A curated and comprehensive list of common secrets and sensitive environment variables to help developers identify and secure secrets stored in environment variables.
🦄🔒 Awesome list of secrets in environment variables 🖥️
This repository is used by developers, security engineers, and DevOps professionals to understand which environment variables commonly hold secrets such as API keys, tokens, and passwords. It serves as a reference to audit, detect, and improve secrets management practices by avoiding direct storage of sensitive information in environment variables or mitigating their exposure.
Storing secrets directly in environment variables can expose them to attackers through exploits such as the Log4j JNDI vulnerability (CVE-2021-44228). It is recommended to use environment variables to store encrypted values or paths to configuration files instead of raw secrets. Using a WAF to monitor and block suspicious requests containing environment variable data can help prevent leaks.
dir env:
Command to list all environment variables in Windows PowerShell.
printenv
Command to print all environment variables on Linux/macOS terminals.
env
Alternative command to print all environment variables on Linux/macOS terminals.
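An audit built on the `env` output above, added here as an example and not taken from the repository: it flags variables whose names suggest a secret and separates raw values from file-path references, printing names and lengths only, never values. The name pattern, the function names and the sample values are assumptions constructed for illustration; encrypted values cannot be told apart from raw ones by this check.

```shell
#!/bin/sh
# Name fragments that often indicate a secret (assumed heuristic list,
# not the repository's catalogue; expect some false positives).
SECRET_NAME_RE='(SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|PRIVATE_?KEY|ACCESS_?KEY|CREDENTIAL)'

# classify_var NAME VALUE -> prints one of: ok | path | raw
classify_var() {
  if ! printf '%s' "$1" | grep -Eqi "$SECRET_NAME_RE"; then
    echo ok                       # name does not look secret-bearing
  elif [ -z "$2" ]; then
    echo ok                       # nothing stored
  else
    case "$2" in
      /*|./*|'~/'*) echo path ;;  # points at a file: the recommended pattern
      *)            echo raw  ;;  # value stored directly in the environment
    esac
  fi
}

# audit_env: reads NAME=VALUE lines on stdin and reports names only.
audit_env() {
  while IFS= read -r line; do
    case "$line" in *=*) ;; *) continue ;; esac
    name=${line%%=*}
    value=${line#*=}
    # Skip continuation lines of multi-line values (not a valid variable name).
    case "$name" in ''|*[!A-Za-z0-9_]*) continue ;; esac
    case "$(classify_var "$name" "$value")" in
      raw)  printf 'RAW-SECRET? %s (length %d)\n' "$name" "${#value}" ;;
      path) printf 'path-ref    %s\n' "$name" ;;
    esac
  done
  return 0
}

# Constructed sample environment so the example runs offline.
sample_env() {
  cat <<'EOF'
HOME=/home/dev
AWS_SECRET_ACCESS_KEY=constructed-example-value
GITHUB_TOKEN=constructed-example-token
DB_PASSWORD_FILE=/run/secrets/db_password
EOF
}

sample_env | audit_env   # on a real host: env | audit_env
```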