# Cleartext Storage of Sensitive Information in an Environment Variable (CWE-526)

The product uses environment variables to store sensitive information, but the environment is accessible to other processes or users.

- Prevalence: Medium (1 language covered)
- Impact: High (1 high-severity rule)
- Prevention: Documented (1 fix example)

**OWASP:** Security Misconfiguration (A05:2021-Security Misconfiguration) - #5

## Description

Environment variables are often visible to child processes and may be logged or exposed through error messages. Storing sensitive information such as credentials in environment variables can lead to information disclosure.

## Prevention

### Go

- Never log or expose environment variables containing secrets.

## Consequences

- Read Application Data
- Gain Privileges

## Mitigations

- Use dedicated secret management systems
- Encrypt sensitive values before storing them in environment variables
- Limit access to the process environment

## Detection

- Total rules: 1
- Languages: go

## Rules by Language

### Go (1 rule)

- **Environment Variable Exposure** [HIGH]: Environment variables logged or included in HTTP responses.
  - Remediation: Use environment variables for configuration only; never log or expose them.

```go
dbURL := os.Getenv("DATABASE_URL")
// Use dbURL for the connection only.
// Never log it: log.Printf("DB: %s", dbURL) // Wrong!
```

Learn more: https://shoulder.dev/learn/go/cwe-526/env-var-exposure
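The rule above flags environment values reaching a log line or an HTTP response. The following Go program is an added example, not code from the page or the linked project: it shows the safe counterpart to the flagged `log.Printf`, redacting the password out of a `DATABASE_URL` before it is logged and scrubbing secret-named variables from an `os.Environ()` dump. The variable-name patterns in `isSecretVar` and the sample DSN are assumptions for this example.

```go
package main

import (
	"log"
	"net/url"
	"os"
	"strings"
)

// redactDSN returns a loggable form of a database URL with any password removed.
// A value that fails to parse is reported only as "<unparseable>" so nothing leaks.
func redactDSN(dsn string) string {
	u, err := url.Parse(dsn)
	if err != nil {
		return "<unparseable>"
	}
	if u.User != nil {
		if _, hasPwd := u.User.Password(); hasPwd {
			u.User = url.UserPassword(u.User.Username(), "REDACTED")
		}
	}
	return u.String()
}

// isSecretVar reports whether a variable must never reach a log or an HTTP response
// (the name patterns are an assumption for this example, not a standard list).
func isSecretVar(name string) bool {
	return name == "DATABASE_URL" ||
		strings.HasSuffix(name, "_SECRET") ||
		strings.HasSuffix(name, "_PASSWORD") ||
		strings.HasSuffix(name, "_TOKEN")
}

// loggableEnv rewrites "KEY=value" entries (the shape os.Environ returns) so that
// secret values are replaced before the slice is printed or sent to a client.
func loggableEnv(environ []string) []string {
	out := make([]string, 0, len(environ))
	for _, kv := range environ {
		k, v, _ := strings.Cut(kv, "=")
		if isSecretVar(k) {
			v = "[redacted]"
		}
		out = append(out, k+"="+v)
	}
	return out
}

func main() {
	dbURL := os.Getenv("DATABASE_URL") // e.g. postgres://app:hunter2@db.internal/prod
	// Wrong: log.Printf("DB: %s", dbURL) would write the password to the log.
	log.Printf("DB: %s; env: %v", redactDSN(dbURL), loggableEnv(os.Environ()))
}
```

The same `redactDSN`/`loggableEnv` pair belongs in front of any diagnostics or health endpoint that would otherwise echo configuration back to a client.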