
openai_api_key false positive

Open iportilla opened this issue 5 months ago • 3 comments

Describe the bug
scan this sample code

To Reproduce

```python
from flask import Flask, request, jsonify
import openai
import datetime

app = Flask(__name__)
openai.api_key = "sk-123456789"  # Hardcoded key


@app.route("/chat", methods=["POST"])
def chat():
    user_input = request.json.get("message", "")
    response = openai.ChatCompletion.create(
        model="gpt-4",
        messages=[{"role": "user", "content": user_input}],
    )
    return jsonify({"response": response["choices"][0]["message"]["content"]})
```

Expected behavior

```python
openai.api_key = "sk-123456789"  # Hardcoded key
```

Screenshots
If applicable, add screenshots to help explain your problem.

What is the priority of the bug to you?

  • [X] P0: blocking your adoption of Semgrep or workflow
  • [ ] P1: important to fix or quite annoying
  • [ ] P2: regular bug that should get fixed

Environment
If not using semgrep.dev: are you running off docker, an official binary, a local build?

Use case
What will fixing this bug enable for you?

iportilla, Jul 20 '25 13:07

For reproduction purposes, what command did you use to scan the sample code?

ievans, Jul 21 '25 20:07

`semgrep scan`, but I was told that my license does not include secrets

iportilla, Jul 21 '25 21:07

If you are not a secrets paying customer you can enable the gitleaks ruleset, which has some coverage (https://semgrep.dev/p/gitleaks), but it's outdated and does not cover the new syntax, I believe, for OpenAI. PRs are welcome at https://github.com/semgrep/semgrep-rules -> https://github.com/semgrep/semgrep-rules/blob/f672cf35912e81b4f57265ab664942bf8f8b6e57/generic/secrets/gitleaks/openai-api-key.yaml

LewisArdern, Jul 22 '25 20:07
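As an added example (not a rule from semgrep-rules, and not code from anyone in this thread), here is a syntax-aware Python rule that would flag the `openai.api_key = "sk-..."` assignment in the sample above as well as the `api_key=` argument of the v1 SDK client constructors, which the generic gitleaks regex rule linked above does not target. The rule id, message, metadata, pattern list and the key regex are my own choices, not anything the project has published.

```yaml
rules:
  - id: hardcoded-openai-api-key-python
    languages: [python]
    severity: ERROR
    message: >-
      An OpenAI API key appears to be hardcoded in source. Read it from the
      environment or a secrets manager instead, and rotate this key.
    metadata:
      category: security
      subcategory: [secrets]
      technology: [openai]
    patterns:
      - pattern-either:
          # Legacy module-level configuration, as in the issue's sample code.
          - pattern: openai.api_key = $KEY
          # Client constructors from the v1 openai SDK; "..." allows other
          # keyword arguments before or after api_key.
          - pattern: openai.OpenAI(..., api_key=$KEY, ...)
          - pattern: openai.AsyncOpenAI(..., api_key=$KEY, ...)
          - pattern: OpenAI(..., api_key=$KEY, ...)
          - pattern: AsyncOpenAI(..., api_key=$KEY, ...)
      # Fire only when the bound value is a string literal that looks like a
      # key. Identifiers cannot contain "-", so os.environ["OPENAI_API_KEY"]
      # or a variable named api_key never matches. Quotes are optional in the
      # regex so the rule works whether or not Semgrep strips them from the
      # literal before applying it (assumption made here for robustness).
      - metavariable-regex:
          metavariable: $KEY
          regex: ^["']?sk-[A-Za-z0-9_-]{8,}["']?$
```

Run it against the sample with `semgrep --config hardcoded-openai-api-key.yaml app.py` (file names assumed); the `{8,}` minimum length is deliberately loose so that short test keys like the `sk-123456789` in the issue are reported, and the character class also admits the `sk-proj-` prefixed keys newer accounts receive. A PR to semgrep-rules would pair a rule like this with a test file annotated with `# ruleid:` and `# ok:` comments for the true and false cases.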