Skip to main content

Sensitive Information in Source Code


Avoid exposure of sensitive data


  • Usage of Elixir (1.10 and above) for building scalable and fault-tolerant applications
  • Usage of generic packages or server types


Non compliant code

defmodule MySensitiveInfo do
@password 'sensitive_password'
@api_key 'API_KEY'

The source code contains sensitive data, including a password and an API key, hardcoded in the code. This is a bad practice as it exposes sensitive information directly in the source code, making it accessible to anyone who can access this code.


  • Delete all hardcoded sensitive information from the source code.
  • Change all affected access credentials where these have been exposed.
  • Remove sensitive information from git logs if the code has been previously committed.
  • Use environment variables or a secure key vault service to manage sensitive data.

Compliant code

defmodule MySensitiveInfo do
@password System.get_env('PASSWORD')
@api_key System.get_env('API_KEY')

The revised code now retrieves sensitive data from environment variables, which are set outside of the application and not exposed in the source code. This avoids the direct exposure of sensitive information in the source code.