Hub documentation

Secrets Scanning


It is important to manage your secrets (environment variables such as API keys and tokens) properly. The most common way people expose their secrets is by hard-coding them directly in a file such as app.py, which lets a malicious user read the secret and use the services it grants access to.

For example, this is what an app.py file that exposes a secret might look like:

import numpy as np
import scipy as sp

# Hard-coded credential: anyone who can read this file (including anyone who
# can view the Space's repository) can copy it and call the service as you.
api_key = "sw-xyz1234567891213"

def call_inference(prompt: str) -> str:
    # call_api stands in for whatever client library the app uses
    result = call_api(prompt, api_key)
    return result

To prevent this issue, we run an automated bot (Spaces Secrets Scanner) that scans Spaces for hard-coded secrets and, if any are found, opens a discussion about the exposed secrets and how to handle the problem.
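As an added example (not Hugging Face's own scanner code), here is a minimal Python check in the spirit of the Spaces Secrets Scanner: it flags string literals assigned to credential-looking variable names, using a name heuristic plus length and entropy thresholds that are assumptions of this example, and shows the environment-variable form that avoids the problem. SAMPLE_SOURCE is a constructed input based on the app.py above.

```python
import math
import os
import re

# Constructed sample: the leaky app.py above plus a harmless literal and a safe lookup.
SAMPLE_SOURCE = '''import numpy as np
api_key = "sw-xyz1234567891213"
debug = "true"
hf_token = os.environ["HF_TOKEN"]
'''

# Assumed heuristic: names that usually hold credentials (not the real scanner's rule set).
SECRET_NAMES = re.compile(r"(api[_-]?key|token|secret|password|passwd)", re.IGNORECASE)
# Matches `name = "literal"` or `name = 'literal'` on a single line.
ASSIGNMENT = re.compile(r"""^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(["'])(.+?)\2\s*$""")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking credential strings score high."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_hardcoded_secrets(source: str, min_len: int = 12, min_entropy: float = 3.0):
    """Return (line_no, name, value) for assignments that look like hard-coded secrets.

    Only quoted literals are considered, so `os.environ[...]` lookups never match.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        name, _, value = m.groups()
        if (SECRET_NAMES.search(name) and len(value) >= min_len
                and shannon_entropy(value) >= min_entropy):
            findings.append((line_no, name, value))
    return findings


def load_api_key(env=os.environ) -> str:
    """Hardened form: read the key from the environment (a Space secret), never from source."""
    key = env.get("API_KEY")
    if not key:
        raise RuntimeError("API_KEY is not set; configure it as a Space secret, not in app.py")
    return key


if __name__ == "__main__":
    for line_no, name, _ in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {line_no}: '{name}' looks like a hard-coded secret")
```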
