# Environment Variable Secret Exposure

- ID: go-env-vars-secret-exposure
- Severity: HIGH
- CWE: Information Exposure (CWE-200)
- Languages: Go
- Frameworks: stdlib, gin, echo, fiber, chi

## Description

Environment variables containing secrets flow to logs or HTTP responses.

## Detection Message

Environment variable from {source} is exposed through {sink}. This may leak sensitive credentials (API keys, passwords, tokens).

## Remediation

Use environment variables for configuration only, never log or return them.

```go
apiKey := os.Getenv("API_KEY")
if apiKey == "" {
	log.Fatal("API_KEY not configured")
}
// Use apiKey internally, never log or return it
```

Learn more: https://shoulder.dev/learn/go/cwe-200/env-vars-secret-exposure

## Related Rules

- **LLM Model Theft** [HIGH]
- **LLM Sensitive Information Disclosure** [HIGH]
- **Sensitive Field Exposure in API Response** [CRITICAL]
- **Environment Variable Secret Exposure** [HIGH]
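One way to enforce the remediation so that an accidental log call or response dump cannot carry the value is to wrap the variable in a type that masks itself in `fmt` and `encoding/json`. This is an added example, not code from the rule or its documentation; `Secret`, `LoadSecret`, `Config`, `Sinks` and the key value are hypothetical names and constructed data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
)

// Secret wraps a credential so log and response sinks receive a placeholder.
type Secret struct{ v string }

// Format implements fmt.Formatter, masking every verb (%v, %s, %+v, %#v).
func (Secret) Format(f fmt.State, _ rune) { fmt.Fprint(f, "[REDACTED]") }
// MarshalJSON masks the value when a struct holding it is serialized.
func (Secret) MarshalJSON() ([]byte, error) { return []byte(`"[REDACTED]"`), nil }
// Reveal is the single greppable point where the raw value leaves the wrapper.
func (s Secret) Reveal() string { return s.v }

// LoadSecret reads an environment variable and fails closed when it is unset.
func LoadSecret(name string) (Secret, error) {
	v := os.Getenv(name)
	if v == "" {
		return Secret{}, fmt.Errorf("%s not configured", name)
	}
	return Secret{v}, nil
}

// Config is a hypothetical settings struct that a debug endpoint might dump.
type Config struct {
	Region string `json:"region"`
	APIKey Secret `json:"api_key"`
}

// Sinks sends cfg to the two sinks the rule names: a log line and an HTTP body.
func Sinks(cfg Config) (logLine, body string) {
	rec := httptest.NewRecorder()
	http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		_ = json.NewEncoder(w).Encode(cfg)
	}).ServeHTTP(rec, httptest.NewRequest("GET", "/debug", nil))
	return fmt.Sprintf("cfg=%+v key=%#v", cfg, cfg.APIKey), rec.Body.String()
}

func main() {
	os.Setenv("API_KEY", "sk-constructed-example") // constructed sample value
	key, _ := LoadSecret("API_KEY")
	fmt.Println(Sinks(Config{Region: "eu-west-1", APIKey: key}))
}
```

`fmt` only calls `Format` on exported struct fields, so a `Secret` held in an unexported field of a struct printed with `%+v` would still show its raw contents; keep such fields exported or hold the value behind a pointer.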