The case against secrets in .env files
Most developers rely on .env files to store secrets like API keys, database passwords, and tokens. But what if I told you this common practice can leave you wide open to attacks?
In this video, I break down why storing secrets in a .env file is dangerous, how attackers can exploit it, and what safer alternatives you should be using instead.
Use Snyk for free to find and fix security issues in your applications today! https://snyk.co/ugLYn
✍️ Resources ✍️
- Jira MCP Hijack Post: https://x.com/mbrg0/status/1953932780855013682
- Crypto Extension Hack Post: https://x.com/0xzak/status/1955265807807545763
- Weaponizing AI Coding Agents Post: https://snyk.co/ujcke
- Shai-Hulud Supply Chain Attack Post: https://snyk.co/ujckf
- Compromised Open Source Maintainer Post: https://snyk.co/ujckg
⏲️ Chapters ⏲️
00:00 - Intro
01:03 - Why .env files are bad
01:56 - Safer alternatives
02:39 - Doppler demo
04:56 - How this works
07:16 - 1Password demo
10:00 - Why this is good
10:28 - 1Password in action
10:58 - Conclusion and outro
⚒️ About Snyk ⚒️
Snyk helps you find and fix vulnerabilities in your code, open-source dependencies, containers, infrastructure-as-code, software pipelines, IDEs, and more! Move fast, stay secure.
Learn more about Snyk: https://snyk.co/ugLYl
📱 Connect with Us 📱
🖥️ Website: https://snyk.co/ugLYl
🐦 X: http://twitter.com/snyksec
💼 LinkedIn: https://www.linkedin.com/company/snyk
💬 Discord: https://discord.gg/devsecops-community-918181751526948884
- Subscribe: https://www.youtube.com/c/SnykSec
- 🔥 We're hiring! Check our open roles: https://snyk.co/ugLYp
🔗 Hashtags 🔗
#DevSecOps #aiCode #aiCoding #aiCodingTools #performance #test #ai #snyk #safety #development #environmentvariables #devops #secrets #secretemanagement