme={null}
from secret_manager import locker_client
# ...
DEFAULT_CONFIG = {
  "database": {
    "host": "mysql.myserver.com",
    "port": 3306,
    "username": "my_database",
    "password": locker_client.get("SECRET1"),
  },
  "request": {
    "access_key_id": "ak29NASAs",
    "secret_token": locker_client.get("SECRET2")
  }
}
# ...
```

### For secrets stored in environment variable files

1. Check whether the environment variable file is necessary for the project. If not, proceed to delete this environment variable file.
2. If your project needs the secrets in this environment variable file, configure Locker with the Access Key pair you created using the command:

```bash theme={null}
locker configuration --access-key-id {access key id} --secret-access-key {secret access key}
```

3. Save the secret to the Locker Secret Vault:

```bash theme={null}
locker secret create --key {secret key} --value {secret value} --description {secret description (optional)} --environment {secret environment}
```

4. Use the `locker secret run` command to run your project with the stored secrets:

```bash theme={null}
locker secret run --environment dev --command your_command
```

The `locker secret run` command injects the secrets from the specified environment as environment variables into your program's run command.

5. Delete the secrets stored in your environment variable file.

### For secrets stored in configuration files

1. Configure Locker CLI with the Access Key and Secret Key pair you created earlier:

```bash theme={null}
locker configuration --access-key-id {YOUR_ACCESS_KEY_ID} --secret-access-key {YOUR_SECRET_ACCESS_KEY}
```

2. Based on the scan results, identify the configuration file containing your secrets, then use Locker CLI to import these secrets to the project:

```bash theme={null}
locker secret import --source {CONFIG_FILE_LOCATION}
```

3. If your program uses secrets stored in the configuration file, replace the part of the source code that uses this config file with the Locker SDK.
