Python Package Index Key

Bridgecrew Policy ID: BC_GIT_61
Chekov Check ID: CKV_SECRET_61
Severity: LOW

Python Package Index Key

Description

The Python Package Index (PyPI) stores meta-data describing distributions packaged with distutils, as well as package data like distribution files if a package author wishes. PyPI lets you submit any number of versions of your distribution to the index. If you alter the meta-data for a particular version, you can submit it again and the index will be updated.

A PyPI API token is a string consisting of a prefix (pypi), a separator (-) and a macaroon serialized with PyMacaroonv2, which means it’s the base64 of:

Fix - Buildtime

PyPi

Some content managers run regexes to try and identify published secrets, and ideally have them deactivated. PyPI has started integrating with such systems in order to help secure packages. For more information see: https://warehouse.pypa.io/development/token-scanning.html?highlight=secrets#token-scanning