Secrets Scanning

It is important to manage your secrets (API keys, tokens and other credentials, normally supplied as environment variables) properly. The most common way people expose their secrets is by hard-coding them directly in their app.py files, which makes it possible for a malicious user to read the secrets and use the services those secrets grant access to.

For example, this is what a compromised app.py file might look like:

import numpy as np
import scipy as sp

# The secret is committed with the source: anyone who can read the repository can use it.
api_key = "sw-xyz1234567891213"

def call_inference(prompt: str) -> str:
    # call_api stands in for whatever client the app uses; the hard-coded key is handed to it.
    result = call_api(prompt, api_key)
    return result

To prevent this issue, we run an automated bot (Spaces Secrets Scanner) that scans for hard-coded secrets and, if any are found, opens a discussion describing the exposed secrets and how to handle the problem.
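As an added illustration (not the Spaces Secrets Scanner itself, whose rules are not shown here), the check below does in miniature what such a scanner looks for: a credential-named variable bound directly to a string literal. It is run over a constructed copy of the leaky app.py above and over a hardened version that reads the key from an environment variable; the name pattern and `API_KEY` variable are assumptions.

```python
import ast
import re

# Variable names that usually hold credentials (assumption: tune for your project).
SECRET_NAME = re.compile(r"(api[_-]?key|secret|token|password|passwd)", re.IGNORECASE)


def find_hardcoded_secrets(source: str, min_len: int = 8):
    """Return (line, name) pairs for assignments of a string literal to a secret-like name.

    Uses the AST rather than a regex so that comments, f-strings and values read
    from os.environ at runtime are not reported; only a bare string constant is.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign):
            continue
        value = node.value
        if not (isinstance(value, ast.Constant) and isinstance(value.value, str)):
            continue
        if len(value.value) < min_len:
            continue  # short literals are rarely credentials; keeps noise down
        for target in node.targets:
            if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                findings.append((node.lineno, target.id))
    return findings


# Constructed sample: the exposed app.py from the text above ...
LEAKY_APP = '''
import numpy as np
api_key = "sw-xyz1234567891213"
def call_inference(prompt): return call_api(prompt, api_key)
'''

# ... and its hardened counterpart: the key is supplied as an environment
# variable (e.g. a Space secret) so nothing sensitive is committed to the repo.
SAFE_APP = '''
import os
api_key = os.environ["API_KEY"]
def call_inference(prompt): return call_api(prompt, api_key)
'''

if __name__ == "__main__":
    for label, src in (("leaky", LEAKY_APP), ("safe", SAFE_APP)):
        print(label, find_hardcoded_secrets(src))  # leaky [(3, 'api_key')], safe []
```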