Close Open Privacy Scan

bolt Snapshot: commit ecd48e2
science engine v3
schedule 2026-07-10T19:15:46.373411+00:00

verified_user Application data leak confirmed

High-confidence data exfiltration identified in application code.

App Privacy Score

0 /100
High privacy risk — application leak confirmed

High risk · 4779 finding(s)

Dependency score: 0 (High risk)

bar_chart Score Breakdown

pii_flow −60
telemetry −25
egress −15
env_fs −3

list Scan Summary

35 high 125 medium 4619 low
First-party packages: 3
Dependency packages: 81
Ecosystem: python

swap_horiz Confirmed data exfiltration in application code

External domains: api.bing.microsoft.comapi.elevenlabs.ioapi.firecrawl.devapi.microsoft.aiapi.mistral.aiapi.openwebui.comapi.perplexity.aidocling:5001github.comgraph.microsoft.comlogin.microsoftonline.compackages.unstructured.iotika:9998{FONT_LOC}

high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/config.py:184 repo/backend/open_webui/config.py:188
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/config.py:184 repo/backend/open_webui/config.py:196
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/config.py:184 repo/backend/open_webui/config.py:205
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/datalab_marker.py:69 repo/backend/open_webui/retrieval/loaders/datalab_marker.py:71
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/datalab_marker.py:89 repo/backend/open_webui/retrieval/loaders/datalab_marker.py:112
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/datalab_marker.py:89 repo/backend/open_webui/retrieval/loaders/datalab_marker.py:147
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/external_document.py:45 repo/backend/open_webui/retrieval/loaders/external_document.py:62
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/main.py:195 repo/backend/open_webui/retrieval/loaders/main.py:197
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/microsoft_web_iq.py:52 repo/backend/open_webui/retrieval/loaders/microsoft_web_iq.py:70
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/mineru.py:216 repo/backend/open_webui/retrieval/loaders/mineru.py:239
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/mineru.py:331 repo/backend/open_webui/retrieval/loaders/mineru.py:341
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/paddleocr_vl.py:45 repo/backend/open_webui/retrieval/loaders/paddleocr_vl.py:61
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/tavily.py:61 repo/backend/open_webui/retrieval/loaders/tavily.py:67
high first-party (npm) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/models/external.py:43 repo/backend/open_webui/retrieval/models/external.py:49
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/config.py:184 repo/backend/open_webui/config.py:188
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/config.py:184 repo/backend/open_webui/config.py:196
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/config.py:184 repo/backend/open_webui/config.py:205
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/datalab_marker.py:69 repo/backend/open_webui/retrieval/loaders/datalab_marker.py:71
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/datalab_marker.py:89 repo/backend/open_webui/retrieval/loaders/datalab_marker.py:112
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/datalab_marker.py:89 repo/backend/open_webui/retrieval/loaders/datalab_marker.py:147
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/external_document.py:45 repo/backend/open_webui/retrieval/loaders/external_document.py:62
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/main.py:195 repo/backend/open_webui/retrieval/loaders/main.py:197
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/microsoft_web_iq.py:52 repo/backend/open_webui/retrieval/loaders/microsoft_web_iq.py:70
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/mineru.py:216 repo/backend/open_webui/retrieval/loaders/mineru.py:239
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/mineru.py:331 repo/backend/open_webui/retrieval/loaders/mineru.py:341
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/paddleocr_vl.py:45 repo/backend/open_webui/retrieval/loaders/paddleocr_vl.py:61
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/tavily.py:61 repo/backend/open_webui/retrieval/loaders/tavily.py:67
high first-party (python) User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/models/external.py:43 repo/backend/open_webui/retrieval/models/external.py:49
hub Dependency data flows (7)
high mcp dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/mcp/client/auth/oauth2.py:433 pkgs/python/[email protected]/src/mcp/client/auth/oauth2.py:452
high openai dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/openai/lib/azure.py:218 pkgs/python/[email protected]/src/openai/lib/azure.py:255
high openai dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/openai/lib/azure.py:499 pkgs/python/[email protected]/src/openai/lib/azure.py:536
high transformers dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:2466 pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:2493
high transformers dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:2466 pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:2494
high transformers dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/transformers/utils/hub.py:163 pkgs/python/[email protected]/src/transformers/utils/hub.py:163
high google-cloud-storage dependency User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/google/cloud/storage/asyncio/retry/writes_resumption_strategy.py:74 pkgs/python/[email protected]/google/cloud/storage/asyncio/retry/writes_resumption_strategy.py:97

</> First-Party Code

first-party (npm)

python first-party
high pii_flow production #a4fc57d7c4604677 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/config.py:188 · flow /tmp/closeopen-cqchdknf/repo/backend/open_webui/config.py:184 → /tmp/closeopen-cqchdknf/repo/backend/open_webui/config.py:188
        r = requests.get(f'https://api.openwebui.com/api/v1/custom/{CUSTOM_NAME}')

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #e971fbf35024b66c User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/config.py:196 · flow /tmp/closeopen-cqchdknf/repo/backend/open_webui/config.py:184 → /tmp/closeopen-cqchdknf/repo/backend/open_webui/config.py:196
                r = requests.get(url, stream=True)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #36fd7b9044f76bc6 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/config.py:205 · flow /tmp/closeopen-cqchdknf/repo/backend/open_webui/config.py:184 → /tmp/closeopen-cqchdknf/repo/backend/open_webui/config.py:205
                r = requests.get(url, stream=True)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #e9990a4da664dabd User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/datalab_marker.py:71 · flow /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/datalab_marker.py:69 → /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/datalab_marker.py:71
            response = requests.get(url, headers=headers)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #2d3d58bbee4530a0 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/datalab_marker.py:112 · flow /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/datalab_marker.py:89 → /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/datalab_marker.py:112
                response = requests.post(
                    f'{self.api_base_url}',
                    data=form_data,
                    files=files,
                    headers=headers,
                )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #33e9e7884e13f046 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/datalab_marker.py:147 · flow /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/datalab_marker.py:89 → /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/datalab_marker.py:147
                    poll_response = requests.get(check_url, headers=headers)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #acedd2eb5e98f385 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/external_document.py:62 · flow /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/external_document.py:45 → /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/external_document.py:62
            response = requests.put(f'{url}/process', data=data, headers=headers)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #753e5bbc8f130b78 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/main.py:197 · flow /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/main.py:195 → /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/main.py:197
            r = requests.post(
                f'{self.url}/v1/convert/file',
                files={
                    'files': (
                        self.file_path,
                        f,
                        self.mime_type or 'application/octet-stream',
                    )
                },
                data={
                    'image_export_mode': 'placeholder',
                    'md_page_break_placeholder': page_break_marker,
                    **self.params,
                },
                headers=headers,
                verify=AIOHTTP_CLIENT_SESSION_SSL,
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #fcd8cc05bd06c9b8 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/microsoft_web_iq.py:70 · flow /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/microsoft_web_iq.py:52 → /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/microsoft_web_iq.py:70
            response = requests.post(
                f'{self.api_base_url}/browse',
                json=payload,
                headers=headers,
                timeout=request_timeout,
                verify=self.verify_ssl,
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #f3d4a22b21b2039c User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/mineru.py:239 · flow /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/mineru.py:216 → /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/mineru.py:239
            response = requests.post(
                f'{self.api_url}/file-urls/batch',
                headers=headers,
                json=request_body,
                timeout=30,
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #56f395db02e65637 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/mineru.py:341 · flow /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/mineru.py:331 → /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/mineru.py:341
                response = requests.get(
                    f'{self.api_url}/extract-results/batch/{batch_id}',
                    headers=headers,
                    timeout=30,
                )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #0e4cec07679880a7 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/paddleocr_vl.py:61 · flow /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/paddleocr_vl.py:45 → /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/paddleocr_vl.py:61
            response = requests.post(f'{self.api_url}/layout-parsing', json=payload, headers=headers)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #7ca6dde28b3cb175 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/tavily.py:67 · flow /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/tavily.py:61 → /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/tavily.py:67
                response = requests.post(self.api_url, headers=headers, json=payload)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #111582739c3727f9 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/models/external.py:49 · flow /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/models/external.py:43 → /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/models/external.py:49
            r = requests.post(
                f'{self.url}',
                headers=headers,
                json=payload,
                timeout=self.timeout,
                verify=REQUESTS_VERIFY,
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium telemetry production #b0d359e2fd950e17 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/auth.py:346
            from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7185967f6d68c285 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/auth.py:391
                    from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ac1e0c222c1a09f4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/auth.py:465
        from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #98596a0e1978c867 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/logger.py:123
        from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c81d1cc5cd49c869 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/constants.py:1
from opentelemetry.semconv._incubating.attributes import (
    db_attributes as _db,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #69fc0d43e8d19a9d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/constants.py:4
from opentelemetry.semconv._incubating.attributes import (
    http_attributes as _http,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #bca595af6da85787 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/instrumentors.py:12
from opentelemetry.instrumentation.aiohttp_client import AioHttpClientInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #655a31d1122a40d9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/instrumentors.py:13
from opentelemetry.instrumentation.fastapi import FastAPIInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #576e40e727ba81d6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/instrumentors.py:14
from opentelemetry.instrumentation.httpx import (
    HTTPXClientInstrumentor,
    RequestInfo,
    ResponseInfo,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9675a3a68ca71716 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/instrumentors.py:19
from opentelemetry.instrumentation.instrumentor import BaseInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6cdd4d706eaebe4e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/instrumentors.py:20
from opentelemetry.instrumentation.logging import LoggingInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #114614a1a18a574d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/instrumentors.py:21
from opentelemetry.instrumentation.redis import RedisInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a41262cf50c17c30 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/instrumentors.py:22
from opentelemetry.instrumentation.requests import RequestsInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9447911c06699dd7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/instrumentors.py:23
from opentelemetry.instrumentation.sqlalchemy import SQLAlchemyInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d09b3776ce124d09 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/instrumentors.py:24
from opentelemetry.instrumentation.system_metrics import SystemMetricsInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a9f7be82d9d66e0c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/instrumentors.py:25
from opentelemetry.trace import Span, StatusCode

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b9f629b0593ab581 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/logs.py:12
from opentelemetry._logs import set_logger_provider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1731c8915514dfc0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/logs.py:13
from opentelemetry.exporter.otlp.proto.grpc._log_exporter import OTLPLogExporter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b4971abf30c7fdda Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/logs.py:14
from opentelemetry.exporter.otlp.proto.http._log_exporter import (
    OTLPLogExporter as HttpOTLPLogExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #65ac96bba2d595b7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/logs.py:17
from opentelemetry.sdk._logs import (
    LoggerProvider,
    LoggingHandler,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #efd1ccc1ed78128e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/logs.py:21
from opentelemetry.sdk._logs.export import BatchLogRecordProcessor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a4d84a9e80482a85 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/logs.py:22
from opentelemetry.sdk.resources import SERVICE_NAME, Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #cb2be3cfb7333947 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/metrics.py:37
from opentelemetry import metrics

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #260c8f89dfe85bf1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/metrics.py:38
from opentelemetry.exporter.otlp.proto.grpc.metric_exporter import (
    OTLPMetricExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e9c804d968abdaec Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/metrics.py:41
from opentelemetry.exporter.otlp.proto.http.metric_exporter import (
    OTLPMetricExporter as OTLPHttpMetricExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #cdfc5cee81d04e32 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/metrics.py:44
from opentelemetry.sdk.metrics import MeterProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8fef32d25da6162e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/metrics.py:45
from opentelemetry.sdk.metrics.export import (
    PeriodicExportingMetricReader,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #240d97ee3785058f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/metrics.py:48
from opentelemetry.sdk.metrics.view import View

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7f096d3969aa4714 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/metrics.py:49
from opentelemetry.sdk.resources import Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7b85ae5efac38004 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/setup.py:16
from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #526c1ef042f79dc4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/setup.py:17
from opentelemetry.exporter.otlp.proto.grpc.trace_exporter import OTLPSpanExporter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7c7cab1295fbd2ca Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/setup.py:18
from opentelemetry.exporter.otlp.proto.http.trace_exporter import (
    OTLPSpanExporter as HttpOTLPSpanExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ec026d8cca3d4629 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/setup.py:21
from opentelemetry.sdk.resources import SERVICE_NAME, Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #efff5f43f51a40c9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/setup.py:22
from opentelemetry.sdk.trace import TracerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #562569bfdf2f875c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/setup.py:23
from opentelemetry.sdk.trace.export import BatchSpanProcessor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 904 low-confidence finding(s)
low env_fs production #e257e020d77028f3 Environment-variable access.
repo/backend/open_webui/__init__.py:37
    os.environ['FROM_INIT_PY'] = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #31d47a94611b23bc Environment-variable access.
repo/backend/open_webui/__init__.py:38
    if os.getenv('WEBUI_SECRET_KEY') is None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #87ffe4dd92f31015 Environment-variable access.
repo/backend/open_webui/__init__.py:41
            key_length = int(os.getenv('WEBUI_SECRET_KEY_LENGTH', DEFAULT_SECRET_KEY_LENGTH))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8aa99cec4c5b3efa Environment-variable access.
repo/backend/open_webui/__init__.py:47
        os.environ['WEBUI_SECRET_KEY'] = KEY_FILE.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bba8f9a04e1a8b1e Filesystem access.
repo/backend/open_webui/__init__.py:47
        os.environ['WEBUI_SECRET_KEY'] = KEY_FILE.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e688dbec427d6c70 Environment-variable access.
repo/backend/open_webui/__init__.py:49
    if os.getenv('USE_CUDA_DOCKER', 'false') == 'true':

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #86a3814d7b6203b8 Environment-variable access.
repo/backend/open_webui/__init__.py:51
        LD_LIBRARY_PATH = os.getenv('LD_LIBRARY_PATH', '').split(':')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a0e1972363e54ee0 Environment-variable access.
repo/backend/open_webui/__init__.py:52
        os.environ['LD_LIBRARY_PATH'] = ':'.join(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8915f3409dd5be66 Environment-variable access.
repo/backend/open_webui/__init__.py:70
            os.environ['USE_CUDA_DOCKER'] = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd1f2a4a0cb9a477 Environment-variable access.
repo/backend/open_webui/__init__.py:71
            os.environ['LD_LIBRARY_PATH'] = ':'.join(LD_LIBRARY_PATH)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0e14d1a63a3051f9 Filesystem access.
repo/backend/open_webui/config.py:86
    with open(f'{DATA_DIR}/config.json', 'r') as _f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #70ac59531e315538 Environment-variable access.
repo/backend/open_webui/config.py:95
STATIC_DIR = Path(os.getenv('STATIC_DIR', OPEN_WEBUI_DIR / 'static')).resolve()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7c7fd1c9805bd725 Environment-variable access.
repo/backend/open_webui/config.py:144
STORAGE_PROVIDER = os.getenv('STORAGE_PROVIDER', 'local')  # defaults to local, s3

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #79db820c84edc11d Environment-variable access.
repo/backend/open_webui/config.py:145
STORAGE_LOCAL_CACHE = os.getenv('STORAGE_LOCAL_CACHE', 'true').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8873d7c2590fd93f Environment-variable access.
repo/backend/open_webui/config.py:147
S3_ACCESS_KEY_ID = os.getenv('S3_ACCESS_KEY_ID', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4c753d081e3112f2 Environment-variable access.
repo/backend/open_webui/config.py:148
S3_SECRET_ACCESS_KEY = os.getenv('S3_SECRET_ACCESS_KEY', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #11ff532bfbc53b00 Environment-variable access.
repo/backend/open_webui/config.py:149
S3_REGION_NAME = os.getenv('S3_REGION_NAME', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f5c1716c64cf47d3 Environment-variable access.
repo/backend/open_webui/config.py:150
S3_BUCKET_NAME = os.getenv('S3_BUCKET_NAME', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2e0cf6c831224ea6 Environment-variable access.
repo/backend/open_webui/config.py:151
S3_KEY_PREFIX = os.getenv('S3_KEY_PREFIX', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0ee078012e938783 Environment-variable access.
repo/backend/open_webui/config.py:152
S3_ENDPOINT_URL = os.getenv('S3_ENDPOINT_URL', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ded537e75b56bbd Environment-variable access.
repo/backend/open_webui/config.py:153
S3_USE_ACCELERATE_ENDPOINT = os.getenv('S3_USE_ACCELERATE_ENDPOINT', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e2823cd70a884ead Environment-variable access.
repo/backend/open_webui/config.py:154
S3_ADDRESSING_STYLE = os.getenv('S3_ADDRESSING_STYLE', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #179c1645912bbb25 Environment-variable access.
repo/backend/open_webui/config.py:155
S3_ENABLE_TAGGING = os.getenv('S3_ENABLE_TAGGING', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9036d0bb5154c0c9 Environment-variable access.
repo/backend/open_webui/config.py:157
GCS_BUCKET_NAME = os.getenv('GCS_BUCKET_NAME', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a9bcaf9336acb81 Environment-variable access.
repo/backend/open_webui/config.py:158
GOOGLE_APPLICATION_CREDENTIALS_JSON = os.getenv('GOOGLE_APPLICATION_CREDENTIALS_JSON', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a2c18104be15fa52 Environment-variable access.
repo/backend/open_webui/config.py:160
AZURE_STORAGE_ENDPOINT = os.getenv('AZURE_STORAGE_ENDPOINT', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2341c09bba04f043 Environment-variable access.
repo/backend/open_webui/config.py:161
AZURE_STORAGE_CONTAINER_NAME = os.getenv('AZURE_STORAGE_CONTAINER_NAME', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #62dab74f01411995 Environment-variable access.
repo/backend/open_webui/config.py:162
AZURE_STORAGE_KEY = os.getenv('AZURE_STORAGE_KEY', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #88f9bac2e538ac6f Environment-variable access.
repo/backend/open_webui/config.py:184
CUSTOM_NAME = os.getenv('CUSTOM_NAME', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ac3fe6f883a58bac Filesystem access.
repo/backend/open_webui/config.py:198
                    with open(f'{STATIC_DIR}/favicon.png', 'wb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #570d044aa043d7ab Filesystem access.
repo/backend/open_webui/config.py:207
                    with open(f'{STATIC_DIR}/splash.png', 'wb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #582ee82eed523520 Environment-variable access.
repo/backend/open_webui/config.py:221
ENABLE_DIRECT_CONNECTIONS = os.getenv('ENABLE_DIRECT_CONNECTIONS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #752d51f4f0e2c8e0 Environment-variable access.
repo/backend/open_webui/config.py:227
ENABLE_OLLAMA_API = os.getenv('ENABLE_OLLAMA_API', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2bc57d4ae8f8edae Environment-variable access.
repo/backend/open_webui/config.py:229
OLLAMA_API_BASE_URL = os.getenv('OLLAMA_API_BASE_URL', 'http://localhost:11434/api')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7cd7faa83b1c3b82 Environment-variable access.
repo/backend/open_webui/config.py:231
OLLAMA_BASE_URL = os.getenv('OLLAMA_BASE_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #65c4617be7c5bdbd Environment-variable access.
repo/backend/open_webui/config.py:237
K8S_FLAG = os.getenv('K8S_FLAG', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e0922d6528b7c732 Environment-variable access.
repo/backend/open_webui/config.py:238
USE_OLLAMA_DOCKER = os.getenv('USE_OLLAMA_DOCKER', 'false')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d0bdfc66dc9616e4 Environment-variable access.
repo/backend/open_webui/config.py:282
if os.getenv('OLLAMA_BASE_URL', '') in ('', '/ollama') and not os.getenv('OLLAMA_BASE_URLS', ''):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #624bba92604742c9 Environment-variable access.
repo/backend/open_webui/config.py:286
OLLAMA_BASE_URLS = os.getenv('OLLAMA_BASE_URLS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #85a1c2ca2dc104b0 Environment-variable access.
repo/backend/open_webui/config.py:293
_ollama_api_configs = os.getenv('OLLAMA_API_CONFIGS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #86b831016bc059c7 Environment-variable access.
repo/backend/open_webui/config.py:309
ENABLE_OPENAI_API = os.getenv('ENABLE_OPENAI_API', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46529e32ccd33871 Environment-variable access.
repo/backend/open_webui/config.py:312
OPENAI_API_KEY = os.getenv('OPENAI_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8deab5aefaa66adb Environment-variable access.
repo/backend/open_webui/config.py:313
OPENAI_API_BASE_URL = os.getenv('OPENAI_API_BASE_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #18e88cfc078bd7bc Environment-variable access.
repo/backend/open_webui/config.py:315
GEMINI_API_KEY = os.getenv('GEMINI_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9f95d02b7a4b3267 Environment-variable access.
repo/backend/open_webui/config.py:316
GEMINI_API_BASE_URL = os.getenv('GEMINI_API_BASE_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #34d459c2ae55534f Environment-variable access.
repo/backend/open_webui/config.py:325
OPENAI_API_KEYS = os.getenv('OPENAI_API_KEYS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3b5abf0f847258f0 Environment-variable access.
repo/backend/open_webui/config.py:331
OPENAI_API_BASE_URLS = os.getenv('OPENAI_API_BASE_URLS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #755114463a249694 Environment-variable access.
repo/backend/open_webui/config.py:340
_openai_api_configs = os.getenv('OPENAI_API_CONFIGS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #886fd59638a86acf Environment-variable access.
repo/backend/open_webui/config.py:364
ENABLE_BASE_MODELS_CACHE = os.getenv('ENABLE_BASE_MODELS_CACHE', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1041fb9422f9350b Environment-variable access.
repo/backend/open_webui/config.py:372
    tool_server_connections = json.loads(os.getenv('TOOL_SERVER_CONNECTIONS', '[]'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be6c43103110a1be Environment-variable access.
repo/backend/open_webui/config.py:380
OAUTH_CLIENT_TIMEOUT = os.getenv('OAUTH_CLIENT_TIMEOUT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #80ecf8a98008770b Environment-variable access.
repo/backend/open_webui/config.py:386
terminal_server_connections = json.loads(os.getenv('TERMINAL_SERVER_CONNECTIONS', '[]'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #27367158d9ae02d8 Environment-variable access.
repo/backend/open_webui/config.py:391
    TERMINAL_PROXY_HEADERS = json.loads(os.getenv('TERMINAL_PROXY_HEADERS', '{}'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6b7f2639ca087ebd Environment-variable access.
repo/backend/open_webui/config.py:399
ENABLE_CODE_EXECUTION = os.getenv('ENABLE_CODE_EXECUTION', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1728de5320708121 Environment-variable access.
repo/backend/open_webui/config.py:401
CODE_EXECUTION_ENGINE = os.getenv('CODE_EXECUTION_ENGINE', 'pyodide')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a1007d54b8b05cf9 Environment-variable access.
repo/backend/open_webui/config.py:403
CODE_EXECUTION_JUPYTER_URL = os.getenv('CODE_EXECUTION_JUPYTER_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5180cd4494c47129 Environment-variable access.
repo/backend/open_webui/config.py:405
CODE_EXECUTION_JUPYTER_AUTH = os.getenv('CODE_EXECUTION_JUPYTER_AUTH', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9c90e668266b7b69 Environment-variable access.
repo/backend/open_webui/config.py:407
CODE_EXECUTION_JUPYTER_AUTH_TOKEN = os.getenv('CODE_EXECUTION_JUPYTER_AUTH_TOKEN', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e4414d5094bccd26 Environment-variable access.
repo/backend/open_webui/config.py:410
CODE_EXECUTION_JUPYTER_AUTH_PASSWORD = os.getenv('CODE_EXECUTION_JUPYTER_AUTH_PASSWORD', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae6731b84c18a68b Environment-variable access.
repo/backend/open_webui/config.py:412
CODE_EXECUTION_JUPYTER_TIMEOUT = int(os.getenv('CODE_EXECUTION_JUPYTER_TIMEOUT', '60'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #655ed2b1e6f33c17 Environment-variable access.
repo/backend/open_webui/config.py:414
ENABLE_CODE_INTERPRETER = os.getenv('ENABLE_CODE_INTERPRETER', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #388859d3db3e25c8 Environment-variable access.
repo/backend/open_webui/config.py:416
ENABLE_MEMORIES = os.getenv('ENABLE_MEMORIES', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0878c77c29a02647 Environment-variable access.
repo/backend/open_webui/config.py:417
ENABLE_MEMORY_SYSTEM_CONTEXT = os.getenv('ENABLE_MEMORY_SYSTEM_CONTEXT', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7367148cad587faa Environment-variable access.
repo/backend/open_webui/config.py:418
ENABLE_MEMORY_BACKGROUND_REVIEW = os.getenv('ENABLE_MEMORY_BACKGROUND_REVIEW', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b344952832aee3a3 Environment-variable access.
repo/backend/open_webui/config.py:419
MEMORIES_REVIEW_INTERVAL_TURNS = int(os.getenv('MEMORIES_REVIEW_INTERVAL_TURNS', '10'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1925c9ea93a2788c Environment-variable access.
repo/backend/open_webui/config.py:420
MEMORIES_USER_CHAR_LIMIT = int(os.getenv('MEMORIES_USER_CHAR_LIMIT', '2000'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #05ee3232c05cd848 Environment-variable access.
repo/backend/open_webui/config.py:421
MEMORIES_CONTEXT_CHAR_LIMIT = int(os.getenv('MEMORIES_CONTEXT_CHAR_LIMIT', '2000'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0bf6738c79dbd29e Environment-variable access.
repo/backend/open_webui/config.py:423
CODE_INTERPRETER_ENGINE = os.getenv('CODE_INTERPRETER_ENGINE', 'pyodide')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #50e2921e13614428 Environment-variable access.
repo/backend/open_webui/config.py:425
CODE_INTERPRETER_PROMPT_TEMPLATE = os.getenv('CODE_INTERPRETER_PROMPT_TEMPLATE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9c785255ca7d6603 Environment-variable access.
repo/backend/open_webui/config.py:427
CODE_INTERPRETER_JUPYTER_URL = os.getenv('CODE_INTERPRETER_JUPYTER_URL', os.getenv('CODE_EXECUTION_JUPYTER_URL', ''))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9adada2b627a7cf8 Environment-variable access.
repo/backend/open_webui/config.py:429
CODE_INTERPRETER_JUPYTER_AUTH = os.getenv(
    'CODE_INTERPRETER_JUPYTER_AUTH',
    os.getenv('CODE_EXECUTION_JUPYTER_AUTH', ''),
)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #34588a3ae561d1ce Environment-variable access.
repo/backend/open_webui/config.py:431
    os.getenv('CODE_EXECUTION_JUPYTER_AUTH', ''),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #213dd6014c68381d Environment-variable access.
repo/backend/open_webui/config.py:434
CODE_INTERPRETER_JUPYTER_AUTH_TOKEN = os.getenv(
    'CODE_INTERPRETER_JUPYTER_AUTH_TOKEN',
    os.getenv('CODE_EXECUTION_JUPYTER_AUTH_TOKEN', ''),
)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7747d6a215e5c3f2 Environment-variable access.
repo/backend/open_webui/config.py:436
    os.getenv('CODE_EXECUTION_JUPYTER_AUTH_TOKEN', ''),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bbda875492a66920 Environment-variable access.
repo/backend/open_webui/config.py:440
CODE_INTERPRETER_JUPYTER_AUTH_PASSWORD = os.getenv(
    'CODE_INTERPRETER_JUPYTER_AUTH_PASSWORD',
    os.getenv('CODE_EXECUTION_JUPYTER_AUTH_PASSWORD', ''),
)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #367ca88e1adcd176 Environment-variable access.
repo/backend/open_webui/config.py:442
    os.getenv('CODE_EXECUTION_JUPYTER_AUTH_PASSWORD', ''),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a5f27c9f373dc3c Environment-variable access.
repo/backend/open_webui/config.py:446
    os.getenv(
        'CODE_INTERPRETER_JUPYTER_TIMEOUT',
        os.getenv('CODE_EXECUTION_JUPYTER_TIMEOUT', '60'),
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5c3249811c3124dc Environment-variable access.
repo/backend/open_webui/config.py:448
        os.getenv('CODE_EXECUTION_JUPYTER_TIMEOUT', '60'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fb03e867f412b857 Environment-variable access.
repo/backend/open_webui/config.py:453
    library.strip() for library in os.getenv('CODE_INTERPRETER_BLOCKED_MODULES', '').split(',') if library.strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c18e3febe007d51c Environment-variable access.
repo/backend/open_webui/config.py:493
VECTOR_DB = os.getenv('VECTOR_DB', 'chroma')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fb6c8e7b2d238501 Environment-variable access.
repo/backend/open_webui/config.py:501
    CHROMA_TENANT = os.getenv('CHROMA_TENANT', chromadb.DEFAULT_TENANT)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #70f0211bccbe954c Environment-variable access.
repo/backend/open_webui/config.py:502
    CHROMA_DATABASE = os.getenv('CHROMA_DATABASE', chromadb.DEFAULT_DATABASE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7bc01ee126a248ad Environment-variable access.
repo/backend/open_webui/config.py:503
    CHROMA_HTTP_HOST = os.getenv('CHROMA_HTTP_HOST', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4b2aa3e6d71de6f6 Environment-variable access.
repo/backend/open_webui/config.py:504
    CHROMA_HTTP_PORT = int(os.getenv('CHROMA_HTTP_PORT', '8000'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae8c600e2aa228e9 Environment-variable access.
repo/backend/open_webui/config.py:505
    CHROMA_CLIENT_AUTH_PROVIDER = os.getenv('CHROMA_CLIENT_AUTH_PROVIDER', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c7c4843936f0ee15 Environment-variable access.
repo/backend/open_webui/config.py:506
    CHROMA_CLIENT_AUTH_CREDENTIALS = os.getenv('CHROMA_CLIENT_AUTH_CREDENTIALS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #203995d1dca1cf9f Environment-variable access.
repo/backend/open_webui/config.py:508
    CHROMA_HTTP_HEADERS = os.getenv('CHROMA_HTTP_HEADERS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #268dfbd7ecd7714a Environment-variable access.
repo/backend/open_webui/config.py:513
    CHROMA_HTTP_SSL = os.getenv('CHROMA_HTTP_SSL', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #85729ff1911b9a32 Environment-variable access.
repo/backend/open_webui/config.py:518
MARIADB_VECTOR_DB_URL = os.getenv('MARIADB_VECTOR_DB_URL', '').strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8c087e1f9c1b791c Environment-variable access.
repo/backend/open_webui/config.py:521
    os.getenv('MARIADB_VECTOR_INITIALIZE_MAX_VECTOR_LENGTH', '1536').strip() or '1536'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b5e5f14a23c42b02 Environment-variable access.
repo/backend/open_webui/config.py:527
MARIADB_VECTOR_DISTANCE_STRATEGY = os.getenv('MARIADB_VECTOR_DISTANCE_STRATEGY', 'cosine').strip().lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #789ba4c6d9152652 Environment-variable access.
repo/backend/open_webui/config.py:530
MARIADB_VECTOR_INDEX_M = int(os.getenv('MARIADB_VECTOR_INDEX_M', '8').strip() or '8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #847c4f1e42d0e9cb Environment-variable access.
repo/backend/open_webui/config.py:533
MARIADB_VECTOR_POOL_SIZE = os.getenv('MARIADB_VECTOR_POOL_SIZE', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #19920aea984436ee Environment-variable access.
repo/backend/open_webui/config.py:541
MARIADB_VECTOR_POOL_MAX_OVERFLOW = os.getenv('MARIADB_VECTOR_POOL_MAX_OVERFLOW', 0)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6273b53feac5ae64 Environment-variable access.
repo/backend/open_webui/config.py:551
MARIADB_VECTOR_POOL_TIMEOUT = os.getenv('MARIADB_VECTOR_POOL_TIMEOUT', 30)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a9688d9dc45f2436 Environment-variable access.
repo/backend/open_webui/config.py:561
MARIADB_VECTOR_POOL_RECYCLE = os.getenv('MARIADB_VECTOR_POOL_RECYCLE', 3600)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0ef6adf0f2919a30 Environment-variable access.
repo/backend/open_webui/config.py:587
MILVUS_URI = os.getenv('MILVUS_URI', f'{DATA_DIR}/vector_db/milvus.db')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ed8bd3d7f6baa06f Environment-variable access.
repo/backend/open_webui/config.py:588
MILVUS_DB = os.getenv('MILVUS_DB', 'default')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c7b53e4c30773425 Environment-variable access.
repo/backend/open_webui/config.py:589
MILVUS_TOKEN = os.getenv('MILVUS_TOKEN', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #88b09612f5c7c94f Environment-variable access.
repo/backend/open_webui/config.py:590
MILVUS_INDEX_TYPE = os.getenv('MILVUS_INDEX_TYPE', 'HNSW')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d05cde9bcb18a2df Environment-variable access.
repo/backend/open_webui/config.py:591
MILVUS_METRIC_TYPE = os.getenv('MILVUS_METRIC_TYPE', 'COSINE')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9c841c8273c425c6 Environment-variable access.
repo/backend/open_webui/config.py:592
MILVUS_HNSW_M = int(os.getenv('MILVUS_HNSW_M', '16'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a7fe9c9f15af6cc0 Environment-variable access.
repo/backend/open_webui/config.py:593
MILVUS_HNSW_EFCONSTRUCTION = int(os.getenv('MILVUS_HNSW_EFCONSTRUCTION', '100'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d62f8ed334620614 Environment-variable access.
repo/backend/open_webui/config.py:594
MILVUS_IVF_FLAT_NLIST = int(os.getenv('MILVUS_IVF_FLAT_NLIST', '128'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8843eddd04d657cb Environment-variable access.
repo/backend/open_webui/config.py:595
MILVUS_DISKANN_MAX_DEGREE = int(os.getenv('MILVUS_DISKANN_MAX_DEGREE', '56'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6a790f201e3d92f8 Environment-variable access.
repo/backend/open_webui/config.py:596
MILVUS_DISKANN_SEARCH_LIST_SIZE = int(os.getenv('MILVUS_DISKANN_SEARCH_LIST_SIZE', '100'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6a0d9334a9c26dc7 Environment-variable access.
repo/backend/open_webui/config.py:597
ENABLE_MILVUS_MULTITENANCY_MODE = os.getenv('ENABLE_MILVUS_MULTITENANCY_MODE', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #51703947164ba7c7 Environment-variable access.
repo/backend/open_webui/config.py:599
MILVUS_COLLECTION_PREFIX = os.getenv('MILVUS_COLLECTION_PREFIX', 'open_webui')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #476f5b7fda9b6622 Environment-variable access.
repo/backend/open_webui/config.py:602
QDRANT_URI = os.getenv('QDRANT_URI', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ba97bd77f47483d8 Environment-variable access.
repo/backend/open_webui/config.py:603
QDRANT_API_KEY = os.getenv('QDRANT_API_KEY', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #905cdfc0406913a8 Environment-variable access.
repo/backend/open_webui/config.py:604
QDRANT_ON_DISK = os.getenv('QDRANT_ON_DISK', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #777c6600c518b076 Environment-variable access.
repo/backend/open_webui/config.py:605
QDRANT_PREFER_GRPC = os.getenv('QDRANT_PREFER_GRPC', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4345bdb3596eb033 Environment-variable access.
repo/backend/open_webui/config.py:606
QDRANT_GRPC_PORT = int(os.getenv('QDRANT_GRPC_PORT', '6334'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #93b35f921442c501 Environment-variable access.
repo/backend/open_webui/config.py:607
QDRANT_TIMEOUT = int(os.getenv('QDRANT_TIMEOUT', '5'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df54734021aea60e Environment-variable access.
repo/backend/open_webui/config.py:608
QDRANT_HNSW_M = int(os.getenv('QDRANT_HNSW_M', '16'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #972b1a62d6654a47 Environment-variable access.
repo/backend/open_webui/config.py:609
ENABLE_QDRANT_MULTITENANCY_MODE = os.getenv('ENABLE_QDRANT_MULTITENANCY_MODE', 'true').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c7868c26067e0446 Environment-variable access.
repo/backend/open_webui/config.py:610
QDRANT_COLLECTION_PREFIX = os.getenv('QDRANT_COLLECTION_PREFIX', 'open-webui')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #caf2159c6aa9a905 Environment-variable access.
repo/backend/open_webui/config.py:612
WEAVIATE_HTTP_HOST = os.getenv('WEAVIATE_HTTP_HOST', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b3e4559714fb1710 Environment-variable access.
repo/backend/open_webui/config.py:613
WEAVIATE_GRPC_HOST = os.getenv('WEAVIATE_GRPC_HOST', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e940827cd79ffaa3 Environment-variable access.
repo/backend/open_webui/config.py:614
WEAVIATE_HTTP_PORT = int(os.getenv('WEAVIATE_HTTP_PORT', '8080'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #650be4d2a2bc2b2d Environment-variable access.
repo/backend/open_webui/config.py:615
WEAVIATE_GRPC_PORT = int(os.getenv('WEAVIATE_GRPC_PORT', '50051'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4cc9aa85a99f3c6d Environment-variable access.
repo/backend/open_webui/config.py:616
WEAVIATE_API_KEY = os.getenv('WEAVIATE_API_KEY')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40399942cb8f9c94 Environment-variable access.
repo/backend/open_webui/config.py:617
WEAVIATE_HTTP_SECURE = os.getenv('WEAVIATE_HTTP_SECURE', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4be5873f3cc43289 Environment-variable access.
repo/backend/open_webui/config.py:618
WEAVIATE_GRPC_SECURE = os.getenv('WEAVIATE_GRPC_SECURE', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #daf4349aec15408b Environment-variable access.
repo/backend/open_webui/config.py:619
WEAVIATE_SKIP_INIT_CHECKS = os.getenv('WEAVIATE_SKIP_INIT_CHECKS', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #155d9ff37e7f13ec Environment-variable access.
repo/backend/open_webui/config.py:622
OPENSEARCH_URI = os.getenv('OPENSEARCH_URI', 'https://localhost:9200')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d34185a3853987e5 Environment-variable access.
repo/backend/open_webui/config.py:623
OPENSEARCH_SSL = os.getenv('OPENSEARCH_SSL', 'true').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c9986bc0228ebedf Environment-variable access.
repo/backend/open_webui/config.py:624
OPENSEARCH_CERT_VERIFY = os.getenv('OPENSEARCH_CERT_VERIFY', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0ca79cdcaf2896fb Environment-variable access.
repo/backend/open_webui/config.py:625
OPENSEARCH_USERNAME = os.getenv('OPENSEARCH_USERNAME', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f7cbcc10c87007d5 Environment-variable access.
repo/backend/open_webui/config.py:626
OPENSEARCH_PASSWORD = os.getenv('OPENSEARCH_PASSWORD', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2aa5d46cf0219011 Environment-variable access.
repo/backend/open_webui/config.py:629
ELASTICSEARCH_URL = os.getenv('ELASTICSEARCH_URL', 'https://localhost:9200')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #63688483fa3caab6 Environment-variable access.
repo/backend/open_webui/config.py:630
ELASTICSEARCH_CA_CERTS = os.getenv('ELASTICSEARCH_CA_CERTS', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3bfbb86505bb1165 Environment-variable access.
repo/backend/open_webui/config.py:631
ELASTICSEARCH_API_KEY = os.getenv('ELASTICSEARCH_API_KEY', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #73af8db101ba30bb Environment-variable access.
repo/backend/open_webui/config.py:632
ELASTICSEARCH_USERNAME = os.getenv('ELASTICSEARCH_USERNAME', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #423898136c31f5ea Environment-variable access.
repo/backend/open_webui/config.py:633
ELASTICSEARCH_PASSWORD = os.getenv('ELASTICSEARCH_PASSWORD', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3e2a84622ecd9d08 Environment-variable access.
repo/backend/open_webui/config.py:634
ELASTICSEARCH_CLOUD_ID = os.getenv('ELASTICSEARCH_CLOUD_ID', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #053d79e2af1ebbd7 Environment-variable access.
repo/backend/open_webui/config.py:635
SSL_ASSERT_FINGERPRINT = os.getenv('SSL_ASSERT_FINGERPRINT', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #36e5bdf5c9a37ee6 Environment-variable access.
repo/backend/open_webui/config.py:636
ELASTICSEARCH_INDEX_PREFIX = os.getenv('ELASTICSEARCH_INDEX_PREFIX', 'open_webui_collections')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3139af5be03b4a0f Environment-variable access.
repo/backend/open_webui/config.py:638
PGVECTOR_DB_URL = os.getenv('PGVECTOR_DB_URL', DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3c419fb05d04fbae Environment-variable access.
repo/backend/open_webui/config.py:643
PGVECTOR_INITIALIZE_MAX_VECTOR_LENGTH = int(os.getenv('PGVECTOR_INITIALIZE_MAX_VECTOR_LENGTH', '1536'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4c8fd91f633debca Environment-variable access.
repo/backend/open_webui/config.py:645
PGVECTOR_USE_HALFVEC = os.getenv('PGVECTOR_USE_HALFVEC', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #52fe810b67b61bdd Environment-variable access.
repo/backend/open_webui/config.py:655
PGVECTOR_CREATE_EXTENSION = os.getenv('PGVECTOR_CREATE_EXTENSION', 'true').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #095b16cfe4474b45 Environment-variable access.
repo/backend/open_webui/config.py:656
PGVECTOR_PGCRYPTO = os.getenv('PGVECTOR_PGCRYPTO', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #87e6c01198adfbbe Environment-variable access.
repo/backend/open_webui/config.py:657
PGVECTOR_PGCRYPTO_KEY = os.getenv('PGVECTOR_PGCRYPTO_KEY', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f52753caa7fa7267 Environment-variable access.
repo/backend/open_webui/config.py:662
PGVECTOR_POOL_SIZE = os.getenv('PGVECTOR_POOL_SIZE', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd7c6c153ece14c6 Environment-variable access.
repo/backend/open_webui/config.py:670
PGVECTOR_POOL_MAX_OVERFLOW = os.getenv('PGVECTOR_POOL_MAX_OVERFLOW', 0)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #849ea58000bf21df Environment-variable access.
repo/backend/open_webui/config.py:680
PGVECTOR_POOL_TIMEOUT = os.getenv('PGVECTOR_POOL_TIMEOUT', 30)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ed96252867228a00 Environment-variable access.
repo/backend/open_webui/config.py:690
PGVECTOR_POOL_RECYCLE = os.getenv('PGVECTOR_POOL_RECYCLE', 3600)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b2de800381eec4c9 Environment-variable access.
repo/backend/open_webui/config.py:700
PGVECTOR_INDEX_METHOD = os.getenv('PGVECTOR_INDEX_METHOD', '').strip().lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #53ff7d4bb053b8aa Environment-variable access.
repo/backend/open_webui/config.py:704
PGVECTOR_HNSW_M = os.getenv('PGVECTOR_HNSW_M', 16)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #53df556e7a961bc4 Environment-variable access.
repo/backend/open_webui/config.py:714
PGVECTOR_HNSW_EF_CONSTRUCTION = os.getenv('PGVECTOR_HNSW_EF_CONSTRUCTION', 64)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2f9cb581696435d6 Environment-variable access.
repo/backend/open_webui/config.py:724
PGVECTOR_IVFFLAT_LISTS = os.getenv('PGVECTOR_IVFFLAT_LISTS', 100)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0e19dec8791ce3e3 Environment-variable access.
repo/backend/open_webui/config.py:735
OPENGAUSS_DB_URL = os.getenv('OPENGAUSS_DB_URL', DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c44e283e9b2326bc Environment-variable access.
repo/backend/open_webui/config.py:737
OPENGAUSS_INITIALIZE_MAX_VECTOR_LENGTH = int(os.getenv('OPENGAUSS_INITIALIZE_MAX_VECTOR_LENGTH', '1536'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #518b3c3d83459912 Environment-variable access.
repo/backend/open_webui/config.py:739
OPENGAUSS_POOL_SIZE = os.getenv('OPENGAUSS_POOL_SIZE', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7bed1e89adac2577 Environment-variable access.
repo/backend/open_webui/config.py:747
OPENGAUSS_POOL_MAX_OVERFLOW = os.getenv('OPENGAUSS_POOL_MAX_OVERFLOW', 0)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #89af30c0fe28768a Environment-variable access.
repo/backend/open_webui/config.py:757
OPENGAUSS_POOL_TIMEOUT = os.getenv('OPENGAUSS_POOL_TIMEOUT', 30)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c1ead6580c045556 Environment-variable access.
repo/backend/open_webui/config.py:767
OPENGAUSS_POOL_RECYCLE = os.getenv('OPENGAUSS_POOL_RECYCLE', 3600)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4bcb9579579a42de Environment-variable access.
repo/backend/open_webui/config.py:778
PINECONE_API_KEY = os.getenv('PINECONE_API_KEY', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3837ac5be116a50e Environment-variable access.
repo/backend/open_webui/config.py:779
PINECONE_ENVIRONMENT = os.getenv('PINECONE_ENVIRONMENT', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9f699027da9032eb Environment-variable access.
repo/backend/open_webui/config.py:780
PINECONE_INDEX_NAME = os.getenv('PINECONE_INDEX_NAME', 'open-webui-index')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #197000cf7c454dfe Environment-variable access.
repo/backend/open_webui/config.py:781
PINECONE_DIMENSION = int(os.getenv('PINECONE_DIMENSION', 1536))  # or 3072, 1024, 768

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #54616034cd11446c Environment-variable access.
repo/backend/open_webui/config.py:782
PINECONE_METRIC = os.getenv('PINECONE_METRIC', 'cosine')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eea37089953696f2 Environment-variable access.
repo/backend/open_webui/config.py:783
PINECONE_CLOUD = os.getenv('PINECONE_CLOUD', 'aws')  # or "gcp" or "azure"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2315f1da06cc9618 Environment-variable access.
repo/backend/open_webui/config.py:787
ORACLE_DB_USE_WALLET = os.getenv('ORACLE_DB_USE_WALLET', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6910436f1e77ab15 Environment-variable access.
repo/backend/open_webui/config.py:788
ORACLE_DB_USER = os.getenv('ORACLE_DB_USER', None)  #

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6440a21791168518 Environment-variable access.
repo/backend/open_webui/config.py:789
ORACLE_DB_PASSWORD = os.getenv('ORACLE_DB_PASSWORD', None)  #

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #745f4f7ee9bf3780 Environment-variable access.
repo/backend/open_webui/config.py:790
ORACLE_DB_DSN = os.getenv('ORACLE_DB_DSN', None)  #

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c3a9675880cfffb5 Environment-variable access.
repo/backend/open_webui/config.py:791
ORACLE_WALLET_DIR = os.getenv('ORACLE_WALLET_DIR', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c4bc98c1e29986bd Environment-variable access.
repo/backend/open_webui/config.py:792
ORACLE_WALLET_PASSWORD = os.getenv('ORACLE_WALLET_PASSWORD', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c7c8729fa8a14a0e Environment-variable access.
repo/backend/open_webui/config.py:793
ORACLE_VECTOR_LENGTH = os.getenv('ORACLE_VECTOR_LENGTH', 768)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0685268d1801bbd9 Environment-variable access.
repo/backend/open_webui/config.py:795
ORACLE_DB_POOL_MIN = int(os.getenv('ORACLE_DB_POOL_MIN', 2))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2225151da1bd1b0c Environment-variable access.
repo/backend/open_webui/config.py:796
ORACLE_DB_POOL_MAX = int(os.getenv('ORACLE_DB_POOL_MAX', 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a0383e9d641848a7 Environment-variable access.
repo/backend/open_webui/config.py:797
ORACLE_DB_POOL_INCREMENT = int(os.getenv('ORACLE_DB_POOL_INCREMENT', 1))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #571470f8d3b5c70d Environment-variable access.
repo/backend/open_webui/config.py:811
S3_VECTOR_BUCKET_NAME = os.getenv('S3_VECTOR_BUCKET_NAME', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8537769f3382e64b Environment-variable access.
repo/backend/open_webui/config.py:812
S3_VECTOR_REGION = os.getenv('S3_VECTOR_REGION', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0faba56998e50c06 Environment-variable access.
repo/backend/open_webui/config.py:815
VALKEY_URL = os.getenv('VALKEY_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e56eb3d16e871f16 Environment-variable access.
repo/backend/open_webui/config.py:816
VALKEY_COLLECTION_PREFIX = os.getenv('VALKEY_COLLECTION_PREFIX', 'open_webui')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e48b64dd668aaaa2 Environment-variable access.
repo/backend/open_webui/config.py:817
VALKEY_INDEX_TYPE = os.getenv('VALKEY_INDEX_TYPE', 'HNSW').upper()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dc4915dc0e962378 Environment-variable access.
repo/backend/open_webui/config.py:818
VALKEY_DISTANCE_METRIC = os.getenv('VALKEY_DISTANCE_METRIC', 'COSINE').upper()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d72fe934c4abadc1 Environment-variable access.
repo/backend/open_webui/config.py:819
VALKEY_HNSW_M = int(os.getenv('VALKEY_HNSW_M', '16'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #77631f4b5cfce93e Environment-variable access.
repo/backend/open_webui/config.py:820
VALKEY_HNSW_EF_CONSTRUCTION = int(os.getenv('VALKEY_HNSW_EF_CONSTRUCTION', '200'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4e2de86d3391c431 Environment-variable access.
repo/backend/open_webui/config.py:821
VALKEY_HNSW_EF_RUNTIME = int(os.getenv('VALKEY_HNSW_EF_RUNTIME', '10'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #63a6d5d72771ca11 Environment-variable access.
repo/backend/open_webui/config.py:829
ENABLE_GOOGLE_DRIVE_INTEGRATION = os.getenv('ENABLE_GOOGLE_DRIVE_INTEGRATION', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #38ac4734c1e2bffe Environment-variable access.
repo/backend/open_webui/config.py:831
GOOGLE_DRIVE_CLIENT_ID = os.getenv('GOOGLE_DRIVE_CLIENT_ID', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #441a7252821d2e51 Environment-variable access.
repo/backend/open_webui/config.py:833
GOOGLE_DRIVE_API_KEY = os.getenv('GOOGLE_DRIVE_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0a24faa47f4313b4 Environment-variable access.
repo/backend/open_webui/config.py:835
ENABLE_ONEDRIVE_INTEGRATION = os.getenv('ENABLE_ONEDRIVE_INTEGRATION', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6d14a8c91ed74a79 Environment-variable access.
repo/backend/open_webui/config.py:838
ONEDRIVE_CLIENT_ID = os.getenv('ONEDRIVE_CLIENT_ID', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fcc8706ec401b7ab Environment-variable access.
repo/backend/open_webui/config.py:839
ONEDRIVE_CLIENT_ID_PERSONAL = os.getenv('ONEDRIVE_CLIENT_ID_PERSONAL', ONEDRIVE_CLIENT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f889fe566fda0e86 Environment-variable access.
repo/backend/open_webui/config.py:840
ONEDRIVE_CLIENT_ID_BUSINESS = os.getenv('ONEDRIVE_CLIENT_ID_BUSINESS', ONEDRIVE_CLIENT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f6ea84550af272d8 Environment-variable access.
repo/backend/open_webui/config.py:842
ENABLE_ONEDRIVE_PERSONAL = os.getenv('ENABLE_ONEDRIVE_PERSONAL', 'True').lower() == 'true' and bool(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #05753e46e21cd0de Environment-variable access.
repo/backend/open_webui/config.py:845
ENABLE_ONEDRIVE_BUSINESS = os.getenv('ENABLE_ONEDRIVE_BUSINESS', 'True').lower() == 'true' and bool(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7f39f3941b7015e6 Environment-variable access.
repo/backend/open_webui/config.py:849
ONEDRIVE_SHAREPOINT_URL = os.getenv('ONEDRIVE_SHAREPOINT_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3c126c3f424368c2 Environment-variable access.
repo/backend/open_webui/config.py:851
ONEDRIVE_SHAREPOINT_TENANT_ID = os.getenv('ONEDRIVE_SHAREPOINT_TENANT_ID', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f836d17af8a9d39b Environment-variable access.
repo/backend/open_webui/config.py:854
CONTENT_EXTRACTION_ENGINE = os.getenv('CONTENT_EXTRACTION_ENGINE', '').lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #11aa6a8107f06dad Environment-variable access.
repo/backend/open_webui/config.py:856
DATALAB_MARKER_API_KEY = os.getenv('DATALAB_MARKER_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c06791070de9d30b Environment-variable access.
repo/backend/open_webui/config.py:858
DATALAB_MARKER_API_BASE_URL = os.getenv('DATALAB_MARKER_API_BASE_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a07a60ef93cd4106 Environment-variable access.
repo/backend/open_webui/config.py:860
DATALAB_MARKER_ADDITIONAL_CONFIG = os.getenv('DATALAB_MARKER_ADDITIONAL_CONFIG', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #73cb764653d1b364 Environment-variable access.
repo/backend/open_webui/config.py:862
DATALAB_MARKER_USE_LLM = os.getenv('DATALAB_MARKER_USE_LLM', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a73b54244e9870a7 Environment-variable access.
repo/backend/open_webui/config.py:864
DATALAB_MARKER_SKIP_CACHE = os.getenv('DATALAB_MARKER_SKIP_CACHE', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c8cf243e8346ca75 Environment-variable access.
repo/backend/open_webui/config.py:866
DATALAB_MARKER_FORCE_OCR = os.getenv('DATALAB_MARKER_FORCE_OCR', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #90d609ee9565585e Environment-variable access.
repo/backend/open_webui/config.py:868
DATALAB_MARKER_PAGINATE = os.getenv('DATALAB_MARKER_PAGINATE', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #823579cbb9565d6d Environment-variable access.
repo/backend/open_webui/config.py:870
DATALAB_MARKER_STRIP_EXISTING_OCR = os.getenv('DATALAB_MARKER_STRIP_EXISTING_OCR', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3fd9db15a7055939 Environment-variable access.
repo/backend/open_webui/config.py:873
    os.getenv('DATALAB_MARKER_DISABLE_IMAGE_EXTRACTION', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c07e9403bc5516b2 Environment-variable access.
repo/backend/open_webui/config.py:876
DATALAB_MARKER_FORMAT_LINES = os.getenv('DATALAB_MARKER_FORMAT_LINES', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1e68eb598d38e662 Environment-variable access.
repo/backend/open_webui/config.py:878
DATALAB_MARKER_OUTPUT_FORMAT = os.getenv('DATALAB_MARKER_OUTPUT_FORMAT', 'markdown')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7912ef1423dab7aa Environment-variable access.
repo/backend/open_webui/config.py:880
MINERU_API_MODE = os.getenv('MINERU_API_MODE', 'local')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f1a8c3b3fb5fbfdd Environment-variable access.
repo/backend/open_webui/config.py:882
MINERU_API_URL = os.getenv('MINERU_API_URL', 'http://localhost:8000')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ba7fe18904efd6f Environment-variable access.
repo/backend/open_webui/config.py:884
MINERU_API_TIMEOUT = os.getenv('MINERU_API_TIMEOUT', '300')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #43893f70b062f59a Environment-variable access.
repo/backend/open_webui/config.py:886
MINERU_API_KEY = os.getenv('MINERU_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #859a80bb743c88b3 Environment-variable access.
repo/backend/open_webui/config.py:888
mineru_params = os.getenv('MINERU_PARAMS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2e32afe1a21e47e7 Environment-variable access.
repo/backend/open_webui/config.py:896
MINERU_FILE_EXTENSIONS = [ext.strip() for ext in os.getenv('MINERU_FILE_EXTENSIONS', 'pdf').split(',') if ext.strip()]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bcae9b426f88f0f2 Environment-variable access.
repo/backend/open_webui/config.py:898
EXTERNAL_DOCUMENT_LOADER_URL = os.getenv('EXTERNAL_DOCUMENT_LOADER_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cf524d1f1be29853 Environment-variable access.
repo/backend/open_webui/config.py:900
EXTERNAL_DOCUMENT_LOADER_API_KEY = os.getenv('EXTERNAL_DOCUMENT_LOADER_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7584199f34b70230 Environment-variable access.
repo/backend/open_webui/config.py:902
external_document_loader_headers = os.getenv('EXTERNAL_DOCUMENT_LOADER_HEADERS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #987e7c4ce989fd74 Environment-variable access.
repo/backend/open_webui/config.py:912
TIKA_SERVER_URL = os.getenv('TIKA_SERVER_URL', 'http://tika:9998')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #34fb72aa9e8c4eb4 Environment-variable access.
repo/backend/open_webui/config.py:914
DOCLING_SERVER_URL = os.getenv('DOCLING_SERVER_URL', 'http://docling:5001')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1e11b0603cabced0 Environment-variable access.
repo/backend/open_webui/config.py:916
DOCLING_API_KEY = os.getenv('DOCLING_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7c182e4e1c5f143b Environment-variable access.
repo/backend/open_webui/config.py:918
docling_params = os.getenv('DOCLING_PARAMS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fbf308225f452ad2 Environment-variable access.
repo/backend/open_webui/config.py:926
DOCUMENT_INTELLIGENCE_ENDPOINT = os.getenv('DOCUMENT_INTELLIGENCE_ENDPOINT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #852f984df4fbe2a1 Environment-variable access.
repo/backend/open_webui/config.py:928
DOCUMENT_INTELLIGENCE_KEY = os.getenv('DOCUMENT_INTELLIGENCE_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1b16f5172039c511 Environment-variable access.
repo/backend/open_webui/config.py:930
DOCUMENT_INTELLIGENCE_MODEL = os.getenv('DOCUMENT_INTELLIGENCE_MODEL', 'prebuilt-layout')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a4ad60e9eac64e17 Environment-variable access.
repo/backend/open_webui/config.py:932
MISTRAL_OCR_API_BASE_URL = os.getenv('MISTRAL_OCR_API_BASE_URL', 'https://api.mistral.ai/v1')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f1f3ce776a200284 Environment-variable access.
repo/backend/open_webui/config.py:934
MISTRAL_OCR_API_KEY = os.getenv('MISTRAL_OCR_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7fe6c31b7758dd0e Environment-variable access.
repo/backend/open_webui/config.py:936
MISTRAL_OCR_USE_BASE64 = os.getenv('MISTRAL_OCR_USE_BASE64', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1b20712f5ec1493c Environment-variable access.
repo/backend/open_webui/config.py:938
PADDLEOCR_VL_BASE_URL = os.getenv('PADDLEOCR_VL_BASE_URL', 'http://localhost:8080')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f05c4cf5b91eee63 Environment-variable access.
repo/backend/open_webui/config.py:940
PADDLEOCR_VL_TOKEN = os.getenv('PADDLEOCR_VL_TOKEN', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e69e761e697e24d6 Environment-variable access.
repo/backend/open_webui/config.py:942
BYPASS_EMBEDDING_AND_RETRIEVAL = os.getenv('BYPASS_EMBEDDING_AND_RETRIEVAL', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cbf8d026338fa440 Environment-variable access.
repo/backend/open_webui/config.py:945
RAG_TOP_K = int(os.getenv('RAG_TOP_K', '3'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3ffc3b0c9a23fee5 Environment-variable access.
repo/backend/open_webui/config.py:946
RAG_TOP_K_RERANKER = int(os.getenv('RAG_TOP_K_RERANKER', '3'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7b9d980575f4ca01 Environment-variable access.
repo/backend/open_webui/config.py:947
RAG_RELEVANCE_THRESHOLD = float(os.getenv('RAG_RELEVANCE_THRESHOLD', '0.0'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a6d68ab18852cdfd Environment-variable access.
repo/backend/open_webui/config.py:948
RAG_HYBRID_BM25_WEIGHT = float(os.getenv('RAG_HYBRID_BM25_WEIGHT', '0.5'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c8b4ec7f616d31a9 Environment-variable access.
repo/backend/open_webui/config.py:950
ENABLE_RAG_HYBRID_SEARCH = os.getenv('ENABLE_RAG_HYBRID_SEARCH', '').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4f04b5d900b62bf7 Environment-variable access.
repo/backend/open_webui/config.py:953
    os.getenv('ENABLE_RAG_HYBRID_SEARCH_ENRICHED_TEXTS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #88bedebf0a21c825 Environment-variable access.
repo/backend/open_webui/config.py:956
RAG_FULL_CONTEXT = os.getenv('RAG_FULL_CONTEXT', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ac794efd1ea0955d Environment-variable access.
repo/backend/open_webui/config.py:958
RAG_FILE_MAX_COUNT = int(os.getenv('RAG_FILE_MAX_COUNT')) if os.getenv('RAG_FILE_MAX_COUNT') else None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6af67377566cf528 Environment-variable access.
repo/backend/open_webui/config.py:960
RAG_FILE_MAX_SIZE = int(os.getenv('RAG_FILE_MAX_SIZE')) if os.getenv('RAG_FILE_MAX_SIZE') else None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8103caac841df9ad Environment-variable access.
repo/backend/open_webui/config.py:962
RAG_FILE_CONTENT_SEARCH_MAX_CHARS = int(os.getenv('RAG_FILE_CONTENT_SEARCH_MAX_CHARS', str(64 * 1024 * 1024)))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #85127c86d47fd8c7 Environment-variable access.
repo/backend/open_webui/config.py:965
    int(os.getenv('FILE_IMAGE_COMPRESSION_WIDTH')) if os.getenv('FILE_IMAGE_COMPRESSION_WIDTH') else None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #874e55025602d86b Environment-variable access.
repo/backend/open_webui/config.py:969
    int(os.getenv('FILE_IMAGE_COMPRESSION_HEIGHT')) if os.getenv('FILE_IMAGE_COMPRESSION_HEIGHT') else None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #705f071682af1b03 Environment-variable access.
repo/backend/open_webui/config.py:974
    ext.strip() for ext in os.getenv('RAG_ALLOWED_FILE_EXTENSIONS', '').split(',') if ext.strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1919234e2d9f4841 Environment-variable access.
repo/backend/open_webui/config.py:977
RAG_EMBEDDING_ENGINE = os.getenv('RAG_EMBEDDING_ENGINE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #98d77aefc09c3caf Environment-variable access.
repo/backend/open_webui/config.py:979
PDF_EXTRACT_IMAGES = os.getenv('PDF_EXTRACT_IMAGES', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ba5f4aacd99cbf7c Environment-variable access.
repo/backend/open_webui/config.py:981
PDF_LOADER_MODE = os.getenv('PDF_LOADER_MODE', 'page')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9e01150575067349 Environment-variable access.
repo/backend/open_webui/config.py:983
RAG_EMBEDDING_MODEL = os.getenv('RAG_EMBEDDING_MODEL', 'sentence-transformers/all-MiniLM-L6-v2')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4befb559606f212a Environment-variable access.
repo/backend/open_webui/config.py:986
RAG_TOKENIZER_MODEL = os.getenv('RAG_TOKENIZER_MODEL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #83a84f2eaac77006 Environment-variable access.
repo/backend/open_webui/config.py:989
    not OFFLINE_MODE and os.getenv('RAG_EMBEDDING_MODEL_AUTO_UPDATE', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b79e52ff6b4f1b67 Environment-variable access.
repo/backend/open_webui/config.py:992
RAG_EMBEDDING_MODEL_TRUST_REMOTE_CODE = os.getenv('RAG_EMBEDDING_MODEL_TRUST_REMOTE_CODE', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #270f537083cbfda6 Environment-variable access.
repo/backend/open_webui/config.py:995
    os.getenv('RAG_EMBEDDING_BATCH_SIZE') or os.getenv('RAG_EMBEDDING_OPENAI_BATCH_SIZE', '1')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aacecfd784c135a3 Environment-variable access.
repo/backend/open_webui/config.py:998
ENABLE_ASYNC_EMBEDDING = os.getenv('ENABLE_ASYNC_EMBEDDING', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #86f30335a903a16f Environment-variable access.
repo/backend/open_webui/config.py:1000
RAG_EMBEDDING_CONCURRENT_REQUESTS = int(os.getenv('RAG_EMBEDDING_CONCURRENT_REQUESTS', '0'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ff05e8351785b33 Environment-variable access.
repo/backend/open_webui/config.py:1002
RAG_EMBEDDING_QUERY_PREFIX = os.getenv('RAG_EMBEDDING_QUERY_PREFIX', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #58fc9308ebfa2593 Environment-variable access.
repo/backend/open_webui/config.py:1004
RAG_EMBEDDING_CONTENT_PREFIX = os.getenv('RAG_EMBEDDING_CONTENT_PREFIX', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #537cf191a63940a9 Environment-variable access.
repo/backend/open_webui/config.py:1006
RAG_EMBEDDING_PREFIX_FIELD_NAME = os.getenv('RAG_EMBEDDING_PREFIX_FIELD_NAME', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2e5ae714152dd514 Environment-variable access.
repo/backend/open_webui/config.py:1008
RAG_RERANKING_ENGINE = os.getenv('RAG_RERANKING_ENGINE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f062d99337c93347 Environment-variable access.
repo/backend/open_webui/config.py:1010
RAG_RERANKING_MODEL = os.getenv('RAG_RERANKING_MODEL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #daf1ff2bb06ef706 Environment-variable access.
repo/backend/open_webui/config.py:1016
    not OFFLINE_MODE and os.getenv('RAG_RERANKING_MODEL_AUTO_UPDATE', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #60cbaf9491465ae3 Environment-variable access.
repo/backend/open_webui/config.py:1019
RAG_RERANKING_MODEL_TRUST_REMOTE_CODE = os.getenv('RAG_RERANKING_MODEL_TRUST_REMOTE_CODE', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #10316560ec65bc30 Environment-variable access.
repo/backend/open_webui/config.py:1021
RAG_RERANKING_BATCH_SIZE = int(os.getenv('RAG_RERANKING_BATCH_SIZE', '32'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7ef9e91792400dfc Environment-variable access.
repo/backend/open_webui/config.py:1023
RAG_EXTERNAL_RERANKER_URL = os.getenv('RAG_EXTERNAL_RERANKER_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2bad21edff63a427 Environment-variable access.
repo/backend/open_webui/config.py:1025
RAG_EXTERNAL_RERANKER_API_KEY = os.getenv('RAG_EXTERNAL_RERANKER_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #61422aeaf3858951 Environment-variable access.
repo/backend/open_webui/config.py:1027
RAG_EXTERNAL_RERANKER_TIMEOUT = os.getenv('RAG_EXTERNAL_RERANKER_TIMEOUT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2251d0e43d130d38 Environment-variable access.
repo/backend/open_webui/config.py:1030
RAG_TEXT_SPLITTER = os.getenv('RAG_TEXT_SPLITTER', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df6d4955bce7a24a Environment-variable access.
repo/backend/open_webui/config.py:1032
ENABLE_MARKDOWN_HEADER_TEXT_SPLITTER = os.getenv('ENABLE_MARKDOWN_HEADER_TEXT_SPLITTER', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #626b0c1ed0edb63d Environment-variable access.
repo/backend/open_webui/config.py:1035
TIKTOKEN_CACHE_DIR = os.getenv('TIKTOKEN_CACHE_DIR', f'{CACHE_DIR}/tiktoken')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #653d902292a9b524 Environment-variable access.
repo/backend/open_webui/config.py:1036
TIKTOKEN_ENCODING_NAME = os.getenv('TIKTOKEN_ENCODING_NAME', 'cl100k_base')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #979f8e0f13ff71de Environment-variable access.
repo/backend/open_webui/config.py:1039
CHUNK_SIZE = int(os.getenv('CHUNK_SIZE', '1000'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f457a3fde498827c Environment-variable access.
repo/backend/open_webui/config.py:1041
CHUNK_MIN_SIZE_TARGET = int(os.getenv('CHUNK_MIN_SIZE_TARGET', '0'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1cc9f2b58fa6b2f7 Environment-variable access.
repo/backend/open_webui/config.py:1043
CHUNK_OVERLAP = int(os.getenv('CHUNK_OVERLAP', '100'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #77ede2ed78f29853 Environment-variable access.
repo/backend/open_webui/config.py:1071
RAG_TEMPLATE = os.getenv('RAG_TEMPLATE', DEFAULT_RAG_TEMPLATE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #24a325e74372a976 Environment-variable access.
repo/backend/open_webui/config.py:1073
RAG_OPENAI_API_BASE_URL = os.getenv('RAG_OPENAI_API_BASE_URL', OPENAI_API_BASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #69265f27fb4848e5 Environment-variable access.
repo/backend/open_webui/config.py:1074
RAG_OPENAI_API_KEY = os.getenv('RAG_OPENAI_API_KEY', OPENAI_API_KEY)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d2ecb552c74dbb44 Environment-variable access.
repo/backend/open_webui/config.py:1076
RAG_AZURE_OPENAI_BASE_URL = os.getenv('RAG_AZURE_OPENAI_BASE_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c36f0985bbc32078 Environment-variable access.
repo/backend/open_webui/config.py:1077
RAG_AZURE_OPENAI_API_KEY = os.getenv('RAG_AZURE_OPENAI_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bd5f60eaa8456c2c Environment-variable access.
repo/backend/open_webui/config.py:1078
RAG_AZURE_OPENAI_API_VERSION = os.getenv('RAG_AZURE_OPENAI_API_VERSION', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fda0c96ee7be8739 Environment-variable access.
repo/backend/open_webui/config.py:1080
RAG_OLLAMA_BASE_URL = os.getenv('RAG_OLLAMA_BASE_URL', OLLAMA_BASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5ddaf5f06734814e Environment-variable access.
repo/backend/open_webui/config.py:1082
RAG_OLLAMA_API_KEY = os.getenv('RAG_OLLAMA_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0e842ed4746b4bd0 Environment-variable access.
repo/backend/open_webui/config.py:1086
    os.getenv(
        'ENABLE_LOCAL_WEB_FETCH',
        os.getenv('ENABLE_RAG_LOCAL_WEB_FETCH', 'False'),
    ).lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be759e5557ac2de4 Environment-variable access.
repo/backend/open_webui/config.py:1088
        os.getenv('ENABLE_RAG_LOCAL_WEB_FETCH', 'False'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f0a90e69a0938497 Environment-variable access.
repo/backend/open_webui/config.py:1104
web_fetch_filter_list = os.getenv('WEB_FETCH_FILTER_LIST', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a4bcb1a2e9bb1a23 Environment-variable access.
repo/backend/open_webui/config.py:1113
YOUTUBE_LOADER_LANGUAGE = os.getenv('YOUTUBE_LOADER_LANGUAGE', 'en').split(',')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8272b21c7c3ec7ba Environment-variable access.
repo/backend/open_webui/config.py:1115
YOUTUBE_LOADER_PROXY_URL = os.getenv('YOUTUBE_LOADER_PROXY_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5eefb72ada1097e2 Environment-variable access.
repo/backend/open_webui/config.py:1122
ENABLE_WEB_SEARCH = os.getenv('ENABLE_WEB_SEARCH', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a7e091bdd35a545 Environment-variable access.
repo/backend/open_webui/config.py:1124
ENABLE_WEB_SEARCH_CONFIRMATION = os.getenv('ENABLE_WEB_SEARCH_CONFIRMATION', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eb2bfdca0179c01d Environment-variable access.
repo/backend/open_webui/config.py:1126
WEB_SEARCH_CONFIRMATION_CONTENT = os.getenv(
    'WEB_SEARCH_CONFIRMATION_CONTENT',
    'Your query will be sent to the configured web search provider.',
)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e6fb29d2e7a7e6d8 Environment-variable access.
repo/backend/open_webui/config.py:1131
WEB_SEARCH_ENGINE = os.getenv('WEB_SEARCH_ENGINE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8b11b349e929c3a0 Environment-variable access.
repo/backend/open_webui/config.py:1134
    os.getenv('BYPASS_WEB_SEARCH_EMBEDDING_AND_RETRIEVAL', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #792bfb8127727132 Environment-variable access.
repo/backend/open_webui/config.py:1138
BYPASS_WEB_SEARCH_WEB_LOADER = os.getenv('BYPASS_WEB_SEARCH_WEB_LOADER', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1740a72eb4e4befd Environment-variable access.
repo/backend/open_webui/config.py:1140
WEB_SEARCH_RESULT_COUNT = int(os.getenv('WEB_SEARCH_RESULT_COUNT', '3'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9d06887b7e833bca Environment-variable access.
repo/backend/open_webui/config.py:1144
    web_search_domain_filter_list = json.loads(os.getenv('WEB_SEARCH_DOMAIN_FILTER_LIST', '[]'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40b87f1b0f5dcadc Environment-variable access.
repo/backend/open_webui/config.py:1157
WEB_SEARCH_CONCURRENT_REQUESTS = int(os.getenv('WEB_SEARCH_CONCURRENT_REQUESTS', '0'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #72b127f7b8a62f3e Environment-variable access.
repo/backend/open_webui/config.py:1160
    int(os.getenv('WEB_FETCH_MAX_CONTENT_LENGTH')) if os.getenv('WEB_FETCH_MAX_CONTENT_LENGTH') else None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #16925a46705c8476 Environment-variable access.
repo/backend/open_webui/config.py:1163
WEB_LOADER_ENGINE = os.getenv('WEB_LOADER_ENGINE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae1557a41a6fa07b Environment-variable access.
repo/backend/open_webui/config.py:1166
WEB_LOADER_CONCURRENT_REQUESTS = int(os.getenv('WEB_LOADER_CONCURRENT_REQUESTS', '10'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #153263a4f3303dfa Environment-variable access.
repo/backend/open_webui/config.py:1168
WEB_LOADER_TIMEOUT = os.getenv('WEB_LOADER_TIMEOUT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e194fbac7489940d Environment-variable access.
repo/backend/open_webui/config.py:1171
ENABLE_WEB_LOADER_SSL_VERIFICATION = os.getenv('ENABLE_WEB_LOADER_SSL_VERIFICATION', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40cb3034eb2901a3 Environment-variable access.
repo/backend/open_webui/config.py:1173
WEB_SEARCH_TRUST_ENV = os.getenv('WEB_SEARCH_TRUST_ENV', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7d5e7e9d18e67f05 Environment-variable access.
repo/backend/open_webui/config.py:1176
OLLAMA_CLOUD_WEB_SEARCH_API_KEY = os.getenv('OLLAMA_CLOUD_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dd7ed223e01e76a3 Environment-variable access.
repo/backend/open_webui/config.py:1178
SEARXNG_QUERY_URL = os.getenv('SEARXNG_QUERY_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8febddc5e940eacf Environment-variable access.
repo/backend/open_webui/config.py:1180
SEARXNG_LANGUAGE = os.getenv('SEARXNG_LANGUAGE', 'all')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b4e3383c8e7a6643 Environment-variable access.
repo/backend/open_webui/config.py:1182
YACY_QUERY_URL = os.getenv('YACY_QUERY_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a43fc698dafdd00a Environment-variable access.
repo/backend/open_webui/config.py:1184
YACY_USERNAME = os.getenv('YACY_USERNAME', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e23fc256009274c3 Environment-variable access.
repo/backend/open_webui/config.py:1186
YACY_PASSWORD = os.getenv('YACY_PASSWORD', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f6a241e092c1d05b Environment-variable access.
repo/backend/open_webui/config.py:1188
GOOGLE_PSE_API_KEY = os.getenv('GOOGLE_PSE_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dd286f6ea023ce3f Environment-variable access.
repo/backend/open_webui/config.py:1190
GOOGLE_PSE_ENGINE_ID = os.getenv('GOOGLE_PSE_ENGINE_ID', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a9144ff8bf7e4eda Environment-variable access.
repo/backend/open_webui/config.py:1192
BRAVE_SEARCH_API_KEY = os.getenv('BRAVE_SEARCH_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8b86ad51c462b43b Environment-variable access.
repo/backend/open_webui/config.py:1194
BRAVE_SEARCH_CONTEXT_TOKENS = int(os.getenv('BRAVE_SEARCH_CONTEXT_TOKENS', '8192'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #81f2ce34d57c0ee6 Environment-variable access.
repo/backend/open_webui/config.py:1196
KAGI_SEARCH_API_KEY = os.getenv('KAGI_SEARCH_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a9b98511586c8715 Environment-variable access.
repo/backend/open_webui/config.py:1198
MOJEEK_SEARCH_API_KEY = os.getenv('MOJEEK_SEARCH_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7005c8d7d0e00a97 Environment-variable access.
repo/backend/open_webui/config.py:1200
BOCHA_SEARCH_API_KEY = os.getenv('BOCHA_SEARCH_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46f7d8f65df5b626 Environment-variable access.
repo/backend/open_webui/config.py:1202
SERPSTACK_API_KEY = os.getenv('SERPSTACK_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a4876adb4724332 Environment-variable access.
repo/backend/open_webui/config.py:1204
SERPSTACK_HTTPS = os.getenv('SERPSTACK_HTTPS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3e3a80b302a5d932 Environment-variable access.
repo/backend/open_webui/config.py:1206
SERPER_API_KEY = os.getenv('SERPER_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f83d5fcdd87df3c1 Environment-variable access.
repo/backend/open_webui/config.py:1208
SERPLY_API_KEY = os.getenv('SERPLY_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #88120933490e6718 Environment-variable access.
repo/backend/open_webui/config.py:1210
SERPHOUSE_API_KEY = os.getenv('SERPHOUSE_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a4b24f9aa04704e0 Environment-variable access.
repo/backend/open_webui/config.py:1212
SERPHOUSE_DOMAIN = os.getenv('SERPHOUSE_DOMAIN', 'google.com')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #552e07cedf367cfa Environment-variable access.
repo/backend/open_webui/config.py:1214
DDGS_BACKEND = os.getenv('DDGS_BACKEND', 'auto')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cfad6de27d2a424c Environment-variable access.
repo/backend/open_webui/config.py:1216
JINA_API_KEY = os.getenv('JINA_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #faafec748f5ddae9 Environment-variable access.
repo/backend/open_webui/config.py:1218
JINA_API_BASE_URL = os.getenv('JINA_API_BASE_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7cc4b7bbe0c07852 Environment-variable access.
repo/backend/open_webui/config.py:1220
SEARCHAPI_API_KEY = os.getenv('SEARCHAPI_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1d224764500f3021 Environment-variable access.
repo/backend/open_webui/config.py:1222
SEARCHAPI_ENGINE = os.getenv('SEARCHAPI_ENGINE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5d919ba16106c861 Environment-variable access.
repo/backend/open_webui/config.py:1224
SERPAPI_API_KEY = os.getenv('SERPAPI_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a0fb91609646ed3b Environment-variable access.
repo/backend/open_webui/config.py:1226
SERPAPI_ENGINE = os.getenv('SERPAPI_ENGINE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1f5a02e0eda8bb9b Environment-variable access.
repo/backend/open_webui/config.py:1228
BING_SEARCH_V7_ENDPOINT = os.getenv('BING_SEARCH_V7_ENDPOINT', 'https://api.bing.microsoft.com/v7.0/search')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ee23a5673699a9f Environment-variable access.
repo/backend/open_webui/config.py:1230
BING_SEARCH_V7_SUBSCRIPTION_KEY = os.getenv('BING_SEARCH_V7_SUBSCRIPTION_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #84a086cca14a45ab Environment-variable access.
repo/backend/open_webui/config.py:1232
AZURE_AI_SEARCH_API_KEY = os.getenv('AZURE_AI_SEARCH_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #97d5521441997d27 Environment-variable access.
repo/backend/open_webui/config.py:1234
AZURE_AI_SEARCH_ENDPOINT = os.getenv('AZURE_AI_SEARCH_ENDPOINT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a462e8dbbf8729fb Environment-variable access.
repo/backend/open_webui/config.py:1236
AZURE_AI_SEARCH_INDEX_NAME = os.getenv('AZURE_AI_SEARCH_INDEX_NAME', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1e933e31f61ba751 Environment-variable access.
repo/backend/open_webui/config.py:1238
EXA_API_KEY = os.getenv('EXA_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aaebbfae0c4adb46 Environment-variable access.
repo/backend/open_webui/config.py:1240
PERPLEXITY_API_KEY = os.getenv('PERPLEXITY_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #58904b7a140c9965 Environment-variable access.
repo/backend/open_webui/config.py:1242
PERPLEXITY_MODEL = os.getenv('PERPLEXITY_MODEL', 'sonar')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8f18d375aafbd980 Environment-variable access.
repo/backend/open_webui/config.py:1244
PERPLEXITY_SEARCH_CONTEXT_USAGE = os.getenv('PERPLEXITY_SEARCH_CONTEXT_USAGE', 'medium')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd9d2b9730ffd96e Environment-variable access.
repo/backend/open_webui/config.py:1246
PERPLEXITY_SEARCH_API_URL = os.getenv('PERPLEXITY_SEARCH_API_URL', 'https://api.perplexity.ai/search')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f169b6fd5ae77168 Environment-variable access.
repo/backend/open_webui/config.py:1248
MICROSOFT_WEB_IQ_API_BASE_URL = os.getenv('MICROSOFT_WEB_IQ_API_BASE_URL', 'https://api.microsoft.ai/v3')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8768edc09f446723 Environment-variable access.
repo/backend/open_webui/config.py:1250
MICROSOFT_WEB_IQ_API_KEY = os.getenv('MICROSOFT_WEB_IQ_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #55454469a0453c8c Environment-variable access.
repo/backend/open_webui/config.py:1252
MICROSOFT_WEB_IQ_LANGUAGE = os.getenv('MICROSOFT_WEB_IQ_LANGUAGE', 'en')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2f3106066c2aabe7 Environment-variable access.
repo/backend/open_webui/config.py:1254
SOUGOU_API_SID = os.getenv('SOUGOU_API_SID', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cfd94d6bfde9449e Environment-variable access.
repo/backend/open_webui/config.py:1256
SOUGOU_API_SK = os.getenv('SOUGOU_API_SK', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #85bdee2a1282c863 Environment-variable access.
repo/backend/open_webui/config.py:1258
TAVILY_API_KEY = os.getenv('TAVILY_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3bacb1939032a9cd Environment-variable access.
repo/backend/open_webui/config.py:1260
TAVILY_EXTRACT_DEPTH = os.getenv('TAVILY_EXTRACT_DEPTH', 'basic')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ba535c4d9494a5af Environment-variable access.
repo/backend/open_webui/config.py:1262
PLAYWRIGHT_WS_URL = os.getenv('PLAYWRIGHT_WS_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #19cafefc0f5db35f Environment-variable access.
repo/backend/open_webui/config.py:1264
PLAYWRIGHT_TIMEOUT = int(os.getenv('PLAYWRIGHT_TIMEOUT', '10000'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fe5ea440d4315e42 Environment-variable access.
repo/backend/open_webui/config.py:1266
FIRECRAWL_API_KEY = os.getenv('FIRECRAWL_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #72f3e6499d1dc7b7 Environment-variable access.
repo/backend/open_webui/config.py:1268
FIRECRAWL_API_BASE_URL = os.getenv('FIRECRAWL_API_BASE_URL', 'https://api.firecrawl.dev')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #77293911e55dd218 Environment-variable access.
repo/backend/open_webui/config.py:1270
FIRECRAWL_TIMEOUT = os.getenv('FIRECRAWL_TIMEOUT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cc09c6c4f7a8006d Environment-variable access.
repo/backend/open_webui/config.py:1272
EXTERNAL_WEB_SEARCH_URL = os.getenv('EXTERNAL_WEB_SEARCH_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #55d8a51f7272da3f Environment-variable access.
repo/backend/open_webui/config.py:1274
EXTERNAL_WEB_SEARCH_API_KEY = os.getenv('EXTERNAL_WEB_SEARCH_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ed3c042720e426ac Environment-variable access.
repo/backend/open_webui/config.py:1276
EXTERNAL_WEB_LOADER_URL = os.getenv('EXTERNAL_WEB_LOADER_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2334b607e2f01d8b Environment-variable access.
repo/backend/open_webui/config.py:1278
EXTERNAL_WEB_LOADER_API_KEY = os.getenv('EXTERNAL_WEB_LOADER_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #71d781fb3e587a8e Environment-variable access.
repo/backend/open_webui/config.py:1280
YANDEX_WEB_SEARCH_URL = os.getenv('YANDEX_WEB_SEARCH_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a22cc6babf32b4c8 Environment-variable access.
repo/backend/open_webui/config.py:1282
YANDEX_WEB_SEARCH_API_KEY = os.getenv('YANDEX_WEB_SEARCH_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #db8e46bad56b8e4c Environment-variable access.
repo/backend/open_webui/config.py:1284
YANDEX_WEB_SEARCH_CONFIG = os.getenv('YANDEX_WEB_SEARCH_CONFIG', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2a507ae15e6fe007 Environment-variable access.
repo/backend/open_webui/config.py:1286
YOUCOM_API_KEY = os.getenv('YOUCOM_API_KEY', os.getenv('YDC_API_KEY', ''))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d728863967d87022 Environment-variable access.
repo/backend/open_webui/config.py:1288
LINKUP_API_KEY = os.getenv('LINKUP_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #638ae7e0a951524d Environment-variable access.
repo/backend/open_webui/config.py:1290
linkup_search_params = os.getenv('LINKUP_SEARCH_PARAMS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #acdefbde0c7af392 Environment-variable access.
repo/backend/open_webui/config.py:1302
ENABLE_IMAGE_GENERATION = os.getenv('ENABLE_IMAGE_GENERATION', '').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ccaed8a42f241437 Environment-variable access.
repo/backend/open_webui/config.py:1304
IMAGE_GENERATION_ENGINE = os.getenv('IMAGE_GENERATION_ENGINE', 'openai')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9f1532cd8d917a46 Environment-variable access.
repo/backend/open_webui/config.py:1306
IMAGE_GENERATION_MODEL = os.getenv('IMAGE_GENERATION_MODEL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #079f411628e757c9 Environment-variable access.
repo/backend/open_webui/config.py:1309
IMAGE_AUTO_SIZE_MODELS_REGEX_PATTERN = os.getenv('IMAGE_AUTO_SIZE_MODELS_REGEX_PATTERN', '^gpt-image')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6e3fc3c08e608599 Environment-variable access.
repo/backend/open_webui/config.py:1312
IMAGE_URL_RESPONSE_MODELS_REGEX_PATTERN = os.getenv('IMAGE_URL_RESPONSE_MODELS_REGEX_PATTERN', '^gpt-image')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #98f6564968e26207 Environment-variable access.
repo/backend/open_webui/config.py:1314
IMAGE_SIZE = os.getenv('IMAGE_SIZE', '512x512')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d20d0c9dc7de7836 Environment-variable access.
repo/backend/open_webui/config.py:1316
IMAGE_STEPS = int(os.getenv('IMAGE_STEPS', 50))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6c8eae3a2b55b226 Environment-variable access.
repo/backend/open_webui/config.py:1318
ENABLE_IMAGE_PROMPT_GENERATION = os.getenv('ENABLE_IMAGE_PROMPT_GENERATION', 'true').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #33e635701eb70406 Environment-variable access.
repo/backend/open_webui/config.py:1320
AUTOMATIC1111_BASE_URL = os.getenv('AUTOMATIC1111_BASE_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #325c4b9156387570 Environment-variable access.
repo/backend/open_webui/config.py:1321
AUTOMATIC1111_API_AUTH = os.getenv('AUTOMATIC1111_API_AUTH', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1df3f1c129dafc9d Environment-variable access.
repo/backend/open_webui/config.py:1323
automatic1111_params = os.getenv('AUTOMATIC1111_PARAMS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1f43e5bf7bd29301 Environment-variable access.
repo/backend/open_webui/config.py:1331
COMFYUI_BASE_URL = os.getenv('COMFYUI_BASE_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e503862f8a4e31ef Environment-variable access.
repo/backend/open_webui/config.py:1333
COMFYUI_API_KEY = os.getenv('COMFYUI_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9968c7b96d5d6638 Environment-variable access.
repo/backend/open_webui/config.py:1446
COMFYUI_WORKFLOW = os.getenv('COMFYUI_WORKFLOW', COMFYUI_DEFAULT_WORKFLOW)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #98a9de56ce905f1a Environment-variable access.
repo/backend/open_webui/config.py:1448
comfyui_workflow_nodes = os.getenv('COMFYUI_WORKFLOW_NODES', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #455893892dffc2b7 Environment-variable access.
repo/backend/open_webui/config.py:1456
IMAGES_OPENAI_API_BASE_URL = os.getenv('IMAGES_OPENAI_API_BASE_URL', OPENAI_API_BASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fac454829e7e6dd1 Environment-variable access.
repo/backend/open_webui/config.py:1457
IMAGES_OPENAI_API_VERSION = os.getenv('IMAGES_OPENAI_API_VERSION', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #caa1d6e9c843a8ab Environment-variable access.
repo/backend/open_webui/config.py:1459
IMAGES_OPENAI_API_KEY = os.getenv('IMAGES_OPENAI_API_KEY', OPENAI_API_KEY)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eb12eed0b3b59858 Environment-variable access.
repo/backend/open_webui/config.py:1461
images_openai_params = os.getenv('IMAGES_OPENAI_PARAMS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2e41e612cdc167ff Environment-variable access.
repo/backend/open_webui/config.py:1471
IMAGES_GEMINI_API_BASE_URL = os.getenv('IMAGES_GEMINI_API_BASE_URL', GEMINI_API_BASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #19fef7515c66ba1b Environment-variable access.
repo/backend/open_webui/config.py:1472
IMAGES_GEMINI_API_KEY = os.getenv('IMAGES_GEMINI_API_KEY', GEMINI_API_KEY)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f6ab24bc0b9f88e7 Environment-variable access.
repo/backend/open_webui/config.py:1474
IMAGES_GEMINI_ENDPOINT_METHOD = os.getenv('IMAGES_GEMINI_ENDPOINT_METHOD', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #131360d22e1e8406 Environment-variable access.
repo/backend/open_webui/config.py:1476
ENABLE_IMAGE_EDIT = os.getenv('ENABLE_IMAGE_EDIT', '').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ff616c90ce1efe9 Environment-variable access.
repo/backend/open_webui/config.py:1478
IMAGE_EDIT_ENGINE = os.getenv('IMAGE_EDIT_ENGINE', 'openai')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #66a87355669fb290 Environment-variable access.
repo/backend/open_webui/config.py:1480
IMAGE_EDIT_MODEL = os.getenv('IMAGE_EDIT_MODEL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bbabee7356aeaa3c Environment-variable access.
repo/backend/open_webui/config.py:1482
IMAGE_EDIT_SIZE = os.getenv('IMAGE_EDIT_SIZE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d874d17b8294591b Environment-variable access.
repo/backend/open_webui/config.py:1484
ENABLE_OPENAI_IMAGE_EDIT_NORMALIZATION = os.getenv('ENABLE_OPENAI_IMAGE_EDIT_NORMALIZATION', 'true').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7b848eed5c1525ec Environment-variable access.
repo/backend/open_webui/config.py:1486
IMAGES_EDIT_OPENAI_API_BASE_URL = os.getenv('IMAGES_EDIT_OPENAI_API_BASE_URL', OPENAI_API_BASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fc346616e30c2040 Environment-variable access.
repo/backend/open_webui/config.py:1487
IMAGES_EDIT_OPENAI_API_VERSION = os.getenv('IMAGES_EDIT_OPENAI_API_VERSION', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #298cb0b86e4b4ad2 Environment-variable access.
repo/backend/open_webui/config.py:1489
IMAGES_EDIT_OPENAI_API_KEY = os.getenv('IMAGES_EDIT_OPENAI_API_KEY', OPENAI_API_KEY)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #327d2a31db0ac84d Environment-variable access.
repo/backend/open_webui/config.py:1491
IMAGES_EDIT_GEMINI_API_BASE_URL = os.getenv('IMAGES_EDIT_GEMINI_API_BASE_URL', GEMINI_API_BASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ac6c34c4d5a11830 Environment-variable access.
repo/backend/open_webui/config.py:1492
IMAGES_EDIT_GEMINI_API_KEY = os.getenv('IMAGES_EDIT_GEMINI_API_KEY', GEMINI_API_KEY)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fb64667dbf5114a6 Environment-variable access.
repo/backend/open_webui/config.py:1495
IMAGES_EDIT_COMFYUI_BASE_URL = os.getenv('IMAGES_EDIT_COMFYUI_BASE_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a27dd041067a397e Environment-variable access.
repo/backend/open_webui/config.py:1496
IMAGES_EDIT_COMFYUI_API_KEY = os.getenv('IMAGES_EDIT_COMFYUI_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c40aaabb3bffb865 Environment-variable access.
repo/backend/open_webui/config.py:1498
IMAGES_EDIT_COMFYUI_WORKFLOW = os.getenv('IMAGES_EDIT_COMFYUI_WORKFLOW', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8df8bbf3eaf8514d Environment-variable access.
repo/backend/open_webui/config.py:1500
images_edit_comfyui_workflow_nodes = os.getenv('IMAGES_EDIT_COMFYUI_WORKFLOW_NODES', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #08a621a7dc1469c9 Environment-variable access.
repo/backend/open_webui/config.py:1513
WHISPER_MODEL = os.getenv('WHISPER_MODEL', 'base')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8cb640c3a5709787 Environment-variable access.
repo/backend/open_webui/config.py:1515
WHISPER_COMPUTE_TYPE = os.getenv('WHISPER_COMPUTE_TYPE', 'int8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8b47cfef4f0999c3 Environment-variable access.
repo/backend/open_webui/config.py:1516
WHISPER_MODEL_DIR = os.getenv('WHISPER_MODEL_DIR', f'{CACHE_DIR}/whisper/models')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a094fd1bb764ed51 Environment-variable access.
repo/backend/open_webui/config.py:1517
WHISPER_MODEL_AUTO_UPDATE = not OFFLINE_MODE and os.getenv('WHISPER_MODEL_AUTO_UPDATE', '').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fab84ea1b25558c0 Environment-variable access.
repo/backend/open_webui/config.py:1519
WHISPER_VAD_FILTER = os.getenv('WHISPER_VAD_FILTER', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f89c536613fc0e12 Environment-variable access.
repo/backend/open_webui/config.py:1521
WHISPER_MULTILINGUAL = os.getenv('WHISPER_MULTILINGUAL', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e186b8806d159fff Environment-variable access.
repo/backend/open_webui/config.py:1523
WHISPER_LANGUAGE = os.getenv('WHISPER_LANGUAGE', '').lower() or None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2269b30cfd066b1e Environment-variable access.
repo/backend/open_webui/config.py:1526
DEEPGRAM_API_KEY = os.getenv('DEEPGRAM_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9f92ecc3c606b0b4 Environment-variable access.
repo/backend/open_webui/config.py:1529
ELEVENLABS_API_BASE_URL = os.getenv('ELEVENLABS_API_BASE_URL', 'https://api.elevenlabs.io')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e472c6d201f0e155 Environment-variable access.
repo/backend/open_webui/config.py:1531
AUDIO_STT_OPENAI_API_BASE_URL = os.getenv('AUDIO_STT_OPENAI_API_BASE_URL', OPENAI_API_BASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fec1acdb2bba89d5 Environment-variable access.
repo/backend/open_webui/config.py:1533
AUDIO_STT_OPENAI_API_KEY = os.getenv('AUDIO_STT_OPENAI_API_KEY', OPENAI_API_KEY)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b94857c04aef4081 Environment-variable access.
repo/backend/open_webui/config.py:1535
AUDIO_STT_OPENAI_API_REQUEST_FORMAT = os.getenv('AUDIO_STT_OPENAI_API_REQUEST_FORMAT', 'multipart')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b1c0400c8102ac54 Environment-variable access.
repo/backend/open_webui/config.py:1537
AUDIO_STT_ENGINE = os.getenv('AUDIO_STT_ENGINE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be630a289cb5c7b8 Environment-variable access.
repo/backend/open_webui/config.py:1539
AUDIO_STT_MODEL = os.getenv('AUDIO_STT_MODEL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #57527fd425b0abdc Environment-variable access.
repo/backend/open_webui/config.py:1543
    for content_type in os.getenv('AUDIO_STT_SUPPORTED_CONTENT_TYPES', '').split(',')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a67012a3a84635a Environment-variable access.
repo/backend/open_webui/config.py:1549
    for ext in os.getenv(
        'AUDIO_STT_ALLOWED_EXTENSIONS',
        'mp3,wav,m4a,webm,ogg,flac,mp4,mpga,mpeg',
    ).split(',')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1c691a04ea9d1a27 Environment-variable access.
repo/backend/open_webui/config.py:1556
AUDIO_STT_AZURE_API_KEY = os.getenv('AUDIO_STT_AZURE_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c808530ce8a72b5c Environment-variable access.
repo/backend/open_webui/config.py:1558
AUDIO_STT_AZURE_REGION = os.getenv('AUDIO_STT_AZURE_REGION', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6bf7706f77e37d17 Environment-variable access.
repo/backend/open_webui/config.py:1560
AUDIO_STT_AZURE_LOCALES = os.getenv('AUDIO_STT_AZURE_LOCALES', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e03dc2673d9b0b3a Environment-variable access.
repo/backend/open_webui/config.py:1562
AUDIO_STT_AZURE_BASE_URL = os.getenv('AUDIO_STT_AZURE_BASE_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #95608bbec1df57b3 Environment-variable access.
repo/backend/open_webui/config.py:1564
AUDIO_STT_AZURE_MAX_SPEAKERS = os.getenv('AUDIO_STT_AZURE_MAX_SPEAKERS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1a8ab2bb1ec598d6 Environment-variable access.
repo/backend/open_webui/config.py:1566
AUDIO_STT_MISTRAL_API_KEY = os.getenv('AUDIO_STT_MISTRAL_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8e2bbef73920e410 Environment-variable access.
repo/backend/open_webui/config.py:1568
AUDIO_STT_MISTRAL_API_BASE_URL = os.getenv('AUDIO_STT_MISTRAL_API_BASE_URL', 'https://api.mistral.ai/v1')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bfa9d1116fc30aef Environment-variable access.
repo/backend/open_webui/config.py:1570
AUDIO_STT_MISTRAL_USE_CHAT_COMPLETIONS = os.getenv('AUDIO_STT_MISTRAL_USE_CHAT_COMPLETIONS', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d88ff747b2a28c8e Environment-variable access.
repo/backend/open_webui/config.py:1572
AUDIO_TTS_OPENAI_API_BASE_URL = os.getenv('AUDIO_TTS_OPENAI_API_BASE_URL', OPENAI_API_BASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c3b730c71033efef Environment-variable access.
repo/backend/open_webui/config.py:1573
AUDIO_TTS_OPENAI_API_KEY = os.getenv('AUDIO_TTS_OPENAI_API_KEY', OPENAI_API_KEY)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d67200af585baa65 Environment-variable access.
repo/backend/open_webui/config.py:1575
audio_tts_openai_params = os.getenv('AUDIO_TTS_OPENAI_PARAMS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fc8c35fbc03b1995 Environment-variable access.
repo/backend/open_webui/config.py:1584
AUDIO_TTS_API_KEY = os.getenv('AUDIO_TTS_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f2356d06675f2037 Environment-variable access.
repo/backend/open_webui/config.py:1586
AUDIO_TTS_ENGINE = os.getenv('AUDIO_TTS_ENGINE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e47714fea935703e Environment-variable access.
repo/backend/open_webui/config.py:1589
AUDIO_TTS_MODEL = os.getenv('AUDIO_TTS_MODEL', 'tts-1')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3ff69b942af2e8d5 Environment-variable access.
repo/backend/open_webui/config.py:1591
AUDIO_TTS_VOICE = os.getenv('AUDIO_TTS_VOICE', 'alloy')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a7e49315f9a3f493 Environment-variable access.
repo/backend/open_webui/config.py:1593
AUDIO_TTS_SPLIT_ON = os.getenv('AUDIO_TTS_SPLIT_ON', 'punctuation')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #325e0cac3fb1073b Environment-variable access.
repo/backend/open_webui/config.py:1595
AUDIO_TTS_AZURE_SPEECH_REGION = os.getenv('AUDIO_TTS_AZURE_SPEECH_REGION', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #91e834d942fdd18a Environment-variable access.
repo/backend/open_webui/config.py:1597
AUDIO_TTS_AZURE_SPEECH_BASE_URL = os.getenv('AUDIO_TTS_AZURE_SPEECH_BASE_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #44873cf4a0258d92 Environment-variable access.
repo/backend/open_webui/config.py:1599
AUDIO_TTS_AZURE_SPEECH_OUTPUT_FORMAT = os.getenv(
    'AUDIO_TTS_AZURE_SPEECH_OUTPUT_FORMAT', 'audio-24khz-160kbitrate-mono-mp3'
)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d99f268546d9e525 Environment-variable access.
repo/backend/open_webui/config.py:1603
AUDIO_TTS_MISTRAL_API_KEY = os.getenv('AUDIO_TTS_MISTRAL_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6721335ab7477630 Environment-variable access.
repo/backend/open_webui/config.py:1605
AUDIO_TTS_MISTRAL_API_BASE_URL = os.getenv('AUDIO_TTS_MISTRAL_API_BASE_URL', 'https://api.mistral.ai/v1')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aac1513e2308a09b Environment-variable access.
repo/backend/open_webui/config.py:1612
WEBUI_URL = os.getenv('WEBUI_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e7b4dcfef0275026 Environment-variable access.
repo/backend/open_webui/config.py:1615
ENABLE_SIGNUP = False if not WEBUI_AUTH else os.getenv('ENABLE_SIGNUP', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eff553648461d32e Environment-variable access.
repo/backend/open_webui/config.py:1617
ENABLE_LOGIN_FORM = os.getenv('ENABLE_LOGIN_FORM', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f586c3f97ccdf3cf Environment-variable access.
repo/backend/open_webui/config.py:1619
ENABLE_PASSWORD_CHANGE_FORM = os.getenv('ENABLE_PASSWORD_CHANGE_FORM', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f8c2334d6683cd82 Environment-variable access.
repo/backend/open_webui/config.py:1621
ENABLE_PASSWORD_AUTH = os.getenv('ENABLE_PASSWORD_AUTH', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #11abfb13e5a15bc8 Environment-variable access.
repo/backend/open_webui/config.py:1623
DEFAULT_LOCALE = os.getenv('DEFAULT_LOCALE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #86ffd03999897426 Environment-variable access.
repo/backend/open_webui/config.py:1625
DEFAULT_MODELS = os.getenv('DEFAULT_MODELS', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2ff7662a02129743 Environment-variable access.
repo/backend/open_webui/config.py:1627
DEFAULT_PINNED_MODELS = os.getenv('DEFAULT_PINNED_MODELS', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c4ecbd0c2e415452 Environment-variable access.
repo/backend/open_webui/config.py:1630
    default_prompt_suggestions = json.loads(os.getenv('DEFAULT_PROMPT_SUGGESTIONS', '[]'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f7a07d5ff8b53de2 Environment-variable access.
repo/backend/open_webui/config.py:1670
    default_model_metadata = json.loads(os.getenv('DEFAULT_MODEL_METADATA', '{}'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fb564d4d9aea3e9f Environment-variable access.
repo/backend/open_webui/config.py:1678
    default_model_params = json.loads(os.getenv('DEFAULT_MODEL_PARAMS', '{}'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #099f030d691e66ea Environment-variable access.
repo/backend/open_webui/config.py:1685
DEFAULT_USER_ROLE = os.getenv('DEFAULT_USER_ROLE', 'pending')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dcd34fe5b022dbf1 Environment-variable access.
repo/backend/open_webui/config.py:1687
DEFAULT_GROUP_ID = os.getenv('DEFAULT_GROUP_ID', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6b262aebbad87bac Environment-variable access.
repo/backend/open_webui/config.py:1689
PENDING_USER_OVERLAY_TITLE = os.getenv('PENDING_USER_OVERLAY_TITLE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c938ba83789d2289 Environment-variable access.
repo/backend/open_webui/config.py:1691
PENDING_USER_OVERLAY_CONTENT = os.getenv('PENDING_USER_OVERLAY_CONTENT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2f270d0d52fc7f61 Environment-variable access.
repo/backend/open_webui/config.py:1694
RESPONSE_WATERMARK = os.getenv('RESPONSE_WATERMARK', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #65d629fa7a734abf Environment-variable access.
repo/backend/open_webui/config.py:1696
IFRAME_CSP = os.getenv('IFRAME_CSP', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #23a7328f442b8471 Environment-variable access.
repo/backend/open_webui/config.py:1699
    os.getenv('USER_PERMISSIONS_WORKSPACE_MODELS_ACCESS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3199f8ddc67a5653 Environment-variable access.
repo/backend/open_webui/config.py:1703
    os.getenv('USER_PERMISSIONS_WORKSPACE_KNOWLEDGE_ACCESS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #504024db7c3ea81b Environment-variable access.
repo/backend/open_webui/config.py:1707
    os.getenv('USER_PERMISSIONS_WORKSPACE_PROMPTS_ACCESS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #967696cc4cfe42c8 Environment-variable access.
repo/backend/open_webui/config.py:1711
    os.getenv('USER_PERMISSIONS_WORKSPACE_TOOLS_ACCESS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d9fb2b379e3e3648 Environment-variable access.
repo/backend/open_webui/config.py:1715
    os.getenv('USER_PERMISSIONS_WORKSPACE_SKILLS_ACCESS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #64a914d679e8b90c Environment-variable access.
repo/backend/open_webui/config.py:1719
    os.getenv('USER_PERMISSIONS_WORKSPACE_MODELS_IMPORT', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c63f006c9e5e04fb Environment-variable access.
repo/backend/open_webui/config.py:1723
    os.getenv('USER_PERMISSIONS_WORKSPACE_MODELS_EXPORT', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d603c3ca29c45341 Environment-variable access.
repo/backend/open_webui/config.py:1727
    os.getenv('USER_PERMISSIONS_WORKSPACE_PROMPTS_IMPORT', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a743f09ab2b9e58e Environment-variable access.
repo/backend/open_webui/config.py:1731
    os.getenv('USER_PERMISSIONS_WORKSPACE_PROMPTS_EXPORT', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3988992abbcbad29 Environment-variable access.
repo/backend/open_webui/config.py:1735
    os.getenv('USER_PERMISSIONS_WORKSPACE_TOOLS_IMPORT', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e22a1c9f8cfc8785 Environment-variable access.
repo/backend/open_webui/config.py:1739
    os.getenv('USER_PERMISSIONS_WORKSPACE_TOOLS_EXPORT', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6e6cba645b72b157 Environment-variable access.
repo/backend/open_webui/config.py:1743
    os.getenv('USER_PERMISSIONS_WORKSPACE_SKILLS_IMPORT', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d0fe0c41a710f1dc Environment-variable access.
repo/backend/open_webui/config.py:1747
    os.getenv('USER_PERMISSIONS_WORKSPACE_SKILLS_EXPORT', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #099d143ee089c2fe Environment-variable access.
repo/backend/open_webui/config.py:1752
    os.getenv('USER_PERMISSIONS_WORKSPACE_MODELS_ALLOW_SHARING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0a1f487fca3c3791 Environment-variable access.
repo/backend/open_webui/config.py:1756
    os.getenv('USER_PERMISSIONS_WORKSPACE_MODELS_ALLOW_PUBLIC_SHARING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2715f31d8727d936 Environment-variable access.
repo/backend/open_webui/config.py:1760
    os.getenv('USER_PERMISSIONS_WORKSPACE_KNOWLEDGE_ALLOW_SHARING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1b94357538b51b9c Environment-variable access.
repo/backend/open_webui/config.py:1764
    os.getenv('USER_PERMISSIONS_WORKSPACE_KNOWLEDGE_ALLOW_PUBLIC_SHARING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2d776c13164f85e7 Environment-variable access.
repo/backend/open_webui/config.py:1768
    os.getenv('USER_PERMISSIONS_WORKSPACE_PROMPTS_ALLOW_SHARING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #08503b7dc82347df Environment-variable access.
repo/backend/open_webui/config.py:1772
    os.getenv('USER_PERMISSIONS_WORKSPACE_PROMPTS_ALLOW_PUBLIC_SHARING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #efc1b0e4f730cdad Environment-variable access.
repo/backend/open_webui/config.py:1777
    os.getenv('USER_PERMISSIONS_WORKSPACE_TOOLS_ALLOW_SHARING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d53e52c5186f4e1d Environment-variable access.
repo/backend/open_webui/config.py:1781
    os.getenv('USER_PERMISSIONS_WORKSPACE_TOOLS_ALLOW_PUBLIC_SHARING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8cc5946b9090913c Environment-variable access.
repo/backend/open_webui/config.py:1785
    os.getenv('USER_PERMISSIONS_WORKSPACE_SKILLS_ALLOW_SHARING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8f0fc969793e5f23 Environment-variable access.
repo/backend/open_webui/config.py:1789
    os.getenv('USER_PERMISSIONS_WORKSPACE_SKILLS_ALLOW_PUBLIC_SHARING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c40bbd47fb669ef7 Environment-variable access.
repo/backend/open_webui/config.py:1793
USER_PERMISSIONS_NOTES_ALLOW_SHARING = os.getenv('USER_PERMISSIONS_NOTES_ALLOW_SHARING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b10bc182d106ad1f Environment-variable access.
repo/backend/open_webui/config.py:1796
    os.getenv('USER_PERMISSIONS_NOTES_ALLOW_PUBLIC_SHARING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7c263afd54ee93c5 Environment-variable access.
repo/backend/open_webui/config.py:1799
USER_PERMISSIONS_FOLDERS_ALLOW_SHARING = os.getenv('USER_PERMISSIONS_FOLDERS_ALLOW_SHARING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2a46695a683a3576 Environment-variable access.
repo/backend/open_webui/config.py:1803
    os.getenv('USER_PERMISSIONS_CALENDAR_ALLOW_PUBLIC_SHARING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2057b3640bae81c1 Environment-variable access.
repo/backend/open_webui/config.py:1807
    os.getenv('USER_PERMISSIONS_ACCESS_GRANTS_ALLOW_USERS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #54209ec448c6b67e Environment-variable access.
repo/backend/open_webui/config.py:1811
USER_PERMISSIONS_CHAT_CONTROLS = os.getenv('USER_PERMISSIONS_CHAT_CONTROLS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #726e970ac845b576 Environment-variable access.
repo/backend/open_webui/config.py:1813
USER_PERMISSIONS_CHAT_VALVES = os.getenv('USER_PERMISSIONS_CHAT_VALVES', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #177e72a834509b74 Environment-variable access.
repo/backend/open_webui/config.py:1815
USER_PERMISSIONS_CHAT_SYSTEM_PROMPT = os.getenv('USER_PERMISSIONS_CHAT_SYSTEM_PROMPT', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7cb7360b9e78fd80 Environment-variable access.
repo/backend/open_webui/config.py:1817
USER_PERMISSIONS_CHAT_PARAMS = os.getenv('USER_PERMISSIONS_CHAT_PARAMS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #14fbd587fec295ea Environment-variable access.
repo/backend/open_webui/config.py:1819
USER_PERMISSIONS_CHAT_FILE_UPLOAD = os.getenv('USER_PERMISSIONS_CHAT_FILE_UPLOAD', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7eb9e7bc149a64ae Environment-variable access.
repo/backend/open_webui/config.py:1821
USER_PERMISSIONS_CHAT_WEB_UPLOAD = os.getenv('USER_PERMISSIONS_CHAT_WEB_UPLOAD', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7189eccfa2f74adc Environment-variable access.
repo/backend/open_webui/config.py:1823
USER_PERMISSIONS_CHAT_DELETE = os.getenv('USER_PERMISSIONS_CHAT_DELETE', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #82c41cb6144ceab4 Environment-variable access.
repo/backend/open_webui/config.py:1825
USER_PERMISSIONS_CHAT_DELETE_MESSAGE = os.getenv('USER_PERMISSIONS_CHAT_DELETE_MESSAGE', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5ceef9bc9ca0e134 Environment-variable access.
repo/backend/open_webui/config.py:1827
USER_PERMISSIONS_CHAT_CONTINUE_RESPONSE = os.getenv('USER_PERMISSIONS_CHAT_CONTINUE_RESPONSE', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9f6294d6b06ef3f4 Environment-variable access.
repo/backend/open_webui/config.py:1830
    os.getenv('USER_PERMISSIONS_CHAT_REGENERATE_RESPONSE', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #26f81d32a6ae5b87 Environment-variable access.
repo/backend/open_webui/config.py:1833
USER_PERMISSIONS_CHAT_RATE_RESPONSE = os.getenv('USER_PERMISSIONS_CHAT_RATE_RESPONSE', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e06e762cd5c28a49 Environment-variable access.
repo/backend/open_webui/config.py:1835
USER_PERMISSIONS_CHAT_EDIT = os.getenv('USER_PERMISSIONS_CHAT_EDIT', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e6e5591ca424aaf2 Environment-variable access.
repo/backend/open_webui/config.py:1837
USER_PERMISSIONS_CHAT_SHARE = os.getenv('USER_PERMISSIONS_CHAT_SHARE', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #440aab4f7205db16 Environment-variable access.
repo/backend/open_webui/config.py:1840
    os.getenv('USER_PERMISSIONS_CHAT_ALLOW_PUBLIC_SHARING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #67eb4b429306bfc3 Environment-variable access.
repo/backend/open_webui/config.py:1843
USER_PERMISSIONS_CHAT_EXPORT = os.getenv('USER_PERMISSIONS_CHAT_EXPORT', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #961e744d9fd94eb9 Environment-variable access.
repo/backend/open_webui/config.py:1845
USER_PERMISSIONS_CHAT_IMPORT = os.getenv('USER_PERMISSIONS_CHAT_IMPORT', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1d93cfb74ff011be Environment-variable access.
repo/backend/open_webui/config.py:1847
USER_PERMISSIONS_CHAT_STT = os.getenv('USER_PERMISSIONS_CHAT_STT', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b30c47a803061968 Environment-variable access.
repo/backend/open_webui/config.py:1849
USER_PERMISSIONS_CHAT_TTS = os.getenv('USER_PERMISSIONS_CHAT_TTS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cb153318da093de9 Environment-variable access.
repo/backend/open_webui/config.py:1851
USER_PERMISSIONS_CHAT_CALL = os.getenv('USER_PERMISSIONS_CHAT_CALL', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #10c7f2ee501e471e Environment-variable access.
repo/backend/open_webui/config.py:1853
USER_PERMISSIONS_CHAT_MULTIPLE_MODELS = os.getenv('USER_PERMISSIONS_CHAT_MULTIPLE_MODELS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #816b50f730b88bd4 Environment-variable access.
repo/backend/open_webui/config.py:1855
USER_PERMISSIONS_CHAT_TEMPORARY = os.getenv('USER_PERMISSIONS_CHAT_TEMPORARY', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c8fdbedc232beaca Environment-variable access.
repo/backend/open_webui/config.py:1858
    os.getenv('USER_PERMISSIONS_CHAT_TEMPORARY_ENFORCED', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6de1fff648e0acc1 Environment-variable access.
repo/backend/open_webui/config.py:1863
    os.getenv('USER_PERMISSIONS_FEATURES_DIRECT_TOOL_SERVERS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b3cd0c01f7a362ad Environment-variable access.
repo/backend/open_webui/config.py:1866
USER_PERMISSIONS_FEATURES_WEB_SEARCH = os.getenv('USER_PERMISSIONS_FEATURES_WEB_SEARCH', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3c81a1a611880b66 Environment-variable access.
repo/backend/open_webui/config.py:1869
    os.getenv('USER_PERMISSIONS_FEATURES_IMAGE_GENERATION', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ded26d6797db6ba5 Environment-variable access.
repo/backend/open_webui/config.py:1873
    os.getenv('USER_PERMISSIONS_FEATURES_CODE_INTERPRETER', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3e84648031dae56c Environment-variable access.
repo/backend/open_webui/config.py:1876
USER_PERMISSIONS_FEATURES_FOLDERS = os.getenv('USER_PERMISSIONS_FEATURES_FOLDERS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5dcd92e2df8feef8 Environment-variable access.
repo/backend/open_webui/config.py:1878
USER_PERMISSIONS_FEATURES_NOTES = os.getenv('USER_PERMISSIONS_FEATURES_NOTES', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0e7088d47e6abf4b Environment-variable access.
repo/backend/open_webui/config.py:1880
USER_PERMISSIONS_FEATURES_CHANNELS = os.getenv('USER_PERMISSIONS_FEATURES_CHANNELS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1bc884ee9822fe82 Environment-variable access.
repo/backend/open_webui/config.py:1882
USER_PERMISSIONS_FEATURES_API_KEYS = os.getenv('USER_PERMISSIONS_FEATURES_API_KEYS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b606464bec6d51e5 Environment-variable access.
repo/backend/open_webui/config.py:1884
USER_PERMISSIONS_FEATURES_MEMORIES = os.getenv('USER_PERMISSIONS_FEATURES_MEMORIES', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #57bad7a6f9f06259 Environment-variable access.
repo/backend/open_webui/config.py:1886
USER_PERMISSIONS_FEATURES_AUTOMATIONS = os.getenv('USER_PERMISSIONS_FEATURES_AUTOMATIONS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #839691b455379893 Environment-variable access.
repo/backend/open_webui/config.py:1888
USER_PERMISSIONS_FEATURES_CALENDAR = os.getenv('USER_PERMISSIONS_FEATURES_CALENDAR', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #76b1df20ad15f9f5 Environment-variable access.
repo/backend/open_webui/config.py:1891
    os.getenv('USER_PERMISSIONS_FEATURES_USER_WEBHOOKS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dd4d5b12dc91bf7e Environment-variable access.
repo/backend/open_webui/config.py:1895
USER_PERMISSIONS_SETTINGS_INTERFACE = os.getenv('USER_PERMISSIONS_SETTINGS_INTERFACE', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #af8a72e78f8a6942 Environment-variable access.
repo/backend/open_webui/config.py:1980
ENABLE_FOLDERS = os.getenv('ENABLE_FOLDERS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e767b11b65e7c166 Environment-variable access.
repo/backend/open_webui/config.py:1982
FOLDER_MAX_FILE_COUNT = os.getenv('FOLDER_MAX_FILE_COUNT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7baaf483b6b1607a Environment-variable access.
repo/backend/open_webui/config.py:1984
ENABLE_CHANNELS = os.getenv('ENABLE_CHANNELS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #97054f312320df54 Environment-variable access.
repo/backend/open_webui/config.py:1986
ENABLE_CALENDAR = os.getenv('ENABLE_CALENDAR', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e2108f80e90b04ea Environment-variable access.
repo/backend/open_webui/config.py:1988
ENABLE_AUTOMATIONS = os.getenv('ENABLE_AUTOMATIONS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5f7508fea3d4ab16 Environment-variable access.
repo/backend/open_webui/config.py:1990
AUTOMATION_MAX_COUNT = os.getenv('AUTOMATION_MAX_COUNT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6906da736ec5acf5 Environment-variable access.
repo/backend/open_webui/config.py:1992
AUTOMATION_MIN_INTERVAL = os.getenv('AUTOMATION_MIN_INTERVAL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9c7096a6789eff4f Environment-variable access.
repo/backend/open_webui/config.py:1994
AUTOMATION_AUTH_TOKEN_EXPIRES_IN = os.getenv('AUTOMATION_AUTH_TOKEN_EXPIRES_IN', '1h')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #95e41a895a4975ac Environment-variable access.
repo/backend/open_webui/config.py:1996
ENABLE_NOTES = os.getenv('ENABLE_NOTES', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fccf5ce34b92c507 Environment-variable access.
repo/backend/open_webui/config.py:1998
ENABLE_USER_STATUS = os.getenv('ENABLE_USER_STATUS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #589e22fdf0eb33ca Environment-variable access.
repo/backend/open_webui/config.py:2000
ENABLE_EVALUATION_ARENA_MODELS = os.getenv('ENABLE_EVALUATION_ARENA_MODELS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3473d2d66146c925 Environment-variable access.
repo/backend/open_webui/config.py:2002
    evaluation_arena_models = json.loads(os.getenv('EVALUATION_ARENA_MODELS', '[]'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #02b8b0758aa05774 Environment-variable access.
repo/backend/open_webui/config.py:2023
WEBHOOK_URL = os.getenv('WEBHOOK_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ace44dd2c007502d Environment-variable access.
repo/backend/open_webui/config.py:2025
ENABLE_ADMIN_EXPORT = os.getenv('ENABLE_ADMIN_EXPORT', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a442aef69a7cff1 Environment-variable access.
repo/backend/open_webui/config.py:2027
ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS = os.getenv('ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4380a10c618986f8 Environment-variable access.
repo/backend/open_webui/config.py:2030
    os.getenv(
        'BYPASS_ADMIN_ACCESS_CONTROL',
        os.getenv('ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS', 'True'),
    ).lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #467c7f6cfcd823ec Environment-variable access.
repo/backend/open_webui/config.py:2032
        os.getenv('ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS', 'True'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6b40081906209e8f Environment-variable access.
repo/backend/open_webui/config.py:2037
ENABLE_ADMIN_CHAT_ACCESS = os.getenv('ENABLE_ADMIN_CHAT_ACCESS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #87595b72a755aa96 Environment-variable access.
repo/backend/open_webui/config.py:2039
ENABLE_ADMIN_ANALYTICS = os.getenv('ENABLE_ADMIN_ANALYTICS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2b284bcf4e1c6cee Environment-variable access.
repo/backend/open_webui/config.py:2041
ENABLE_COMMUNITY_SHARING = os.getenv('ENABLE_COMMUNITY_SHARING', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #95b4a35b960285bd Environment-variable access.
repo/backend/open_webui/config.py:2043
ENABLE_MESSAGE_RATING = os.getenv('ENABLE_MESSAGE_RATING', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f762b6738796c921 Environment-variable access.
repo/backend/open_webui/config.py:2045
ENABLE_USER_WEBHOOKS = os.getenv('ENABLE_USER_WEBHOOKS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #15ba6d8d27f949ce Environment-variable access.
repo/backend/open_webui/config.py:2048
THREAD_POOL_SIZE = os.getenv('THREAD_POOL_SIZE', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8abb0d2730ef434f Environment-variable access.
repo/backend/open_webui/config.py:2078
CORS_ALLOW_ORIGIN = os.getenv('CORS_ALLOW_ORIGIN', '*').split(';')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #60d2a763e125649d Environment-variable access.
repo/backend/open_webui/config.py:2083
CORS_ALLOW_CUSTOM_SCHEME = os.getenv('CORS_ALLOW_CUSTOM_SCHEME', '').split(';')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a2a9877f25dab99b Environment-variable access.
repo/backend/open_webui/config.py:2104
    banners = json.loads(os.getenv('WEBUI_BANNERS', '[]'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2a8f8fda90f6c10c Environment-variable access.
repo/backend/open_webui/config.py:2113
SHOW_ADMIN_DETAILS = os.getenv('SHOW_ADMIN_DETAILS', 'true').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9f3bad798cc0bead Environment-variable access.
repo/backend/open_webui/config.py:2115
ADMIN_EMAIL = os.getenv('ADMIN_EMAIL', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #85b2bad9af58c3cb Environment-variable access.
repo/backend/open_webui/config.py:2123
TASK_MODEL = os.getenv('TASK_MODEL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #78f9364ec3e33b92 Environment-variable access.
repo/backend/open_webui/config.py:2125
TASK_MODEL_EXTERNAL = os.getenv('TASK_MODEL_EXTERNAL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #80e3506dd4b06ccf Environment-variable access.
repo/backend/open_webui/config.py:2127
ENABLE_CONTEXT_COMPACTION = os.getenv('ENABLE_CONTEXT_COMPACTION', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a7217145b612feaf Environment-variable access.
repo/backend/open_webui/config.py:2129
CONTEXT_COMPACTION_TOKEN_THRESHOLD = int(os.getenv('CONTEXT_COMPACTION_TOKEN_THRESHOLD', '80000'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2928cecc9f60e2ef Environment-variable access.
repo/backend/open_webui/config.py:2131
CONTEXT_COMPACTION_PROMPT_TEMPLATE = os.getenv('CONTEXT_COMPACTION_PROMPT_TEMPLATE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dd5e913d4cb469b0 Environment-variable access.
repo/backend/open_webui/config.py:2133
TITLE_GENERATION_PROMPT_TEMPLATE = os.getenv('TITLE_GENERATION_PROMPT_TEMPLATE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #90e492d94eec3350 Environment-variable access.
repo/backend/open_webui/config.py:2159
TAGS_GENERATION_PROMPT_TEMPLATE = os.getenv('TAGS_GENERATION_PROMPT_TEMPLATE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #04b56cd16eabd13d Environment-variable access.
repo/backend/open_webui/config.py:2179
IMAGE_PROMPT_GENERATION_PROMPT_TEMPLATE = os.getenv('IMAGE_PROMPT_GENERATION_PROMPT_TEMPLATE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #199fa4f98c81ec40 Environment-variable access.
repo/backend/open_webui/config.py:2202
FOLLOW_UP_GENERATION_PROMPT_TEMPLATE = os.getenv('FOLLOW_UP_GENERATION_PROMPT_TEMPLATE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #30b23231dbe95277 Environment-variable access.
repo/backend/open_webui/config.py:2220
ENABLE_FOLLOW_UP_GENERATION = os.getenv('ENABLE_FOLLOW_UP_GENERATION', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #214954934ab953ac Environment-variable access.
repo/backend/open_webui/config.py:2222
ENABLE_TAGS_GENERATION = os.getenv('ENABLE_TAGS_GENERATION', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #39930726782b84cf Environment-variable access.
repo/backend/open_webui/config.py:2224
ENABLE_TITLE_GENERATION = os.getenv('ENABLE_TITLE_GENERATION', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #822877ba9e262538 Environment-variable access.
repo/backend/open_webui/config.py:2227
ENABLE_SEARCH_QUERY_GENERATION = os.getenv('ENABLE_SEARCH_QUERY_GENERATION', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #612d596a3747ccfb Environment-variable access.
repo/backend/open_webui/config.py:2229
ENABLE_RETRIEVAL_QUERY_GENERATION = os.getenv('ENABLE_RETRIEVAL_QUERY_GENERATION', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae42f677e4213e95 Environment-variable access.
repo/backend/open_webui/config.py:2232
QUERY_GENERATION_PROMPT_TEMPLATE = os.getenv('QUERY_GENERATION_PROMPT_TEMPLATE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1dddeea9baf5247c Environment-variable access.
repo/backend/open_webui/config.py:2258
ENABLE_AUTOCOMPLETE_GENERATION = os.getenv('ENABLE_AUTOCOMPLETE_GENERATION', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eada8643af7fd4f2 Environment-variable access.
repo/backend/open_webui/config.py:2260
AUTOCOMPLETE_GENERATION_INPUT_MAX_LENGTH = int(os.getenv('AUTOCOMPLETE_GENERATION_INPUT_MAX_LENGTH', '-1'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e66f8bd9561f73a6 Environment-variable access.
repo/backend/open_webui/config.py:2262
AUTOCOMPLETE_GENERATION_PROMPT_TEMPLATE = os.getenv('AUTOCOMPLETE_GENERATION_PROMPT_TEMPLATE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2e779b041f9b6276 Environment-variable access.
repo/backend/open_webui/config.py:2308
VOICE_MODE_PROMPT_TEMPLATE = os.getenv('VOICE_MODE_PROMPT_TEMPLATE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e006ac3fe34e66e7 Environment-variable access.
repo/backend/open_webui/config.py:2310
ENABLE_VOICE_MODE_PROMPT = os.getenv('ENABLE_VOICE_MODE_PROMPT', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d3235ecd23596ccb Environment-variable access.
repo/backend/open_webui/config.py:2337
TOOLS_FUNCTION_CALLING_PROMPT_TEMPLATE = os.getenv('TOOLS_FUNCTION_CALLING_PROMPT_TEMPLATE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ed8dbe716eea6263 Environment-variable access.
repo/backend/open_webui/config.py:2379
ENABLE_API_KEYS = os.getenv('ENABLE_API_KEYS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5874f17025cf2f0f Environment-variable access.
repo/backend/open_webui/config.py:2382
    os.getenv(
        'ENABLE_API_KEYS_ENDPOINT_RESTRICTIONS',
        os.getenv('ENABLE_API_KEY_ENDPOINT_RESTRICTIONS', 'False'),
    ).lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f62bfb1ab2c35c88 Environment-variable access.
repo/backend/open_webui/config.py:2384
        os.getenv('ENABLE_API_KEY_ENDPOINT_RESTRICTIONS', 'False'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0bcae51355e8fd6c Environment-variable access.
repo/backend/open_webui/config.py:2389
API_KEYS_ALLOWED_ENDPOINTS = os.getenv('API_KEYS_ALLOWED_ENDPOINTS', os.getenv('API_KEY_ALLOWED_ENDPOINTS', ''))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #64725585cd327f58 Environment-variable access.
repo/backend/open_webui/config.py:2391
JWT_EXPIRES_IN = os.getenv('JWT_EXPIRES_IN', '4w')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f5d65ecc1a3e3c54 Environment-variable access.
repo/backend/open_webui/config.py:2403
ENABLE_OAUTH_SIGNUP = os.getenv('ENABLE_OAUTH_SIGNUP', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae38910cbd8776ec Environment-variable access.
repo/backend/open_webui/config.py:2405
OAUTH_AUTO_REDIRECT = os.getenv('OAUTH_AUTO_REDIRECT', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4f4471f5cc9543ec Environment-variable access.
repo/backend/open_webui/config.py:2407
OAUTH_REFRESH_TOKEN_INCLUDE_SCOPE = os.getenv('OAUTH_REFRESH_TOKEN_INCLUDE_SCOPE', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f65ba994a5c3941c Environment-variable access.
repo/backend/open_webui/config.py:2410
OAUTH_MERGE_ACCOUNTS_BY_EMAIL = os.getenv('OAUTH_MERGE_ACCOUNTS_BY_EMAIL', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #42cebe404adf3539 Environment-variable access.
repo/backend/open_webui/config.py:2414
GOOGLE_CLIENT_ID = os.getenv('GOOGLE_CLIENT_ID', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d225f55be59b401 Environment-variable access.
repo/backend/open_webui/config.py:2416
GOOGLE_CLIENT_SECRET = os.getenv('GOOGLE_CLIENT_SECRET', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #298c869c4684db27 Environment-variable access.
repo/backend/open_webui/config.py:2419
GOOGLE_OAUTH_SCOPE = os.getenv('GOOGLE_OAUTH_SCOPE', 'openid email profile')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21f3f9eb2cf58ec6 Environment-variable access.
repo/backend/open_webui/config.py:2421
GOOGLE_REDIRECT_URI = os.getenv('GOOGLE_REDIRECT_URI', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #921d9d89199cef14 Environment-variable access.
repo/backend/open_webui/config.py:2424
_google_oauth_authorize_params = os.getenv('GOOGLE_OAUTH_AUTHORIZE_PARAMS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f34a70f1bce96d5f Environment-variable access.
repo/backend/open_webui/config.py:2435
MICROSOFT_CLIENT_ID = os.getenv('MICROSOFT_CLIENT_ID', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3f3165724889af63 Environment-variable access.
repo/backend/open_webui/config.py:2437
MICROSOFT_CLIENT_SECRET = os.getenv('MICROSOFT_CLIENT_SECRET', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a935165442ccd5e6 Environment-variable access.
repo/backend/open_webui/config.py:2439
MICROSOFT_CLIENT_TENANT_ID = os.getenv('MICROSOFT_CLIENT_TENANT_ID', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6175305ea8ee52fc Environment-variable access.
repo/backend/open_webui/config.py:2441
MICROSOFT_CLIENT_LOGIN_BASE_URL = os.getenv('MICROSOFT_CLIENT_LOGIN_BASE_URL', 'https://login.microsoftonline.com')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #01480203158bdbb1 Environment-variable access.
repo/backend/open_webui/config.py:2443
MICROSOFT_CLIENT_PICTURE_URL = os.getenv(
    'MICROSOFT_CLIENT_PICTURE_URL',
    'https://graph.microsoft.com/v1.0/me/photo/$value',
)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #038a0d21527e6e9a Environment-variable access.
repo/backend/open_webui/config.py:2449
MICROSOFT_OAUTH_SCOPE = os.getenv('MICROSOFT_OAUTH_SCOPE', 'openid email profile')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0bba2cf030d6c5e5 Environment-variable access.
repo/backend/open_webui/config.py:2451
MICROSOFT_REDIRECT_URI = os.getenv('MICROSOFT_REDIRECT_URI', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #95446fbe6e23376e Environment-variable access.
repo/backend/open_webui/config.py:2453
GITHUB_CLIENT_ID = os.getenv('GITHUB_CLIENT_ID', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #32074a13dd477d37 Environment-variable access.
repo/backend/open_webui/config.py:2455
GITHUB_CLIENT_SECRET = os.getenv('GITHUB_CLIENT_SECRET', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3e7de1973f0b63f4 Environment-variable access.
repo/backend/open_webui/config.py:2457
GITHUB_CLIENT_SCOPE = os.getenv('GITHUB_CLIENT_SCOPE', 'user:email')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fabe975a7905a145 Environment-variable access.
repo/backend/open_webui/config.py:2459
GITHUB_CLIENT_REDIRECT_URI = os.getenv('GITHUB_CLIENT_REDIRECT_URI', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #78655a7c9ac36805 Environment-variable access.
repo/backend/open_webui/config.py:2461
OAUTH_CLIENT_ID = os.getenv('OAUTH_CLIENT_ID', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5f5e848f22ab3b0d Environment-variable access.
repo/backend/open_webui/config.py:2463
OAUTH_CLIENT_SECRET = os.getenv('OAUTH_CLIENT_SECRET', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1b16ea5bfd123728 Environment-variable access.
repo/backend/open_webui/config.py:2465
OPENID_PROVIDER_URL = os.getenv('OPENID_PROVIDER_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dfc72862199dc7c0 Environment-variable access.
repo/backend/open_webui/config.py:2467
OPENID_END_SESSION_ENDPOINT = os.getenv('OPENID_END_SESSION_ENDPOINT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5972d32c06d8e7cc Environment-variable access.
repo/backend/open_webui/config.py:2469
OPENID_REDIRECT_URI = os.getenv('OPENID_REDIRECT_URI', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #60af1389626a41d9 Environment-variable access.
repo/backend/open_webui/config.py:2471
OAUTH_SCOPES = os.getenv('OAUTH_SCOPES', 'openid email profile')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #359f11b227027cef Environment-variable access.
repo/backend/open_webui/config.py:2473
OAUTH_TIMEOUT = os.getenv('OAUTH_TIMEOUT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0a97df6dfc58303a Environment-variable access.
repo/backend/open_webui/config.py:2475
OAUTH_TOKEN_ENDPOINT_AUTH_METHOD = os.getenv('OAUTH_TOKEN_ENDPOINT_AUTH_METHOD', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2bdc09c989b46a32 Environment-variable access.
repo/backend/open_webui/config.py:2477
OAUTH_CODE_CHALLENGE_METHOD = os.getenv('OAUTH_CODE_CHALLENGE_METHOD', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2620fb2533531210 Environment-variable access.
repo/backend/open_webui/config.py:2479
OAUTH_PROVIDER_NAME = os.getenv('OAUTH_PROVIDER_NAME', 'SSO')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7e3362928f8ee407 Environment-variable access.
repo/backend/open_webui/config.py:2481
OAUTH_SUB_CLAIM = os.getenv('OAUTH_SUB_CLAIM', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #003bdaa70c327cf3 Environment-variable access.
repo/backend/open_webui/config.py:2483
OAUTH_USERNAME_CLAIM = os.getenv('OAUTH_USERNAME_CLAIM', 'name')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6962594f91518fe9 Environment-variable access.
repo/backend/open_webui/config.py:2486
OAUTH_PICTURE_CLAIM = os.getenv('OAUTH_PICTURE_CLAIM', 'picture')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fb6c0eabfecba775 Environment-variable access.
repo/backend/open_webui/config.py:2488
OAUTH_EMAIL_CLAIM = os.getenv('OAUTH_EMAIL_CLAIM', 'email')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b105ff50bdeba88f Environment-variable access.
repo/backend/open_webui/config.py:2490
OAUTH_GROUPS_CLAIM = os.getenv('OAUTH_GROUPS_CLAIM', os.getenv('OAUTH_GROUP_CLAIM', 'groups'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4587bd99dbb47ca5 Environment-variable access.
repo/backend/open_webui/config.py:2492
FEISHU_CLIENT_ID = os.getenv('FEISHU_CLIENT_ID', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f40025ea3c275fda Environment-variable access.
repo/backend/open_webui/config.py:2494
FEISHU_CLIENT_SECRET = os.getenv('FEISHU_CLIENT_SECRET', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #73499f30aef79b44 Environment-variable access.
repo/backend/open_webui/config.py:2496
FEISHU_OAUTH_SCOPE = os.getenv('FEISHU_OAUTH_SCOPE', 'contact:user.base:readonly')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #29f9ac47002a6ca6 Environment-variable access.
repo/backend/open_webui/config.py:2498
FEISHU_REDIRECT_URI = os.getenv('FEISHU_REDIRECT_URI', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #73806f25e8ae9103 Environment-variable access.
repo/backend/open_webui/config.py:2500
ENABLE_OAUTH_ROLE_MANAGEMENT = os.getenv('ENABLE_OAUTH_ROLE_MANAGEMENT', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3c0b2531c9d9f5ea Environment-variable access.
repo/backend/open_webui/config.py:2502
ENABLE_OAUTH_GROUP_MANAGEMENT = os.getenv('ENABLE_OAUTH_GROUP_MANAGEMENT', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3714275d36eb49c0 Environment-variable access.
repo/backend/open_webui/config.py:2504
ENABLE_OAUTH_GROUP_CREATION = os.getenv('ENABLE_OAUTH_GROUP_CREATION', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cacf9a2430bdb7a9 Environment-variable access.
repo/backend/open_webui/config.py:2507
oauth_group_default_share = os.getenv('OAUTH_GROUP_DEFAULT_SHARE', 'true').strip().lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8618768333eafc18 Environment-variable access.
repo/backend/open_webui/config.py:2511
OAUTH_BLOCKED_GROUPS = os.getenv('OAUTH_BLOCKED_GROUPS', '[]')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #53f48def46d42265 Environment-variable access.
repo/backend/open_webui/config.py:2513
OAUTH_GROUPS_SEPARATOR = os.getenv('OAUTH_GROUPS_SEPARATOR', ';')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c289ff29d10f1ea7 Environment-variable access.
repo/backend/open_webui/config.py:2515
OAUTH_ROLES_CLAIM = os.getenv('OAUTH_ROLES_CLAIM', 'roles')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9e6eae4d70672d7e Environment-variable access.
repo/backend/open_webui/config.py:2517
OAUTH_ROLES_SEPARATOR = os.getenv('OAUTH_ROLES_SEPARATOR', ',')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #131dd4d9ed47b6e8 Environment-variable access.
repo/backend/open_webui/config.py:2521
    for role in os.getenv('OAUTH_ALLOWED_ROLES', f'user{OAUTH_ROLES_SEPARATOR}admin').split(OAUTH_ROLES_SEPARATOR)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5bcc798d11438907 Environment-variable access.
repo/backend/open_webui/config.py:2526
    role.strip() for role in os.getenv('OAUTH_ADMIN_ROLES', 'admin').split(OAUTH_ROLES_SEPARATOR) if role

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ca8c27c523c3114c Environment-variable access.
repo/backend/open_webui/config.py:2529
OAUTH_ALLOWED_DOMAINS = [domain.strip() for domain in os.getenv('OAUTH_ALLOWED_DOMAINS', '*').split(',')]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #26bb2d8eb0344fda Environment-variable access.
repo/backend/open_webui/config.py:2531
OAUTH_UPDATE_PICTURE_ON_LOGIN = os.getenv('OAUTH_UPDATE_PICTURE_ON_LOGIN', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d98a2960c2e70886 Environment-variable access.
repo/backend/open_webui/config.py:2533
OAUTH_UPDATE_NAME_ON_LOGIN = os.getenv('OAUTH_UPDATE_NAME_ON_LOGIN', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #86b05b596d2f2a0f Environment-variable access.
repo/backend/open_webui/config.py:2535
OAUTH_UPDATE_EMAIL_ON_LOGIN = os.getenv('OAUTH_UPDATE_EMAIL_ON_LOGIN', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1f690c3671fe94e7 Environment-variable access.
repo/backend/open_webui/config.py:2538
    os.getenv('OAUTH_ACCESS_TOKEN_REQUEST_INCLUDE_CLIENT_ID', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #92f65d7714a4bdd8 Environment-variable access.
repo/backend/open_webui/config.py:2541
OAUTH_AUDIENCE = os.getenv('OAUTH_AUDIENCE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6c2199e7cd825cca Environment-variable access.
repo/backend/open_webui/config.py:2544
_oauth_authorize_params = os.getenv('OAUTH_AUTHORIZE_PARAMS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #491e1dee517e481a Environment-variable access.
repo/backend/open_webui/config.py:2711
ENABLE_LDAP = os.getenv('ENABLE_LDAP', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eb77e6c9c964be1b Environment-variable access.
repo/backend/open_webui/config.py:2713
LDAP_SERVER_LABEL = os.getenv('LDAP_SERVER_LABEL', 'LDAP Server')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9abec0f91317f406 Environment-variable access.
repo/backend/open_webui/config.py:2715
LDAP_SERVER_HOST = os.getenv('LDAP_SERVER_HOST', 'localhost')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2ec55d072ec49659 Environment-variable access.
repo/backend/open_webui/config.py:2717
LDAP_SERVER_PORT = int(os.getenv('LDAP_SERVER_PORT', '389'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5d43aa7eb68ad869 Environment-variable access.
repo/backend/open_webui/config.py:2719
LDAP_ATTRIBUTE_FOR_MAIL = os.getenv('LDAP_ATTRIBUTE_FOR_MAIL', 'mail')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aea6e798e74cae54 Environment-variable access.
repo/backend/open_webui/config.py:2721
LDAP_ATTRIBUTE_FOR_USERNAME = os.getenv('LDAP_ATTRIBUTE_FOR_USERNAME', 'uid')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d1d5a757ff91ba94 Environment-variable access.
repo/backend/open_webui/config.py:2723
LDAP_APP_DN = os.getenv('LDAP_APP_DN', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0cc099b54c7ee0e8 Environment-variable access.
repo/backend/open_webui/config.py:2725
LDAP_APP_PASSWORD = os.getenv('LDAP_APP_PASSWORD', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b880771a18f116b4 Environment-variable access.
repo/backend/open_webui/config.py:2727
LDAP_SEARCH_BASE = os.getenv('LDAP_SEARCH_BASE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d94b068c14c0c18 Environment-variable access.
repo/backend/open_webui/config.py:2729
LDAP_SEARCH_FILTERS = os.getenv('LDAP_SEARCH_FILTER', os.getenv('LDAP_SEARCH_FILTERS', ''))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e25430b7dadf7d4d Environment-variable access.
repo/backend/open_webui/config.py:2731
LDAP_USE_TLS = os.getenv('LDAP_USE_TLS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aba158000f2a6f56 Environment-variable access.
repo/backend/open_webui/config.py:2733
LDAP_CA_CERT_FILE = os.getenv('LDAP_CA_CERT_FILE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #16c09dfd0bdd5366 Environment-variable access.
repo/backend/open_webui/config.py:2735
LDAP_VALIDATE_CERT = os.getenv('LDAP_VALIDATE_CERT', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6302587198b7f622 Environment-variable access.
repo/backend/open_webui/config.py:2737
LDAP_CIPHERS = os.getenv('LDAP_CIPHERS', 'ALL')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5efedb5f2bc459aa Environment-variable access.
repo/backend/open_webui/config.py:2739
ENABLE_LDAP_GROUP_MANAGEMENT = os.getenv('ENABLE_LDAP_GROUP_MANAGEMENT', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3bb495972fc090e8 Environment-variable access.
repo/backend/open_webui/config.py:2741
ENABLE_LDAP_GROUP_CREATION = os.getenv('ENABLE_LDAP_GROUP_CREATION', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f3eb46fed32dc68a Environment-variable access.
repo/backend/open_webui/config.py:2743
LDAP_ATTRIBUTE_FOR_GROUPS = os.getenv('LDAP_ATTRIBUTE_FOR_GROUPS', 'memberOf')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #75c34922c81eb8a3 Environment-variable access.
repo/backend/open_webui/config.py:3129
ENABLE_PERSISTENT_CONFIG = os.getenv('ENABLE_PERSISTENT_CONFIG', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #581871f96d99fe12 Environment-variable access.
repo/backend/open_webui/config.py:3130
ENABLE_OAUTH_PERSISTENT_CONFIG = os.getenv('ENABLE_OAUTH_PERSISTENT_CONFIG', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ef637b9fafc497e6 Environment-variable access.
repo/backend/open_webui/env.py:42
DOCKER = os.getenv('DOCKER', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40698055b8ba314d Environment-variable access.
repo/backend/open_webui/env.py:44
USE_CUDA = os.getenv('USE_CUDA_DOCKER', 'false')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #59b48718ee23dfc9 Environment-variable access.
repo/backend/open_webui/env.py:57
        os.environ['USE_CUDA_DOCKER'] = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9a619280d09a0398 Environment-variable access.
repo/backend/open_webui/env.py:104
LOG_FORMAT = os.getenv('LOG_FORMAT', '').lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7e5d4ef7f5245d25 Environment-variable access.
repo/backend/open_webui/env.py:106
GLOBAL_LOG_LEVEL = os.getenv('GLOBAL_LOG_LEVEL', '').upper()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b90df6067dbdfa44 Environment-variable access.
repo/backend/open_webui/env.py:132
ENV = os.getenv('ENV', 'dev')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1706433de766660d Environment-variable access.
repo/backend/open_webui/env.py:134
FROM_INIT_PY = os.getenv('FROM_INIT_PY', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46d915d71469ad95 Filesystem access.
repo/backend/open_webui/env.py:140
        PACKAGE_DATA = json.loads((BASE_DIR / 'package.json').read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #332736751ff247c2 Environment-variable access.
repo/backend/open_webui/env.py:147
DEPLOYMENT_ID = os.getenv('DEPLOYMENT_ID', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d0ab0fb682797f9 Environment-variable access.
repo/backend/open_webui/env.py:148
INSTANCE_ID = os.getenv('INSTANCE_ID', str(uuid4()))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #79dff99b47e6c299 Environment-variable access.
repo/backend/open_webui/env.py:150
ENABLE_DB_MIGRATIONS = os.getenv('ENABLE_DB_MIGRATIONS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #884aa204d4a79bf7 Filesystem access.
repo/backend/open_webui/env.py:174
    with open(str(changelog_path.absolute()), encoding='utf8') as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #763c1e1b4b16555b Environment-variable access.
repo/backend/open_webui/env.py:216
DATA_DIR = Path(os.getenv('DATA_DIR', BACKEND_DIR / 'data')).resolve()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fcbc8660f7ce101e Environment-variable access.
repo/backend/open_webui/env.py:219
    NEW_DATA_DIR = Path(os.getenv('DATA_DIR', OPEN_WEBUI_DIR / 'data')).resolve()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #651aadd319171814 Environment-variable access.
repo/backend/open_webui/env.py:238
    DATA_DIR = Path(os.getenv('DATA_DIR', OPEN_WEBUI_DIR / 'data'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #08231be3bc936f11 Environment-variable access.
repo/backend/open_webui/env.py:240
STATIC_DIR = Path(os.getenv('STATIC_DIR', OPEN_WEBUI_DIR / 'static'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #900768440a01c5a0 Environment-variable access.
repo/backend/open_webui/env.py:242
FONTS_DIR = Path(os.getenv('FONTS_DIR', OPEN_WEBUI_DIR / 'static' / 'fonts'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a50d6bfdf079684 Environment-variable access.
repo/backend/open_webui/env.py:244
FRONTEND_BUILD_DIR = Path(os.getenv('FRONTEND_BUILD_DIR', BASE_DIR / 'build')).resolve()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7874d8cbae401476 Environment-variable access.
repo/backend/open_webui/env.py:247
    FRONTEND_BUILD_DIR = Path(os.getenv('FRONTEND_BUILD_DIR', OPEN_WEBUI_DIR / 'frontend')).resolve()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #03886a22a7a13d9a Environment-variable access.
repo/backend/open_webui/env.py:261
DATABASE_URL = os.getenv('DATABASE_URL', f'sqlite:///{DATA_DIR}/webui.db')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1b64420fdbbd0e38 Environment-variable access.
repo/backend/open_webui/env.py:263
DATABASE_TYPE = os.getenv('DATABASE_TYPE')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #96f59cbedecae8be Environment-variable access.
repo/backend/open_webui/env.py:264
DATABASE_USER = os.getenv('DATABASE_USER')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #84045cf015ff0f20 Environment-variable access.
repo/backend/open_webui/env.py:265
DATABASE_PASSWORD = os.getenv('DATABASE_PASSWORD')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #00d3e35388b628cc Environment-variable access.
repo/backend/open_webui/env.py:276
    'db_host': os.getenv('DATABASE_HOST'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9856a464121f9c8f Environment-variable access.
repo/backend/open_webui/env.py:277
    'db_port': os.getenv('DATABASE_PORT'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #596bd0351c189b9a Environment-variable access.
repo/backend/open_webui/env.py:278
    'db_name': os.getenv('DATABASE_NAME'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7e9601d261f77b1f Environment-variable access.
repo/backend/open_webui/env.py:285
elif DATABASE_TYPE == 'sqlite+sqlcipher' and not os.getenv('DATABASE_URL'):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e8fc978e34a9a577 Environment-variable access.
repo/backend/open_webui/env.py:293
DATABASE_SCHEMA = os.getenv('DATABASE_SCHEMA', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0d38e2a925fe9592 Environment-variable access.
repo/backend/open_webui/env.py:294
DATABASE_ENABLE_IAM_TOKEN_AUTH = os.getenv('DATABASE_ENABLE_IAM_TOKEN_AUTH', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b06c6a4b52d6c3b6 Environment-variable access.
repo/backend/open_webui/env.py:296
_pool_size_raw = os.getenv('DATABASE_POOL_SIZE')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c44c1a084f8b0d4a Environment-variable access.
repo/backend/open_webui/env.py:302
_pool_overflow_raw = os.getenv('DATABASE_POOL_MAX_OVERFLOW', '0')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4cd2bebeba729970 Environment-variable access.
repo/backend/open_webui/env.py:308
_pool_timeout_raw = os.getenv('DATABASE_POOL_TIMEOUT', '30')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5e6092d6b72405e5 Environment-variable access.
repo/backend/open_webui/env.py:314
_pool_recycle_raw = os.getenv('DATABASE_POOL_RECYCLE', '3600')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0f936c4bc4cfa48f Environment-variable access.
repo/backend/open_webui/env.py:320
DATABASE_ENABLE_SQLITE_WAL = os.getenv('DATABASE_ENABLE_SQLITE_WAL', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #640a79e45ab1de7f Environment-variable access.
repo/backend/open_webui/env.py:328
DATABASE_SQLITE_PRAGMA_SYNCHRONOUS = os.getenv('DATABASE_SQLITE_PRAGMA_SYNCHRONOUS', 'NORMAL')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2bb6634009fa9363 Environment-variable access.
repo/backend/open_webui/env.py:332
DATABASE_SQLITE_PRAGMA_BUSY_TIMEOUT = os.getenv('DATABASE_SQLITE_PRAGMA_BUSY_TIMEOUT', '5000')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0f7a1f9dafc3aeea Environment-variable access.
repo/backend/open_webui/env.py:335
DATABASE_SQLITE_PRAGMA_CACHE_SIZE = os.getenv('DATABASE_SQLITE_PRAGMA_CACHE_SIZE', '-65536')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #06d9da9b593d5787 Environment-variable access.
repo/backend/open_webui/env.py:339
DATABASE_SQLITE_PRAGMA_TEMP_STORE = os.getenv('DATABASE_SQLITE_PRAGMA_TEMP_STORE', 'MEMORY')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46ce4a67e1ae1e8d Environment-variable access.
repo/backend/open_webui/env.py:343
DATABASE_SQLITE_PRAGMA_MMAP_SIZE = os.getenv('DATABASE_SQLITE_PRAGMA_MMAP_SIZE', '268435456')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b955db639ec26a7e Environment-variable access.
repo/backend/open_webui/env.py:348
DATABASE_SQLITE_PRAGMA_JOURNAL_SIZE_LIMIT = os.getenv('DATABASE_SQLITE_PRAGMA_JOURNAL_SIZE_LIMIT', '67108864')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cac4f51cc3bb5df0 Environment-variable access.
repo/backend/open_webui/env.py:350
DATABASE_USER_ACTIVE_STATUS_UPDATE_INTERVAL = os.getenv('DATABASE_USER_ACTIVE_STATUS_UPDATE_INTERVAL', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5eb0eb8b10cbc6d1 Environment-variable access.
repo/backend/open_webui/env.py:357
DATABASE_ENABLE_SESSION_SHARING = os.getenv('DATABASE_ENABLE_SESSION_SHARING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #31dfe4d1fab6c20f Environment-variable access.
repo/backend/open_webui/env.py:358
ENABLE_PUBLIC_ACTIVE_USERS_COUNT = os.getenv('ENABLE_PUBLIC_ACTIVE_USERS_COUNT', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5b73f88b401ae097 Environment-variable access.
repo/backend/open_webui/env.py:359
RESET_CONFIG_ON_START = os.getenv('RESET_CONFIG_ON_START', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4bf8391f1f4f124d Environment-variable access.
repo/backend/open_webui/env.py:360
ENABLE_REALTIME_CHAT_SAVE = os.getenv('ENABLE_REALTIME_CHAT_SAVE', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #43bc0b5ebd5e8259 Environment-variable access.
repo/backend/open_webui/env.py:361
ENABLE_QUERIES_CACHE = os.getenv('ENABLE_QUERIES_CACHE', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cf9de17ebd673b81 Environment-variable access.
repo/backend/open_webui/env.py:362
RAG_SYSTEM_CONTEXT = os.getenv('RAG_SYSTEM_CONTEXT', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c832a16c96832349 Environment-variable access.
repo/backend/open_webui/env.py:368
REDIS_URL = os.getenv('REDIS_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #49a58d131f22b5e9 Environment-variable access.
repo/backend/open_webui/env.py:369
REDIS_CLUSTER = os.getenv('REDIS_CLUSTER', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46abd33d373db05b Environment-variable access.
repo/backend/open_webui/env.py:371
REDIS_KEY_PREFIX = os.getenv('REDIS_KEY_PREFIX', 'open-webui')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #845e274895309144 Environment-variable access.
repo/backend/open_webui/env.py:373
REDIS_SENTINEL_HOSTS = os.getenv('REDIS_SENTINEL_HOSTS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4c012593857db572 Environment-variable access.
repo/backend/open_webui/env.py:374
REDIS_SENTINEL_PORT = os.getenv('REDIS_SENTINEL_PORT', '26379')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cd42d2832ca535d7 Environment-variable access.
repo/backend/open_webui/env.py:377
REDIS_SENTINEL_MAX_RETRY_COUNT = os.getenv('REDIS_SENTINEL_MAX_RETRY_COUNT', '2')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4aa3dd2aec8249fe Environment-variable access.
repo/backend/open_webui/env.py:386
REDIS_SOCKET_CONNECT_TIMEOUT = os.getenv('REDIS_SOCKET_CONNECT_TIMEOUT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cdce874add6e7b3f Environment-variable access.
repo/backend/open_webui/env.py:397
REDIS_SOCKET_KEEPALIVE = os.getenv('REDIS_SOCKET_KEEPALIVE', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d2395b073f1f79cb Environment-variable access.
repo/backend/open_webui/env.py:405
REDIS_HEALTH_CHECK_INTERVAL = os.getenv('REDIS_HEALTH_CHECK_INTERVAL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #377d892013888eb0 Environment-variable access.
repo/backend/open_webui/env.py:413
REDIS_RECONNECT_DELAY = os.getenv('REDIS_RECONNECT_DELAY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #71b2798e5cb8c82b Environment-variable access.
repo/backend/open_webui/env.py:430
    UVICORN_WORKERS = max(int(os.getenv('UVICORN_WORKERS', '1')), 1)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ea8aefcbacc59bf Environment-variable access.
repo/backend/open_webui/env.py:438
ENABLE_WEBSOCKET_SUPPORT = os.getenv('ENABLE_WEBSOCKET_SUPPORT', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9162dcdb510d956a Environment-variable access.
repo/backend/open_webui/env.py:441
WEBSOCKET_MANAGER = os.getenv('WEBSOCKET_MANAGER', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ba6e27326d38d169 Environment-variable access.
repo/backend/open_webui/env.py:443
WEBSOCKET_REDIS_OPTIONS = os.getenv('WEBSOCKET_REDIS_OPTIONS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d9510754566e4e45 Environment-variable access.
repo/backend/open_webui/env.py:458
WEBSOCKET_REDIS_URL = os.getenv('WEBSOCKET_REDIS_URL', REDIS_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3b5a4a7fb746cdc6 Environment-variable access.
repo/backend/open_webui/env.py:459
WEBSOCKET_REDIS_CLUSTER = os.getenv('WEBSOCKET_REDIS_CLUSTER', str(REDIS_CLUSTER)).lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #57b9802a55dc54be Environment-variable access.
repo/backend/open_webui/env.py:461
websocket_redis_lock_timeout = os.getenv('WEBSOCKET_REDIS_LOCK_TIMEOUT', '60')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2018d32a67ad06c0 Environment-variable access.
repo/backend/open_webui/env.py:468
WEBSOCKET_SENTINEL_HOSTS = os.getenv('WEBSOCKET_SENTINEL_HOSTS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1356a1efc761b6a8 Environment-variable access.
repo/backend/open_webui/env.py:469
WEBSOCKET_SENTINEL_PORT = os.getenv('WEBSOCKET_SENTINEL_PORT', '26379')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #af7ab27543249f9f Environment-variable access.
repo/backend/open_webui/env.py:470
WEBSOCKET_SERVER_LOGGING = os.getenv('WEBSOCKET_SERVER_LOGGING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de0dd9741d11fd38 Environment-variable access.
repo/backend/open_webui/env.py:472
    os.getenv(
        'WEBSOCKET_SERVER_ENGINEIO_LOGGING',
        os.getenv('WEBSOCKET_SERVER_LOGGING', 'False'),
    ).lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c1d0ccab4655e87f Environment-variable access.
repo/backend/open_webui/env.py:474
        os.getenv('WEBSOCKET_SERVER_LOGGING', 'False'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7974611a6a783a72 Environment-variable access.
repo/backend/open_webui/env.py:478
WEBSOCKET_SERVER_PING_TIMEOUT = os.getenv('WEBSOCKET_SERVER_PING_TIMEOUT', '20')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0b467a215f1b50aa Environment-variable access.
repo/backend/open_webui/env.py:484
WEBSOCKET_SERVER_PING_INTERVAL = os.getenv('WEBSOCKET_SERVER_PING_INTERVAL', '25')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #404222d45eeab4b5 Environment-variable access.
repo/backend/open_webui/env.py:490
WEBSOCKET_EVENT_CALLER_TIMEOUT = os.getenv('WEBSOCKET_EVENT_CALLER_TIMEOUT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a5d9cdeb4d0e939 Environment-variable access.
repo/backend/open_webui/env.py:512
AIOHTTP_CLIENT_SSL_CERT_FILE = os.getenv('AIOHTTP_CLIENT_SSL_CERT_FILE', '').strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8810eb040c4435db Environment-variable access.
repo/backend/open_webui/env.py:560
REQUESTS_VERIFY = os.getenv('REQUESTS_VERIFY', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #358a0ca787da3866 Environment-variable access.
repo/backend/open_webui/env.py:562
_aiohttp_timeout_raw = os.getenv('AIOHTTP_CLIENT_TIMEOUT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c5e2f69faef14458 Environment-variable access.
repo/backend/open_webui/env.py:572
AIOHTTP_CLIENT_SESSION_SSL = _parse_ssl_env(os.getenv('AIOHTTP_CLIENT_SESSION_SSL', 'True'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #058f853604c13613 Environment-variable access.
repo/backend/open_webui/env.py:575
AIOHTTP_CLIENT_ALLOW_REDIRECTS = os.getenv('AIOHTTP_CLIENT_ALLOW_REDIRECTS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3b56540a9fe960ec Environment-variable access.
repo/backend/open_webui/env.py:580
USER_AGENT = os.getenv('USER_AGENT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6dd2050c6cd3888f Environment-variable access.
repo/backend/open_webui/env.py:582
_model_list_timeout_raw = os.getenv(
    'AIOHTTP_CLIENT_TIMEOUT_MODEL_LIST',
    os.getenv('AIOHTTP_CLIENT_TIMEOUT_OPENAI_MODEL_LIST', '10'),
)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a923f0563ff65c29 Environment-variable access.
repo/backend/open_webui/env.py:584
    os.getenv('AIOHTTP_CLIENT_TIMEOUT_OPENAI_MODEL_LIST', '10'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #438176c29035beb3 Environment-variable access.
repo/backend/open_webui/env.py:591
_tool_data_timeout_raw = os.getenv('AIOHTTP_CLIENT_TIMEOUT_TOOL_SERVER_DATA', '10')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2845fc24b913fb54 Environment-variable access.
repo/backend/open_webui/env.py:601
AIOHTTP_CLIENT_SESSION_TOOL_SERVER_SSL = _parse_ssl_env(os.getenv('AIOHTTP_CLIENT_SESSION_TOOL_SERVER_SSL', 'True'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #61d41b43898a2f06 Environment-variable access.
repo/backend/open_webui/env.py:603
AIOHTTP_CLIENT_TIMEOUT_TOOL_SERVER = os.getenv('AIOHTTP_CLIENT_TIMEOUT_TOOL_SERVER', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #73bf6e4698c49690 Environment-variable access.
repo/backend/open_webui/env.py:616
MCP_INITIALIZE_TIMEOUT = os.getenv('MCP_INITIALIZE_TIMEOUT', '10')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #09c4d40618e251f2 Environment-variable access.
repo/backend/open_webui/env.py:627
AIOHTTP_POOL_CONNECTIONS = os.getenv('AIOHTTP_POOL_CONNECTIONS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dfe3bb9867fb3520 Environment-variable access.
repo/backend/open_webui/env.py:636
AIOHTTP_POOL_CONNECTIONS_PER_HOST = os.getenv('AIOHTTP_POOL_CONNECTIONS_PER_HOST', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8e779cf06613c142 Environment-variable access.
repo/backend/open_webui/env.py:645
AIOHTTP_POOL_DNS_TTL = os.getenv('AIOHTTP_POOL_DNS_TTL', '300')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9bffa69c0fdb803e Environment-variable access.
repo/backend/open_webui/env.py:653
RAG_EMBEDDING_TIMEOUT = os.getenv('RAG_EMBEDDING_TIMEOUT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d9dcdc2abe857b68 Environment-variable access.
repo/backend/open_webui/env.py:668
WEBUI_AUTH = os.getenv('WEBUI_AUTH', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #42edbcd93b7d2925 Environment-variable access.
repo/backend/open_webui/env.py:670
ENABLE_INITIAL_ADMIN_SIGNUP = os.getenv('ENABLE_INITIAL_ADMIN_SIGNUP', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cc4cc9f9a426591d Environment-variable access.
repo/backend/open_webui/env.py:671
ENABLE_SIGNUP_PASSWORD_CONFIRMATION = os.getenv('ENABLE_SIGNUP_PASSWORD_CONFIRMATION', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #855401f73242cd81 Environment-variable access.
repo/backend/open_webui/env.py:679
WEBUI_SECRET_KEY = os.getenv(
    'WEBUI_SECRET_KEY',
    os.getenv('WEBUI_JWT_SECRET_KEY', ''),
)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0c42f448e9e1fa08 Environment-variable access.
repo/backend/open_webui/env.py:681
    os.getenv('WEBUI_JWT_SECRET_KEY', ''),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a3f738e6504a0275 Environment-variable access.
repo/backend/open_webui/env.py:684
ENABLE_VALVE_ENCRYPTION = os.getenv('ENABLE_VALVE_ENCRYPTION', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #90a73fb8dae75b2a Environment-variable access.
repo/backend/open_webui/env.py:686
WEBUI_SESSION_COOKIE_SAME_SITE = os.getenv('WEBUI_SESSION_COOKIE_SAME_SITE', 'lax')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #27b28833bbf845c9 Environment-variable access.
repo/backend/open_webui/env.py:687
WEBUI_SESSION_COOKIE_SECURE = os.getenv('WEBUI_SESSION_COOKIE_SECURE', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8d33bdcdc2f149bc Environment-variable access.
repo/backend/open_webui/env.py:688
WEBUI_AUTH_COOKIE_SAME_SITE = os.getenv('WEBUI_AUTH_COOKIE_SAME_SITE', WEBUI_SESSION_COOKIE_SAME_SITE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b90dcc7c724c3bba Environment-variable access.
repo/backend/open_webui/env.py:690
    os.getenv(
        'WEBUI_AUTH_COOKIE_SECURE',
        os.getenv('WEBUI_SESSION_COOKIE_SECURE', 'false'),
    ).lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a96546cc9dd6347a Environment-variable access.
repo/backend/open_webui/env.py:692
        os.getenv('WEBUI_SESSION_COOKIE_SECURE', 'false'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #07d5d4d6157453c5 Environment-variable access.
repo/backend/open_webui/env.py:707
ENABLE_COMPRESSION_MIDDLEWARE = os.getenv('ENABLE_COMPRESSION_MIDDLEWARE', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7ef81072a4474cac Environment-variable access.
repo/backend/open_webui/env.py:715
WEBUI_ADMIN_EMAIL = os.getenv('WEBUI_ADMIN_EMAIL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5b9da6d6b152322f Environment-variable access.
repo/backend/open_webui/env.py:716
WEBUI_ADMIN_PASSWORD = os.getenv('WEBUI_ADMIN_PASSWORD', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aeaa5a0e2210660e Environment-variable access.
repo/backend/open_webui/env.py:717
WEBUI_ADMIN_NAME = os.getenv('WEBUI_ADMIN_NAME', 'Admin')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b72923fc12b8fce1 Environment-variable access.
repo/backend/open_webui/env.py:719
WEBUI_AUTH_TRUSTED_EMAIL_HEADER = os.getenv('WEBUI_AUTH_TRUSTED_EMAIL_HEADER', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c319396baddaa025 Environment-variable access.
repo/backend/open_webui/env.py:720
WEBUI_AUTH_TRUSTED_NAME_HEADER = os.getenv('WEBUI_AUTH_TRUSTED_NAME_HEADER', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #305f9aa4922074f9 Environment-variable access.
repo/backend/open_webui/env.py:721
WEBUI_AUTH_TRUSTED_GROUPS_HEADER = os.getenv('WEBUI_AUTH_TRUSTED_GROUPS_HEADER', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b62acdbeb95ac27e Environment-variable access.
repo/backend/open_webui/env.py:722
WEBUI_AUTH_TRUSTED_ROLE_HEADER = os.getenv('WEBUI_AUTH_TRUSTED_ROLE_HEADER', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2288b78c59cc66a7 Environment-variable access.
repo/backend/open_webui/env.py:729
CUSTOM_API_KEY_HEADER = os.getenv('CUSTOM_API_KEY_HEADER', 'x-api-key')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7c64b2fb5fcde8cc Environment-variable access.
repo/backend/open_webui/env.py:731
ENABLE_PASSWORD_VALIDATION = os.getenv('ENABLE_PASSWORD_VALIDATION', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #512eaf537408c762 Environment-variable access.
repo/backend/open_webui/env.py:732
PASSWORD_HASH_ALGORITHM = os.getenv('PASSWORD_HASH_ALGORITHM', 'bcrypt').lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b6b25039ac64c8c8 Environment-variable access.
repo/backend/open_webui/env.py:733
PASSWORD_VALIDATION_REGEX_PATTERN = os.getenv(
    'PASSWORD_VALIDATION_REGEX_PATTERN',
    r'^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\w\s]).{8,}$',
)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bf7a22d2253aef49 Environment-variable access.
repo/backend/open_webui/env.py:746
PASSWORD_VALIDATION_HINT = os.getenv('PASSWORD_VALIDATION_HINT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ea91a0bf4596584e Environment-variable access.
repo/backend/open_webui/env.py:749
BYPASS_MODEL_ACCESS_CONTROL = os.getenv('BYPASS_MODEL_ACCESS_CONTROL', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #64d185ff6b1f8e7a Environment-variable access.
repo/backend/open_webui/env.py:750
BYPASS_RETRIEVAL_ACCESS_CONTROL = os.getenv('BYPASS_RETRIEVAL_ACCESS_CONTROL', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fa4d93c2afdd7464 Environment-variable access.
repo/backend/open_webui/env.py:756
ENABLE_RETRIEVAL_UNSCOPED_COLLECTIONS = os.getenv('ENABLE_RETRIEVAL_UNSCOPED_COLLECTIONS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c0a93e228640a703 Environment-variable access.
repo/backend/open_webui/env.py:758
    int(os.getenv('MINERU_MAX_MARKDOWN_BYTES')) if os.getenv('MINERU_MAX_MARKDOWN_BYTES') else None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #79ed89fc29a5dc14 Environment-variable access.
repo/backend/open_webui/env.py:764
BYPASS_PYDUB_PREPROCESSING = os.getenv('BYPASS_PYDUB_PREPROCESSING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3a2c16b8e152c33b Environment-variable access.
repo/backend/open_webui/env.py:769
ENABLE_OPENAI_API_PASSTHROUGH = os.getenv('ENABLE_OPENAI_API_PASSTHROUGH', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f9ba7719968a703c Environment-variable access.
repo/backend/open_webui/env.py:771
WEBUI_AUTH_SIGNOUT_REDIRECT_URL = os.getenv('WEBUI_AUTH_SIGNOUT_REDIRECT_URL', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1930b548487f2b42 Environment-variable access.
repo/backend/open_webui/env.py:776
ENABLE_OAUTH_EMAIL_FALLBACK = os.getenv('ENABLE_OAUTH_EMAIL_FALLBACK', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f85b98b79bf237e4 Environment-variable access.
repo/backend/open_webui/env.py:778
ENABLE_OAUTH_ID_TOKEN_COOKIE = os.getenv('ENABLE_OAUTH_ID_TOKEN_COOKIE', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a74379d3cf21a36f Environment-variable access.
repo/backend/open_webui/env.py:780
OAUTH_CLIENT_INFO_ENCRYPTION_KEY = os.getenv('OAUTH_CLIENT_INFO_ENCRYPTION_KEY', WEBUI_SECRET_KEY)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1a3d54a1eb5bddfd Environment-variable access.
repo/backend/open_webui/env.py:782
OAUTH_SESSION_TOKEN_ENCRYPTION_KEY = os.getenv('OAUTH_SESSION_TOKEN_ENCRYPTION_KEY', WEBUI_SECRET_KEY)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b348623dbf3e191a Environment-variable access.
repo/backend/open_webui/env.py:786
OAUTH_MAX_SESSIONS_PER_USER = int(os.getenv('OAUTH_MAX_SESSIONS_PER_USER', '10'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #efb8e8d5fe80a7ba Environment-variable access.
repo/backend/open_webui/env.py:790
ENABLE_OAUTH_TOKEN_EXCHANGE = os.getenv('ENABLE_OAUTH_TOKEN_EXCHANGE', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1b576b0d52344606 Environment-variable access.
repo/backend/open_webui/env.py:796
ENABLE_OAUTH_BACKCHANNEL_LOGOUT = os.getenv('ENABLE_OAUTH_BACKCHANNEL_LOGOUT', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0d83205988cf55ee Environment-variable access.
repo/backend/open_webui/env.py:802
ENABLE_SCIM = os.getenv('ENABLE_SCIM', os.getenv('SCIM_ENABLED', 'False')).lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #108066ce4560ba46 Environment-variable access.
repo/backend/open_webui/env.py:803
SCIM_TOKEN = os.getenv('SCIM_TOKEN', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #16e1da2f74ec1b7e Environment-variable access.
repo/backend/open_webui/env.py:804
SCIM_AUTH_PROVIDER = os.getenv('SCIM_AUTH_PROVIDER', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff7c9176f32a7362 Environment-variable access.
repo/backend/open_webui/env.py:817
LICENSE_KEY = os.getenv('LICENSE_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0ef8eefc9cebd226 Environment-variable access.
repo/backend/open_webui/env.py:820
LICENSE_BLOB_PATH = os.getenv('LICENSE_BLOB_PATH', DATA_DIR / 'l.data')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bbc2e125223b2f53 Filesystem access.
repo/backend/open_webui/env.py:822
    with open(LICENSE_BLOB_PATH, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b7f9ada9f53b876b Environment-variable access.
repo/backend/open_webui/env.py:825
LICENSE_PUBLIC_KEY = os.getenv('LICENSE_PUBLIC_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7d4d78b0933a54e5 Environment-variable access.
repo/backend/open_webui/env.py:842
WEBUI_NAME = os.getenv('WEBUI_NAME', 'Open WebUI')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d4cd5a5d6e6fcf78 Environment-variable access.
repo/backend/open_webui/env.py:847
WEBUI_BUILD_HASH = os.getenv('WEBUI_BUILD_HASH', 'dev-build')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c6f511e67b2365f1 Environment-variable access.
repo/backend/open_webui/env.py:848
TRUSTED_SIGNATURE_KEY = os.getenv('TRUSTED_SIGNATURE_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8f477e199630b12a Environment-variable access.
repo/backend/open_webui/env.py:854
SAFE_MODE = os.getenv('SAFE_MODE', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dbc091b9f003d3ea Environment-variable access.
repo/backend/open_webui/env.py:855
ENABLE_EASTER_EGGS = os.getenv('ENABLE_EASTER_EGGS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5cae92da31858a18 Environment-variable access.
repo/backend/open_webui/env.py:856
ENABLE_STAR_SESSIONS_MIDDLEWARE = os.getenv('ENABLE_STAR_SESSIONS_MIDDLEWARE', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #588ad7e684e3cd65 Environment-variable access.
repo/backend/open_webui/env.py:857
ENABLE_KB_EXEC = os.getenv('ENABLE_KB_EXEC', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #438a620e34cf1d6f Environment-variable access.
repo/backend/open_webui/env.py:859
ENABLE_PROFILE_IMAGE_URL_FORWARDING = os.getenv('ENABLE_PROFILE_IMAGE_URL_FORWARDING', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bca672ec1d57784c Environment-variable access.
repo/backend/open_webui/env.py:862
    for t in os.getenv(
        'PROFILE_IMAGE_ALLOWED_MIME_TYPES',
        'image/png,image/jpeg,image/gif,image/webp',
    ).split(',')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8fe1b3b6c1574b3f Environment-variable access.
repo/backend/open_webui/env.py:871
_profile_image_max_data_uri_size = os.getenv('PROFILE_IMAGE_MAX_DATA_URI_SIZE', '').strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #64691c4f5635e13e Environment-variable access.
repo/backend/open_webui/env.py:878
ENABLE_FORWARD_USER_INFO_HEADERS = os.getenv('ENABLE_FORWARD_USER_INFO_HEADERS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a5194171e1b3da6a Environment-variable access.
repo/backend/open_webui/env.py:880
FORWARD_USER_INFO_HEADER_USER_NAME = os.getenv('FORWARD_USER_INFO_HEADER_USER_NAME', 'X-OpenWebUI-User-Name')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21253d4b7d14b565 Environment-variable access.
repo/backend/open_webui/env.py:881
FORWARD_USER_INFO_HEADER_USER_ID = os.getenv('FORWARD_USER_INFO_HEADER_USER_ID', 'X-OpenWebUI-User-Id')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aa8a4059d61a9cdb Environment-variable access.
repo/backend/open_webui/env.py:882
FORWARD_USER_INFO_HEADER_USER_EMAIL = os.getenv('FORWARD_USER_INFO_HEADER_USER_EMAIL', 'X-OpenWebUI-User-Email')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #18678605942e737a Environment-variable access.
repo/backend/open_webui/env.py:883
FORWARD_USER_INFO_HEADER_USER_ROLE = os.getenv('FORWARD_USER_INFO_HEADER_USER_ROLE', 'X-OpenWebUI-User-Role')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1648147426e5df13 Environment-variable access.
repo/backend/open_webui/env.py:884
FORWARD_SESSION_INFO_HEADER_MESSAGE_ID = os.getenv('FORWARD_SESSION_INFO_HEADER_MESSAGE_ID', 'X-OpenWebUI-Message-Id')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0bae8a989d181645 Environment-variable access.
repo/backend/open_webui/env.py:885
FORWARD_SESSION_INFO_HEADER_CHAT_ID = os.getenv('FORWARD_SESSION_INFO_HEADER_CHAT_ID', 'X-OpenWebUI-Chat-Id')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e066959508e5c460 Environment-variable access.
repo/backend/open_webui/env.py:889
FORWARD_USER_INFO_HEADER_JWT_SECRET = (os.environ.get('FORWARD_USER_INFO_HEADER_JWT_SECRET') or '').strip() or None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d889c13406c276e1 Environment-variable access.
repo/backend/open_webui/env.py:890
FORWARD_USER_INFO_HEADER_JWT = os.environ.get('FORWARD_USER_INFO_HEADER_JWT', 'X-OpenWebUI-User-Jwt')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d64d8a8080f63aa Environment-variable access.
repo/backend/open_webui/env.py:893
        os.environ.get('FORWARD_USER_INFO_HEADER_JWT_EXPIRES_SECONDS', '300')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #19ffd0f774d9adf3 Environment-variable access.
repo/backend/open_webui/env.py:902
EXTERNAL_PWA_MANIFEST_URL = os.getenv('EXTERNAL_PWA_MANIFEST_URL', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7b057f164743c654 Environment-variable access.
repo/backend/open_webui/env.py:910
_default_group_share = os.getenv('DEFAULT_GROUP_SHARE_PERMISSION', 'members').strip().lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #deaba3613d4fc9b1 Environment-variable access.
repo/backend/open_webui/env.py:917
ENABLE_CUSTOM_MODEL_FALLBACK = os.getenv('ENABLE_CUSTOM_MODEL_FALLBACK', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #30bef0044cbe9944 Environment-variable access.
repo/backend/open_webui/env.py:919
MODELS_CACHE_TTL = os.getenv('MODELS_CACHE_TTL', '1')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #51f4d7d193c98724 Environment-variable access.
repo/backend/open_webui/env.py:934
    os.getenv('ENABLE_CHAT_RESPONSE_BASE64_IMAGE_URL_CONVERSION', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #672de0aa84d15e0d Environment-variable access.
repo/backend/open_webui/env.py:936
ENABLE_API_OUTLET_FILTERS = os.getenv('ENABLE_API_OUTLET_FILTERS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a7a39e791562d9d Environment-variable access.
repo/backend/open_webui/env.py:944
    os.getenv('ENABLE_IMAGE_CONTENT_TYPE_EXTENSION_FALLBACK', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #12e13ddccbc593a2 Environment-variable access.
repo/backend/open_webui/env.py:947
CHAT_RESPONSE_STREAM_DELTA_CHUNK_SIZE = os.getenv('CHAT_RESPONSE_STREAM_DELTA_CHUNK_SIZE', '1')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae0eb2b34ee6805b Environment-variable access.
repo/backend/open_webui/env.py:960
CHAT_RESPONSE_MAX_TOOL_CALL_ITERATIONS = os.getenv(
    'CHAT_RESPONSE_MAX_TOOL_CALL_ITERATIONS',
    os.getenv('CHAT_RESPONSE_MAX_TOOL_CALL_RETRIES', '256'),
)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ee18569e0c41e587 Environment-variable access.
repo/backend/open_webui/env.py:962
    os.getenv('CHAT_RESPONSE_MAX_TOOL_CALL_RETRIES', '256'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #946d7f3c4327e11e Environment-variable access.
repo/backend/open_webui/env.py:982
ENABLE_RESPONSES_API_STATEFUL = os.getenv('ENABLE_RESPONSES_API_STATEFUL', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bb12e8eda6bd7cee Environment-variable access.
repo/backend/open_webui/env.py:985
CHAT_STREAM_RESPONSE_CHUNK_MAX_BUFFER_SIZE = os.getenv('CHAT_STREAM_RESPONSE_CHUNK_MAX_BUFFER_SIZE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6dbf3f2eeb2c85a6 Environment-variable access.
repo/backend/open_webui/env.py:1001
SENTENCE_TRANSFORMERS_BACKEND = os.getenv('SENTENCE_TRANSFORMERS_BACKEND', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd8cbbd28c823147 Environment-variable access.
repo/backend/open_webui/env.py:1006
SENTENCE_TRANSFORMERS_MODEL_KWARGS = os.getenv('SENTENCE_TRANSFORMERS_MODEL_KWARGS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a901e92b4504a35 Environment-variable access.
repo/backend/open_webui/env.py:1016
SENTENCE_TRANSFORMERS_CROSS_ENCODER_BACKEND = os.getenv('SENTENCE_TRANSFORMERS_CROSS_ENCODER_BACKEND', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0eb3c7eac3b59b4a Environment-variable access.
repo/backend/open_webui/env.py:1021
SENTENCE_TRANSFORMERS_CROSS_ENCODER_MODEL_KWARGS = os.getenv('SENTENCE_TRANSFORMERS_CROSS_ENCODER_MODEL_KWARGS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #87a31aba1ede0e81 Environment-variable access.
repo/backend/open_webui/env.py:1034
    os.getenv('SENTENCE_TRANSFORMERS_CROSS_ENCODER_SIGMOID_ACTIVATION_FUNCTION', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d197bc53e9aff20 Environment-variable access.
repo/backend/open_webui/env.py:1042
    os.getenv('ENABLE_PIP_INSTALL_FRONTMATTER_REQUIREMENTS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #04f052856cc1d1ea Environment-variable access.
repo/backend/open_webui/env.py:1045
PIP_OPTIONS = os.getenv('PIP_OPTIONS', '').split()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ee4751e05ef560c6 Environment-variable access.
repo/backend/open_webui/env.py:1046
PIP_PACKAGE_INDEX_OPTIONS = os.getenv('PIP_PACKAGE_INDEX_OPTIONS', '').split()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0486190dfe26b40c Environment-variable access.
repo/backend/open_webui/env.py:1053
ENABLE_VERSION_UPDATE_CHECK = os.getenv('ENABLE_VERSION_UPDATE_CHECK', 'true').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dd4d10f95c733d8c Environment-variable access.
repo/backend/open_webui/env.py:1054
OFFLINE_MODE = os.getenv('OFFLINE_MODE', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #44c627d8d9b07752 Environment-variable access.
repo/backend/open_webui/env.py:1057
    os.environ['HF_HUB_OFFLINE'] = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5fbe68e3ddb5b5f7 Environment-variable access.
repo/backend/open_webui/env.py:1064
ENABLE_PYODIDE_FILE_PERSISTENCE = os.getenv('ENABLE_PYODIDE_FILE_PERSISTENCE', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3569655562c501fe Environment-variable access.
repo/backend/open_webui/env.py:1071
ENABLE_AUDIT_STDOUT = os.getenv('ENABLE_AUDIT_STDOUT', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e12925b229ec5076 Environment-variable access.
repo/backend/open_webui/env.py:1072
ENABLE_AUDIT_LOGS_FILE = os.getenv('ENABLE_AUDIT_LOGS_FILE', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff97e39697a7257c Environment-variable access.
repo/backend/open_webui/env.py:1077
AUDIT_LOGS_FILE_PATH = os.getenv('AUDIT_LOGS_FILE_PATH', f'{DATA_DIR}/audit.log')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e2f2e6ca5902ddc0 Environment-variable access.
repo/backend/open_webui/env.py:1079
AUDIT_LOG_FILE_ROTATION_SIZE = os.getenv('AUDIT_LOG_FILE_ROTATION_SIZE', '10MB')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #781c062300d660cf Environment-variable access.
repo/backend/open_webui/env.py:1084
AUDIT_UVICORN_LOGGER_NAMES = os.getenv('AUDIT_UVICORN_LOGGER_NAMES', 'uvicorn.access').split(',')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1f44cbb6d0d69aa0 Environment-variable access.
repo/backend/open_webui/env.py:1087
AUDIT_LOG_LEVEL = os.getenv('AUDIT_LOG_LEVEL', 'NONE').upper()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #14c78ab49d5f9eed Environment-variable access.
repo/backend/open_webui/env.py:1089
    MAX_BODY_LOG_SIZE = int(os.getenv('MAX_BODY_LOG_SIZE') or 2048)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6d36e21117c5e46c Environment-variable access.
repo/backend/open_webui/env.py:1094
AUDIT_EXCLUDED_PATHS = os.getenv('AUDIT_EXCLUDED_PATHS', '/chats,/chat,/folders').split(',')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c43ecdabff1f0046 Environment-variable access.
repo/backend/open_webui/env.py:1100
AUDIT_INCLUDED_PATHS = os.getenv('AUDIT_INCLUDED_PATHS', '').split(',')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4666953f3472a176 Environment-variable access.
repo/backend/open_webui/env.py:1105
ENABLE_AUDIT_GET_REQUESTS = os.getenv('ENABLE_AUDIT_GET_REQUESTS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #16ebf07c968265cb Environment-variable access.
repo/backend/open_webui/env.py:1112
ENABLE_OTEL = os.getenv('ENABLE_OTEL', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4bc4d0bc78d305c2 Environment-variable access.
repo/backend/open_webui/env.py:1113
ENABLE_OTEL_TRACES = os.getenv('ENABLE_OTEL_TRACES', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #db2291b21af98526 Environment-variable access.
repo/backend/open_webui/env.py:1114
ENABLE_OTEL_METRICS = os.getenv('ENABLE_OTEL_METRICS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e47ed30e683fd63e Environment-variable access.
repo/backend/open_webui/env.py:1115
ENABLE_OTEL_LOGS = os.getenv('ENABLE_OTEL_LOGS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #65abf716d7b011a9 Environment-variable access.
repo/backend/open_webui/env.py:1117
OTEL_EXPORTER_OTLP_ENDPOINT = os.getenv('OTEL_EXPORTER_OTLP_ENDPOINT', 'http://localhost:4317')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cbdaf4a6a939aef5 Environment-variable access.
repo/backend/open_webui/env.py:1118
OTEL_METRICS_EXPORTER_OTLP_ENDPOINT = os.getenv('OTEL_METRICS_EXPORTER_OTLP_ENDPOINT', OTEL_EXPORTER_OTLP_ENDPOINT)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a7a040a229931140 Environment-variable access.
repo/backend/open_webui/env.py:1119
OTEL_LOGS_EXPORTER_OTLP_ENDPOINT = os.getenv('OTEL_LOGS_EXPORTER_OTLP_ENDPOINT', OTEL_EXPORTER_OTLP_ENDPOINT)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #abaf3fadd56e531e Environment-variable access.
repo/backend/open_webui/env.py:1120
OTEL_EXPORTER_OTLP_INSECURE = os.getenv('OTEL_EXPORTER_OTLP_INSECURE', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9569e9f3537d9895 Environment-variable access.
repo/backend/open_webui/env.py:1122
    os.getenv('OTEL_METRICS_EXPORTER_OTLP_INSECURE', str(OTEL_EXPORTER_OTLP_INSECURE)).lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b59c8c8a78952bf2 Environment-variable access.
repo/backend/open_webui/env.py:1125
    os.getenv('OTEL_LOGS_EXPORTER_OTLP_INSECURE', str(OTEL_EXPORTER_OTLP_INSECURE)).lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a85c8b401f37b1e1 Environment-variable access.
repo/backend/open_webui/env.py:1127
OTEL_SERVICE_NAME = os.getenv('OTEL_SERVICE_NAME', 'open-webui')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #02bec92343ec9440 Environment-variable access.
repo/backend/open_webui/env.py:1128
OTEL_RESOURCE_ATTRIBUTES = os.getenv('OTEL_RESOURCE_ATTRIBUTES', '')  # e.g. key1=val1,key2=val2

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0583d0c846143c62 Environment-variable access.
repo/backend/open_webui/env.py:1129
OTEL_TRACES_SAMPLER = os.getenv('OTEL_TRACES_SAMPLER', 'parentbased_always_on').lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2ccdd743be0d0d26 Environment-variable access.
repo/backend/open_webui/env.py:1130
OTEL_BASIC_AUTH_USERNAME = os.getenv('OTEL_BASIC_AUTH_USERNAME', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d84ca4df763aa1ba Environment-variable access.
repo/backend/open_webui/env.py:1131
OTEL_BASIC_AUTH_PASSWORD = os.getenv('OTEL_BASIC_AUTH_PASSWORD', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9d2972307fbdf106 Environment-variable access.
repo/backend/open_webui/env.py:1132
OTEL_METRICS_EXPORT_INTERVAL_MILLIS = int(os.getenv('OTEL_METRICS_EXPORT_INTERVAL_MILLIS', '10000'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f7fd14b2193e7a42 Environment-variable access.
repo/backend/open_webui/env.py:1134
OTEL_METRICS_BASIC_AUTH_USERNAME = os.getenv('OTEL_METRICS_BASIC_AUTH_USERNAME', OTEL_BASIC_AUTH_USERNAME)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #563219f91c110913 Environment-variable access.
repo/backend/open_webui/env.py:1135
OTEL_METRICS_BASIC_AUTH_PASSWORD = os.getenv('OTEL_METRICS_BASIC_AUTH_PASSWORD', OTEL_BASIC_AUTH_PASSWORD)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4849127da9c3db7e Environment-variable access.
repo/backend/open_webui/env.py:1136
OTEL_LOGS_BASIC_AUTH_USERNAME = os.getenv('OTEL_LOGS_BASIC_AUTH_USERNAME', OTEL_BASIC_AUTH_USERNAME)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e46599560647f25b Environment-variable access.
repo/backend/open_webui/env.py:1137
OTEL_LOGS_BASIC_AUTH_PASSWORD = os.getenv('OTEL_LOGS_BASIC_AUTH_PASSWORD', OTEL_BASIC_AUTH_PASSWORD)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2b054cc72f6aad6d Environment-variable access.
repo/backend/open_webui/env.py:1139
OTEL_OTLP_SPAN_EXPORTER = os.getenv('OTEL_OTLP_SPAN_EXPORTER', 'grpc').lower()  # grpc or http

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #65ce8b59e393360a Environment-variable access.
repo/backend/open_webui/env.py:1141
OTEL_METRICS_OTLP_SPAN_EXPORTER = os.getenv(
    'OTEL_METRICS_OTLP_SPAN_EXPORTER', OTEL_OTLP_SPAN_EXPORTER
).lower()  # grpc or http

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ce7f0d2e89254a7 Environment-variable access.
repo/backend/open_webui/env.py:1145
OTEL_LOGS_OTLP_SPAN_EXPORTER = os.getenv(
    'OTEL_LOGS_OTLP_SPAN_EXPORTER', OTEL_OTLP_SPAN_EXPORTER
).lower()  # grpc or http

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #488c7a11cf7f9927 Environment-variable access.
repo/backend/open_webui/internal/db.py:242
    database_password = os.environ.get('DATABASE_PASSWORD')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #397472d4b3f94df9 Filesystem access.
repo/backend/open_webui/retrieval/loaders/datalab_marker.py:110
            with open(self.file_path, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4930a7aeec3e89db Filesystem access.
repo/backend/open_webui/retrieval/loaders/datalab_marker.py:235
            with open(output_path, 'w', encoding='utf-8') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #894f16e3d2a1a672 Filesystem access.
repo/backend/open_webui/retrieval/loaders/external_document.py:37
        with open(self.file_path, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8bb8a207fd499d72 Filesystem access.
repo/backend/open_webui/retrieval/loaders/main.py:149
        with open(self.file_path, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #115176a78d77c3a5 Filesystem access.
repo/backend/open_webui/retrieval/loaders/main.py:192
        with open(self.file_path, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #728b28adc89bee91 Filesystem access.
repo/backend/open_webui/retrieval/loaders/main.py:294
            with open(file_path, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c51035c7532bb095 Filesystem access.
repo/backend/open_webui/retrieval/loaders/mineru.py:97
            with open(self.file_path, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #251f35e264885f28 Filesystem access.
repo/backend/open_webui/retrieval/loaders/mineru.py:298
            with open(self.file_path, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5e0697e271c916da Filesystem access.
repo/backend/open_webui/retrieval/loaders/mistral.py:235
            with open(self.file_path, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1ec23d22f1b74883 Filesystem access.
repo/backend/open_webui/retrieval/loaders/mistral.py:270
            with open(self.file_path, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #15e2ef319e9679bd Filesystem access.
repo/backend/open_webui/retrieval/loaders/mistral.py:424
        with open(self.file_path, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #81ba2cd16e36e710 Filesystem access.
repo/backend/open_webui/retrieval/loaders/paddleocr_vl.py:38
            with open(self.file_path, 'rb') as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #99daa1f49f4a6ef0 Environment-variable access.
repo/backend/open_webui/retrieval/utils.py:1623
    cache_dir = os.getenv('SENTENCE_TRANSFORMERS_HOME')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0e68e4ebd5ba4e3e Environment-variable access.
repo/backend/open_webui/retrieval/web/bing.py:68
        os.environ.get('BING_SEARCH_V7_SUBSCRIPTION_KEY', ''),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a49a159c33ae60f0 Environment-variable access.
repo/backend/open_webui/retrieval/web/bing.py:69
        os.environ.get('BING_SEARCH_V7_ENDPOINT', 'https://api.bing.microsoft.com/v7.0/search'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #e2be1eff97995d12 Hardcoded external endpoint. Review what data is sent to this destination.
repo/backend/open_webui/retrieval/web/bocha.py:46
    response = requests.post(url, headers=headers, data=payload, timeout=5)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #c5f8fa7b4c56a508 Hardcoded external endpoint. Review what data is sent to this destination.
repo/backend/open_webui/retrieval/web/brave_llm_context.py:44
    response = requests.get(url, headers=headers, params=params)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #4ad7fae2781e5aa7 Hardcoded external endpoint. Review what data is sent to this destination.
repo/backend/open_webui/retrieval/web/brave_llm_context.py:50
        response = requests.get(url, headers=headers, params=params)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #0a07ad84a0826439 Hardcoded external endpoint. Review what data is sent to this destination.
repo/backend/open_webui/retrieval/web/exa.py:47
        response = requests.post(f'{EXA_API_BASE}/search', headers=headers, json=payload)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #947aac1bb7262a65 Hardcoded external endpoint. Review what data is sent to this destination.
repo/backend/open_webui/retrieval/web/kagi.py:26
    response = requests.post(url, headers=headers, json=params)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #d2625b1cfe292db1 Hardcoded external endpoint. Review what data is sent to this destination.
repo/backend/open_webui/retrieval/web/mojeek.py:24
    response = requests.get(url, headers=headers, params=params)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #d82ae36b7ef9dd7b Hardcoded external endpoint. Review what data is sent to this destination.
repo/backend/open_webui/retrieval/web/tavily.py:34
    response = requests.post(url, headers=headers, json=data)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #539ae4f1dc9751c3 Environment-variable access.
repo/backend/open_webui/retrieval/web/yandex.py:142
        os.environ.get('YANDEX_WEB_SEARCH_URL', ''),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #262850626322f32c Environment-variable access.
repo/backend/open_webui/retrieval/web/yandex.py:143
        os.environ.get('YANDEX_WEB_SEARCH_API_KEY', ''),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7201f5892646e94a Environment-variable access.
repo/backend/open_webui/retrieval/web/yandex.py:144
        os.environ.get('YANDEX_WEB_SEARCH_CONFIG', '{"query": {"searchType": "SEARCH_TYPE_COM"}}'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #039c65c54d19e6ea Hardcoded external endpoint. Review what data is sent to this destination.
repo/backend/open_webui/retrieval/web/ydc.py:37
    response = requests.get(url, headers=headers, params=params)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #0b92687fbcf765e1 Filesystem access.
repo/backend/open_webui/routers/audio.py:681
                with open(file_path, 'rb') as audio_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #567e92ccff3c69db Filesystem access.
repo/backend/open_webui/routers/audio.py:828
    form_data.add_field('audio', open(file_path, 'rb'), filename=filename)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #22d67466e3a3334f Filesystem access.
repo/backend/open_webui/routers/audio.py:1005
            form_data.add_field('file', open(file_path, 'rb'), filename=filename, content_type=mime_type)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aac9f7ebe522e530 Filesystem access.
repo/backend/open_webui/routers/audio.py:1212
            with open(file_path, 'wb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eaafda3b5b70442d Environment-variable access.
repo/backend/open_webui/routers/evaluations.py:65
EMBEDDING_MODEL_NAME = os.environ.get('AUXILIARY_EMBEDDING_MODEL', 'TaylorAI/bge-micro-v2')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #140032016f33c773 Filesystem access.
repo/backend/open_webui/routers/files.py:78
        with open(resolved, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #469d65baca399aff Filesystem access.
repo/backend/open_webui/routers/images.py:939
                    with open(file_path, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6cb3b10ec27e66a8 Filesystem access.
repo/backend/open_webui/routers/ollama.py:1480
        with open(file_path, 'ab+') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9c7c4ac061797adf Filesystem access.
repo/backend/open_webui/routers/ollama.py:1494
                    with open(file_path, 'rb') as blob_f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5b63f0d2100a9c5a Filesystem access.
repo/backend/open_webui/routers/ollama.py:1560
        with open(file_path, 'wb') as out_f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fb13ddca1211aa10 Filesystem access.
repo/backend/open_webui/routers/ollama.py:1579
            with open(file_path, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9170020f533b99cb Filesystem access.
repo/backend/open_webui/routers/ollama.py:1588
                with open(file_path, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #121941f7fbcdd11d Filesystem access.
repo/backend/open_webui/routers/openai.py:400
            with open(file_path, 'wb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ac5590ae96bb02ee Filesystem access.
repo/backend/open_webui/routers/openai.py:404
            with open(file_body_path, 'w') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e0891aa9cad3f971 Filesystem access.
repo/backend/open_webui/routers/pipelines.py:242
            with open(file_path, 'wb') as buffer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9f2aa02950028071 Filesystem access.
repo/backend/open_webui/routers/pipelines.py:252
            with open(file_path, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7a348f5aa727da0c Environment-variable access.
repo/backend/open_webui/routers/retrieval.py:1567
            cache_dir=os.getenv('SENTENCE_TRANSFORMERS_HOME') or os.getenv('HF_HUB_CACHE'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #773b986a3b2061a4 Filesystem access.
repo/backend/open_webui/storage/provider.py:65
        with open(file_path, 'wb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a8f33a880ccd051f Filesystem access.
repo/backend/open_webui/storage/provider.py:303
            with open(local_file_path, 'wb') as download_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e1ecd5090281b7f9 Filesystem access.
repo/backend/open_webui/utils/auth.py:81
    with open(file_path, 'wb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3bc66102208e2d71 Environment-variable access.
repo/backend/open_webui/utils/automations.py:43
SCHEDULER_POLL_INTERVAL = int(os.getenv('SCHEDULER_POLL_INTERVAL', os.getenv('AUTOMATION_POLL_INTERVAL', '10')))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #81916efa385670c8 Environment-variable access.
repo/backend/open_webui/utils/automations.py:44
CALENDAR_ALERT_LOOKAHEAD_MINUTES = int(os.getenv('CALENDAR_ALERT_LOOKAHEAD_MINUTES', '10'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #82ac7e1fceddb33f Filesystem access.
repo/backend/open_webui/utils/files.py:203
            with open(file_path, 'rb') as image_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c48699911465f42b Filesystem access.
repo/backend/open_webui/utils/misc.py:678
    with open(file_path, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de920632e1f7afa1 Filesystem access.
repo/backend/open_webui/utils/pdf_generator.py:30
        self.css = Path(STATIC_DIR / 'assets' / 'pdf-style.css').read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d0fe27b78a08b050 Filesystem access.
repo/backend/open_webui/utils/plugin.py:231
        with open(temp_file.name, 'w', encoding='utf-8') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1a92f3b73fd3480e Filesystem access.
repo/backend/open_webui/utils/plugin.py:276
        with open(temp_file.name, 'w', encoding='utf-8') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b3d1723e8933511d Environment-variable access.
repo/backend/open_webui/utils/security_headers.py:63
        value = os.environ.get(env_var, None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd0cf760cbcede74 Filesystem access.
repo/contribution_stats.py:11
        with open(filepath, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aad02f37af6433ef Environment-variable access.
repo/hatch_build.py:20
        os.environ['APP_BUILD_HASH'] = version

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (python)

python first-party
high pii_flow production #a4fc57d7c4604677 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/config.py:188 · flow /tmp/closeopen-cqchdknf/repo/backend/open_webui/config.py:184 → /tmp/closeopen-cqchdknf/repo/backend/open_webui/config.py:188
        r = requests.get(f'https://api.openwebui.com/api/v1/custom/{CUSTOM_NAME}')

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #e971fbf35024b66c User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/config.py:196 · flow /tmp/closeopen-cqchdknf/repo/backend/open_webui/config.py:184 → /tmp/closeopen-cqchdknf/repo/backend/open_webui/config.py:196
                r = requests.get(url, stream=True)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #36fd7b9044f76bc6 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/config.py:205 · flow /tmp/closeopen-cqchdknf/repo/backend/open_webui/config.py:184 → /tmp/closeopen-cqchdknf/repo/backend/open_webui/config.py:205
                r = requests.get(url, stream=True)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #e9990a4da664dabd User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/datalab_marker.py:71 · flow /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/datalab_marker.py:69 → /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/datalab_marker.py:71
            response = requests.get(url, headers=headers)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #2d3d58bbee4530a0 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/datalab_marker.py:112 · flow /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/datalab_marker.py:89 → /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/datalab_marker.py:112
                response = requests.post(
                    f'{self.api_base_url}',
                    data=form_data,
                    files=files,
                    headers=headers,
                )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #33e9e7884e13f046 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/datalab_marker.py:147 · flow /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/datalab_marker.py:89 → /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/datalab_marker.py:147
                    poll_response = requests.get(check_url, headers=headers)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #acedd2eb5e98f385 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/external_document.py:62 · flow /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/external_document.py:45 → /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/external_document.py:62
            response = requests.put(f'{url}/process', data=data, headers=headers)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #753e5bbc8f130b78 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/main.py:197 · flow /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/main.py:195 → /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/main.py:197
            r = requests.post(
                f'{self.url}/v1/convert/file',
                files={
                    'files': (
                        self.file_path,
                        f,
                        self.mime_type or 'application/octet-stream',
                    )
                },
                data={
                    'image_export_mode': 'placeholder',
                    'md_page_break_placeholder': page_break_marker,
                    **self.params,
                },
                headers=headers,
                verify=AIOHTTP_CLIENT_SESSION_SSL,
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #fcd8cc05bd06c9b8 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/microsoft_web_iq.py:70 · flow /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/microsoft_web_iq.py:52 → /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/microsoft_web_iq.py:70
            response = requests.post(
                f'{self.api_base_url}/browse',
                json=payload,
                headers=headers,
                timeout=request_timeout,
                verify=self.verify_ssl,
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #f3d4a22b21b2039c User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/mineru.py:239 · flow /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/mineru.py:216 → /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/mineru.py:239
            response = requests.post(
                f'{self.api_url}/file-urls/batch',
                headers=headers,
                json=request_body,
                timeout=30,
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #56f395db02e65637 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/mineru.py:341 · flow /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/mineru.py:331 → /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/mineru.py:341
                response = requests.get(
                    f'{self.api_url}/extract-results/batch/{batch_id}',
                    headers=headers,
                    timeout=30,
                )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #0e4cec07679880a7 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/paddleocr_vl.py:61 · flow /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/paddleocr_vl.py:45 → /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/paddleocr_vl.py:61
            response = requests.post(f'{self.api_url}/layout-parsing', json=payload, headers=headers)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #7ca6dde28b3cb175 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/loaders/tavily.py:67 · flow /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/tavily.py:61 → /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/loaders/tavily.py:67
                response = requests.post(self.api_url, headers=headers, json=payload)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow production #111582739c3727f9 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
repo/backend/open_webui/retrieval/models/external.py:49 · flow /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/models/external.py:43 → /tmp/closeopen-cqchdknf/repo/backend/open_webui/retrieval/models/external.py:49
            r = requests.post(
                f'{self.url}',
                headers=headers,
                json=payload,
                timeout=self.timeout,
                verify=REQUESTS_VERIFY,
            )

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium telemetry production #b0d359e2fd950e17 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/auth.py:346
            from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7185967f6d68c285 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/auth.py:391
                    from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ac1e0c222c1a09f4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/auth.py:465
        from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #98596a0e1978c867 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/logger.py:123
        from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #c81d1cc5cd49c869 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/constants.py:1
from opentelemetry.semconv._incubating.attributes import (
    db_attributes as _db,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #69fc0d43e8d19a9d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/constants.py:4
from opentelemetry.semconv._incubating.attributes import (
    http_attributes as _http,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #bca595af6da85787 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/instrumentors.py:12
from opentelemetry.instrumentation.aiohttp_client import AioHttpClientInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #655a31d1122a40d9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/instrumentors.py:13
from opentelemetry.instrumentation.fastapi import FastAPIInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #576e40e727ba81d6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/instrumentors.py:14
from opentelemetry.instrumentation.httpx import (
    HTTPXClientInstrumentor,
    RequestInfo,
    ResponseInfo,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9675a3a68ca71716 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/instrumentors.py:19
from opentelemetry.instrumentation.instrumentor import BaseInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6cdd4d706eaebe4e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/instrumentors.py:20
from opentelemetry.instrumentation.logging import LoggingInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #114614a1a18a574d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/instrumentors.py:21
from opentelemetry.instrumentation.redis import RedisInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a41262cf50c17c30 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/instrumentors.py:22
from opentelemetry.instrumentation.requests import RequestsInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9447911c06699dd7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/instrumentors.py:23
from opentelemetry.instrumentation.sqlalchemy import SQLAlchemyInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d09b3776ce124d09 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/instrumentors.py:24
from opentelemetry.instrumentation.system_metrics import SystemMetricsInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a9f7be82d9d66e0c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/instrumentors.py:25
from opentelemetry.trace import Span, StatusCode

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b9f629b0593ab581 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/logs.py:12
from opentelemetry._logs import set_logger_provider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1731c8915514dfc0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/logs.py:13
from opentelemetry.exporter.otlp.proto.grpc._log_exporter import OTLPLogExporter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b4971abf30c7fdda Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/logs.py:14
from opentelemetry.exporter.otlp.proto.http._log_exporter import (
    OTLPLogExporter as HttpOTLPLogExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #65ac96bba2d595b7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/logs.py:17
from opentelemetry.sdk._logs import (
    LoggerProvider,
    LoggingHandler,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #efd1ccc1ed78128e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/logs.py:21
from opentelemetry.sdk._logs.export import BatchLogRecordProcessor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a4d84a9e80482a85 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/logs.py:22
from opentelemetry.sdk.resources import SERVICE_NAME, Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #cb2be3cfb7333947 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/metrics.py:37
from opentelemetry import metrics

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #260c8f89dfe85bf1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/metrics.py:38
from opentelemetry.exporter.otlp.proto.grpc.metric_exporter import (
    OTLPMetricExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e9c804d968abdaec Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/metrics.py:41
from opentelemetry.exporter.otlp.proto.http.metric_exporter import (
    OTLPMetricExporter as OTLPHttpMetricExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #cdfc5cee81d04e32 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/metrics.py:44
from opentelemetry.sdk.metrics import MeterProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8fef32d25da6162e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/metrics.py:45
from opentelemetry.sdk.metrics.export import (
    PeriodicExportingMetricReader,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #240d97ee3785058f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/metrics.py:48
from opentelemetry.sdk.metrics.view import View

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7f096d3969aa4714 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/metrics.py:49
from opentelemetry.sdk.resources import Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7b85ae5efac38004 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/setup.py:16
from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #526c1ef042f79dc4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/setup.py:17
from opentelemetry.exporter.otlp.proto.grpc.trace_exporter import OTLPSpanExporter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7c7cab1295fbd2ca Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/setup.py:18
from opentelemetry.exporter.otlp.proto.http.trace_exporter import (
    OTLPSpanExporter as HttpOTLPSpanExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ec026d8cca3d4629 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/setup.py:21
from opentelemetry.sdk.resources import SERVICE_NAME, Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #efff5f43f51a40c9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/setup.py:22
from opentelemetry.sdk.trace import TracerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #562569bfdf2f875c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/setup.py:23
from opentelemetry.sdk.trace.export import BatchSpanProcessor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 904 low-confidence finding(s)
low env_fs production #e257e020d77028f3 Environment-variable access.
repo/backend/open_webui/__init__.py:37
    os.environ['FROM_INIT_PY'] = 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #31d47a94611b23bc Environment-variable access.
repo/backend/open_webui/__init__.py:38
    if os.getenv('WEBUI_SECRET_KEY') is None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #87ffe4dd92f31015 Environment-variable access.
repo/backend/open_webui/__init__.py:41
            key_length = int(os.getenv('WEBUI_SECRET_KEY_LENGTH', DEFAULT_SECRET_KEY_LENGTH))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8aa99cec4c5b3efa Environment-variable access.
repo/backend/open_webui/__init__.py:47
        os.environ['WEBUI_SECRET_KEY'] = KEY_FILE.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bba8f9a04e1a8b1e Filesystem access.
repo/backend/open_webui/__init__.py:47
        os.environ['WEBUI_SECRET_KEY'] = KEY_FILE.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e688dbec427d6c70 Environment-variable access.
repo/backend/open_webui/__init__.py:49
    if os.getenv('USE_CUDA_DOCKER', 'false') == 'true':

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #86a3814d7b6203b8 Environment-variable access.
repo/backend/open_webui/__init__.py:51
        LD_LIBRARY_PATH = os.getenv('LD_LIBRARY_PATH', '').split(':')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a0e1972363e54ee0 Environment-variable access.
repo/backend/open_webui/__init__.py:52
        os.environ['LD_LIBRARY_PATH'] = ':'.join(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8915f3409dd5be66 Environment-variable access.
repo/backend/open_webui/__init__.py:70
            os.environ['USE_CUDA_DOCKER'] = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd1f2a4a0cb9a477 Environment-variable access.
repo/backend/open_webui/__init__.py:71
            os.environ['LD_LIBRARY_PATH'] = ':'.join(LD_LIBRARY_PATH)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0e14d1a63a3051f9 Filesystem access.
repo/backend/open_webui/config.py:86
    with open(f'{DATA_DIR}/config.json', 'r') as _f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #70ac59531e315538 Environment-variable access.
repo/backend/open_webui/config.py:95
STATIC_DIR = Path(os.getenv('STATIC_DIR', OPEN_WEBUI_DIR / 'static')).resolve()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7c7fd1c9805bd725 Environment-variable access.
repo/backend/open_webui/config.py:144
STORAGE_PROVIDER = os.getenv('STORAGE_PROVIDER', 'local')  # defaults to local, s3

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #79db820c84edc11d Environment-variable access.
repo/backend/open_webui/config.py:145
STORAGE_LOCAL_CACHE = os.getenv('STORAGE_LOCAL_CACHE', 'true').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8873d7c2590fd93f Environment-variable access.
repo/backend/open_webui/config.py:147
S3_ACCESS_KEY_ID = os.getenv('S3_ACCESS_KEY_ID', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4c753d081e3112f2 Environment-variable access.
repo/backend/open_webui/config.py:148
S3_SECRET_ACCESS_KEY = os.getenv('S3_SECRET_ACCESS_KEY', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #11ff532bfbc53b00 Environment-variable access.
repo/backend/open_webui/config.py:149
S3_REGION_NAME = os.getenv('S3_REGION_NAME', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f5c1716c64cf47d3 Environment-variable access.
repo/backend/open_webui/config.py:150
S3_BUCKET_NAME = os.getenv('S3_BUCKET_NAME', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2e0cf6c831224ea6 Environment-variable access.
repo/backend/open_webui/config.py:151
S3_KEY_PREFIX = os.getenv('S3_KEY_PREFIX', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0ee078012e938783 Environment-variable access.
repo/backend/open_webui/config.py:152
S3_ENDPOINT_URL = os.getenv('S3_ENDPOINT_URL', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ded537e75b56bbd Environment-variable access.
repo/backend/open_webui/config.py:153
S3_USE_ACCELERATE_ENDPOINT = os.getenv('S3_USE_ACCELERATE_ENDPOINT', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e2823cd70a884ead Environment-variable access.
repo/backend/open_webui/config.py:154
S3_ADDRESSING_STYLE = os.getenv('S3_ADDRESSING_STYLE', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #179c1645912bbb25 Environment-variable access.
repo/backend/open_webui/config.py:155
S3_ENABLE_TAGGING = os.getenv('S3_ENABLE_TAGGING', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9036d0bb5154c0c9 Environment-variable access.
repo/backend/open_webui/config.py:157
GCS_BUCKET_NAME = os.getenv('GCS_BUCKET_NAME', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a9bcaf9336acb81 Environment-variable access.
repo/backend/open_webui/config.py:158
GOOGLE_APPLICATION_CREDENTIALS_JSON = os.getenv('GOOGLE_APPLICATION_CREDENTIALS_JSON', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a2c18104be15fa52 Environment-variable access.
repo/backend/open_webui/config.py:160
AZURE_STORAGE_ENDPOINT = os.getenv('AZURE_STORAGE_ENDPOINT', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2341c09bba04f043 Environment-variable access.
repo/backend/open_webui/config.py:161
AZURE_STORAGE_CONTAINER_NAME = os.getenv('AZURE_STORAGE_CONTAINER_NAME', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #62dab74f01411995 Environment-variable access.
repo/backend/open_webui/config.py:162
AZURE_STORAGE_KEY = os.getenv('AZURE_STORAGE_KEY', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #88f9bac2e538ac6f Environment-variable access.
repo/backend/open_webui/config.py:184
CUSTOM_NAME = os.getenv('CUSTOM_NAME', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ac3fe6f883a58bac Filesystem access.
repo/backend/open_webui/config.py:198
                    with open(f'{STATIC_DIR}/favicon.png', 'wb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #570d044aa043d7ab Filesystem access.
repo/backend/open_webui/config.py:207
                    with open(f'{STATIC_DIR}/splash.png', 'wb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #582ee82eed523520 Environment-variable access.
repo/backend/open_webui/config.py:221
ENABLE_DIRECT_CONNECTIONS = os.getenv('ENABLE_DIRECT_CONNECTIONS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #752d51f4f0e2c8e0 Environment-variable access.
repo/backend/open_webui/config.py:227
ENABLE_OLLAMA_API = os.getenv('ENABLE_OLLAMA_API', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2bc57d4ae8f8edae Environment-variable access.
repo/backend/open_webui/config.py:229
OLLAMA_API_BASE_URL = os.getenv('OLLAMA_API_BASE_URL', 'http://localhost:11434/api')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7cd7faa83b1c3b82 Environment-variable access.
repo/backend/open_webui/config.py:231
OLLAMA_BASE_URL = os.getenv('OLLAMA_BASE_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #65c4617be7c5bdbd Environment-variable access.
repo/backend/open_webui/config.py:237
K8S_FLAG = os.getenv('K8S_FLAG', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e0922d6528b7c732 Environment-variable access.
repo/backend/open_webui/config.py:238
USE_OLLAMA_DOCKER = os.getenv('USE_OLLAMA_DOCKER', 'false')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d0bdfc66dc9616e4 Environment-variable access.
repo/backend/open_webui/config.py:282
if os.getenv('OLLAMA_BASE_URL', '') in ('', '/ollama') and not os.getenv('OLLAMA_BASE_URLS', ''):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #624bba92604742c9 Environment-variable access.
repo/backend/open_webui/config.py:286
OLLAMA_BASE_URLS = os.getenv('OLLAMA_BASE_URLS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #85a1c2ca2dc104b0 Environment-variable access.
repo/backend/open_webui/config.py:293
_ollama_api_configs = os.getenv('OLLAMA_API_CONFIGS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #86b831016bc059c7 Environment-variable access.
repo/backend/open_webui/config.py:309
ENABLE_OPENAI_API = os.getenv('ENABLE_OPENAI_API', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46529e32ccd33871 Environment-variable access.
repo/backend/open_webui/config.py:312
OPENAI_API_KEY = os.getenv('OPENAI_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8deab5aefaa66adb Environment-variable access.
repo/backend/open_webui/config.py:313
OPENAI_API_BASE_URL = os.getenv('OPENAI_API_BASE_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #18e88cfc078bd7bc Environment-variable access.
repo/backend/open_webui/config.py:315
GEMINI_API_KEY = os.getenv('GEMINI_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9f95d02b7a4b3267 Environment-variable access.
repo/backend/open_webui/config.py:316
GEMINI_API_BASE_URL = os.getenv('GEMINI_API_BASE_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #34d459c2ae55534f Environment-variable access.
repo/backend/open_webui/config.py:325
OPENAI_API_KEYS = os.getenv('OPENAI_API_KEYS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3b5abf0f847258f0 Environment-variable access.
repo/backend/open_webui/config.py:331
OPENAI_API_BASE_URLS = os.getenv('OPENAI_API_BASE_URLS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #755114463a249694 Environment-variable access.
repo/backend/open_webui/config.py:340
_openai_api_configs = os.getenv('OPENAI_API_CONFIGS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #886fd59638a86acf Environment-variable access.
repo/backend/open_webui/config.py:364
ENABLE_BASE_MODELS_CACHE = os.getenv('ENABLE_BASE_MODELS_CACHE', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1041fb9422f9350b Environment-variable access.
repo/backend/open_webui/config.py:372
    tool_server_connections = json.loads(os.getenv('TOOL_SERVER_CONNECTIONS', '[]'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be6c43103110a1be Environment-variable access.
repo/backend/open_webui/config.py:380
OAUTH_CLIENT_TIMEOUT = os.getenv('OAUTH_CLIENT_TIMEOUT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #80ecf8a98008770b Environment-variable access.
repo/backend/open_webui/config.py:386
terminal_server_connections = json.loads(os.getenv('TERMINAL_SERVER_CONNECTIONS', '[]'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #27367158d9ae02d8 Environment-variable access.
repo/backend/open_webui/config.py:391
    TERMINAL_PROXY_HEADERS = json.loads(os.getenv('TERMINAL_PROXY_HEADERS', '{}'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6b7f2639ca087ebd Environment-variable access.
repo/backend/open_webui/config.py:399
ENABLE_CODE_EXECUTION = os.getenv('ENABLE_CODE_EXECUTION', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1728de5320708121 Environment-variable access.
repo/backend/open_webui/config.py:401
CODE_EXECUTION_ENGINE = os.getenv('CODE_EXECUTION_ENGINE', 'pyodide')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a1007d54b8b05cf9 Environment-variable access.
repo/backend/open_webui/config.py:403
CODE_EXECUTION_JUPYTER_URL = os.getenv('CODE_EXECUTION_JUPYTER_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5180cd4494c47129 Environment-variable access.
repo/backend/open_webui/config.py:405
CODE_EXECUTION_JUPYTER_AUTH = os.getenv('CODE_EXECUTION_JUPYTER_AUTH', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9c90e668266b7b69 Environment-variable access.
repo/backend/open_webui/config.py:407
CODE_EXECUTION_JUPYTER_AUTH_TOKEN = os.getenv('CODE_EXECUTION_JUPYTER_AUTH_TOKEN', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e4414d5094bccd26 Environment-variable access.
repo/backend/open_webui/config.py:410
CODE_EXECUTION_JUPYTER_AUTH_PASSWORD = os.getenv('CODE_EXECUTION_JUPYTER_AUTH_PASSWORD', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae6731b84c18a68b Environment-variable access.
repo/backend/open_webui/config.py:412
CODE_EXECUTION_JUPYTER_TIMEOUT = int(os.getenv('CODE_EXECUTION_JUPYTER_TIMEOUT', '60'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #655ed2b1e6f33c17 Environment-variable access.
repo/backend/open_webui/config.py:414
ENABLE_CODE_INTERPRETER = os.getenv('ENABLE_CODE_INTERPRETER', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #388859d3db3e25c8 Environment-variable access.
repo/backend/open_webui/config.py:416
ENABLE_MEMORIES = os.getenv('ENABLE_MEMORIES', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0878c77c29a02647 Environment-variable access.
repo/backend/open_webui/config.py:417
ENABLE_MEMORY_SYSTEM_CONTEXT = os.getenv('ENABLE_MEMORY_SYSTEM_CONTEXT', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7367148cad587faa Environment-variable access.
repo/backend/open_webui/config.py:418
ENABLE_MEMORY_BACKGROUND_REVIEW = os.getenv('ENABLE_MEMORY_BACKGROUND_REVIEW', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b344952832aee3a3 Environment-variable access.
repo/backend/open_webui/config.py:419
MEMORIES_REVIEW_INTERVAL_TURNS = int(os.getenv('MEMORIES_REVIEW_INTERVAL_TURNS', '10'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1925c9ea93a2788c Environment-variable access.
repo/backend/open_webui/config.py:420
MEMORIES_USER_CHAR_LIMIT = int(os.getenv('MEMORIES_USER_CHAR_LIMIT', '2000'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #05ee3232c05cd848 Environment-variable access.
repo/backend/open_webui/config.py:421
MEMORIES_CONTEXT_CHAR_LIMIT = int(os.getenv('MEMORIES_CONTEXT_CHAR_LIMIT', '2000'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0bf6738c79dbd29e Environment-variable access.
repo/backend/open_webui/config.py:423
CODE_INTERPRETER_ENGINE = os.getenv('CODE_INTERPRETER_ENGINE', 'pyodide')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #50e2921e13614428 Environment-variable access.
repo/backend/open_webui/config.py:425
CODE_INTERPRETER_PROMPT_TEMPLATE = os.getenv('CODE_INTERPRETER_PROMPT_TEMPLATE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9c785255ca7d6603 Environment-variable access.
repo/backend/open_webui/config.py:427
CODE_INTERPRETER_JUPYTER_URL = os.getenv('CODE_INTERPRETER_JUPYTER_URL', os.getenv('CODE_EXECUTION_JUPYTER_URL', ''))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9adada2b627a7cf8 Environment-variable access.
repo/backend/open_webui/config.py:429
CODE_INTERPRETER_JUPYTER_AUTH = os.getenv(
    'CODE_INTERPRETER_JUPYTER_AUTH',
    os.getenv('CODE_EXECUTION_JUPYTER_AUTH', ''),
)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #34588a3ae561d1ce Environment-variable access.
repo/backend/open_webui/config.py:431
    os.getenv('CODE_EXECUTION_JUPYTER_AUTH', ''),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #213dd6014c68381d Environment-variable access.
repo/backend/open_webui/config.py:434
CODE_INTERPRETER_JUPYTER_AUTH_TOKEN = os.getenv(
    'CODE_INTERPRETER_JUPYTER_AUTH_TOKEN',
    os.getenv('CODE_EXECUTION_JUPYTER_AUTH_TOKEN', ''),
)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7747d6a215e5c3f2 Environment-variable access.
repo/backend/open_webui/config.py:436
    os.getenv('CODE_EXECUTION_JUPYTER_AUTH_TOKEN', ''),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bbda875492a66920 Environment-variable access.
repo/backend/open_webui/config.py:440
CODE_INTERPRETER_JUPYTER_AUTH_PASSWORD = os.getenv(
    'CODE_INTERPRETER_JUPYTER_AUTH_PASSWORD',
    os.getenv('CODE_EXECUTION_JUPYTER_AUTH_PASSWORD', ''),
)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #367ca88e1adcd176 Environment-variable access.
repo/backend/open_webui/config.py:442
    os.getenv('CODE_EXECUTION_JUPYTER_AUTH_PASSWORD', ''),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a5f27c9f373dc3c Environment-variable access.
repo/backend/open_webui/config.py:446
    os.getenv(
        'CODE_INTERPRETER_JUPYTER_TIMEOUT',
        os.getenv('CODE_EXECUTION_JUPYTER_TIMEOUT', '60'),
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5c3249811c3124dc Environment-variable access.
repo/backend/open_webui/config.py:448
        os.getenv('CODE_EXECUTION_JUPYTER_TIMEOUT', '60'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fb03e867f412b857 Environment-variable access.
repo/backend/open_webui/config.py:453
    library.strip() for library in os.getenv('CODE_INTERPRETER_BLOCKED_MODULES', '').split(',') if library.strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c18e3febe007d51c Environment-variable access.
repo/backend/open_webui/config.py:493
VECTOR_DB = os.getenv('VECTOR_DB', 'chroma')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fb6c8e7b2d238501 Environment-variable access.
repo/backend/open_webui/config.py:501
    CHROMA_TENANT = os.getenv('CHROMA_TENANT', chromadb.DEFAULT_TENANT)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #70f0211bccbe954c Environment-variable access.
repo/backend/open_webui/config.py:502
    CHROMA_DATABASE = os.getenv('CHROMA_DATABASE', chromadb.DEFAULT_DATABASE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7bc01ee126a248ad Environment-variable access.
repo/backend/open_webui/config.py:503
    CHROMA_HTTP_HOST = os.getenv('CHROMA_HTTP_HOST', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4b2aa3e6d71de6f6 Environment-variable access.
repo/backend/open_webui/config.py:504
    CHROMA_HTTP_PORT = int(os.getenv('CHROMA_HTTP_PORT', '8000'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae8c600e2aa228e9 Environment-variable access.
repo/backend/open_webui/config.py:505
    CHROMA_CLIENT_AUTH_PROVIDER = os.getenv('CHROMA_CLIENT_AUTH_PROVIDER', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c7c4843936f0ee15 Environment-variable access.
repo/backend/open_webui/config.py:506
    CHROMA_CLIENT_AUTH_CREDENTIALS = os.getenv('CHROMA_CLIENT_AUTH_CREDENTIALS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #203995d1dca1cf9f Environment-variable access.
repo/backend/open_webui/config.py:508
    CHROMA_HTTP_HEADERS = os.getenv('CHROMA_HTTP_HEADERS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #268dfbd7ecd7714a Environment-variable access.
repo/backend/open_webui/config.py:513
    CHROMA_HTTP_SSL = os.getenv('CHROMA_HTTP_SSL', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #85729ff1911b9a32 Environment-variable access.
repo/backend/open_webui/config.py:518
MARIADB_VECTOR_DB_URL = os.getenv('MARIADB_VECTOR_DB_URL', '').strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8c087e1f9c1b791c Environment-variable access.
repo/backend/open_webui/config.py:521
    os.getenv('MARIADB_VECTOR_INITIALIZE_MAX_VECTOR_LENGTH', '1536').strip() or '1536'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b5e5f14a23c42b02 Environment-variable access.
repo/backend/open_webui/config.py:527
MARIADB_VECTOR_DISTANCE_STRATEGY = os.getenv('MARIADB_VECTOR_DISTANCE_STRATEGY', 'cosine').strip().lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #789ba4c6d9152652 Environment-variable access.
repo/backend/open_webui/config.py:530
MARIADB_VECTOR_INDEX_M = int(os.getenv('MARIADB_VECTOR_INDEX_M', '8').strip() or '8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #847c4f1e42d0e9cb Environment-variable access.
repo/backend/open_webui/config.py:533
MARIADB_VECTOR_POOL_SIZE = os.getenv('MARIADB_VECTOR_POOL_SIZE', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #19920aea984436ee Environment-variable access.
repo/backend/open_webui/config.py:541
MARIADB_VECTOR_POOL_MAX_OVERFLOW = os.getenv('MARIADB_VECTOR_POOL_MAX_OVERFLOW', 0)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6273b53feac5ae64 Environment-variable access.
repo/backend/open_webui/config.py:551
MARIADB_VECTOR_POOL_TIMEOUT = os.getenv('MARIADB_VECTOR_POOL_TIMEOUT', 30)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a9688d9dc45f2436 Environment-variable access.
repo/backend/open_webui/config.py:561
MARIADB_VECTOR_POOL_RECYCLE = os.getenv('MARIADB_VECTOR_POOL_RECYCLE', 3600)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0ef6adf0f2919a30 Environment-variable access.
repo/backend/open_webui/config.py:587
MILVUS_URI = os.getenv('MILVUS_URI', f'{DATA_DIR}/vector_db/milvus.db')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ed8bd3d7f6baa06f Environment-variable access.
repo/backend/open_webui/config.py:588
MILVUS_DB = os.getenv('MILVUS_DB', 'default')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c7b53e4c30773425 Environment-variable access.
repo/backend/open_webui/config.py:589
MILVUS_TOKEN = os.getenv('MILVUS_TOKEN', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #88b09612f5c7c94f Environment-variable access.
repo/backend/open_webui/config.py:590
MILVUS_INDEX_TYPE = os.getenv('MILVUS_INDEX_TYPE', 'HNSW')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d05cde9bcb18a2df Environment-variable access.
repo/backend/open_webui/config.py:591
MILVUS_METRIC_TYPE = os.getenv('MILVUS_METRIC_TYPE', 'COSINE')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9c841c8273c425c6 Environment-variable access.
repo/backend/open_webui/config.py:592
MILVUS_HNSW_M = int(os.getenv('MILVUS_HNSW_M', '16'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a7fe9c9f15af6cc0 Environment-variable access.
repo/backend/open_webui/config.py:593
MILVUS_HNSW_EFCONSTRUCTION = int(os.getenv('MILVUS_HNSW_EFCONSTRUCTION', '100'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d62f8ed334620614 Environment-variable access.
repo/backend/open_webui/config.py:594
MILVUS_IVF_FLAT_NLIST = int(os.getenv('MILVUS_IVF_FLAT_NLIST', '128'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8843eddd04d657cb Environment-variable access.
repo/backend/open_webui/config.py:595
MILVUS_DISKANN_MAX_DEGREE = int(os.getenv('MILVUS_DISKANN_MAX_DEGREE', '56'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6a790f201e3d92f8 Environment-variable access.
repo/backend/open_webui/config.py:596
MILVUS_DISKANN_SEARCH_LIST_SIZE = int(os.getenv('MILVUS_DISKANN_SEARCH_LIST_SIZE', '100'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6a0d9334a9c26dc7 Environment-variable access.
repo/backend/open_webui/config.py:597
ENABLE_MILVUS_MULTITENANCY_MODE = os.getenv('ENABLE_MILVUS_MULTITENANCY_MODE', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #51703947164ba7c7 Environment-variable access.
repo/backend/open_webui/config.py:599
MILVUS_COLLECTION_PREFIX = os.getenv('MILVUS_COLLECTION_PREFIX', 'open_webui')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #476f5b7fda9b6622 Environment-variable access.
repo/backend/open_webui/config.py:602
QDRANT_URI = os.getenv('QDRANT_URI', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ba97bd77f47483d8 Environment-variable access.
repo/backend/open_webui/config.py:603
QDRANT_API_KEY = os.getenv('QDRANT_API_KEY', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #905cdfc0406913a8 Environment-variable access.
repo/backend/open_webui/config.py:604
QDRANT_ON_DISK = os.getenv('QDRANT_ON_DISK', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #777c6600c518b076 Environment-variable access.
repo/backend/open_webui/config.py:605
QDRANT_PREFER_GRPC = os.getenv('QDRANT_PREFER_GRPC', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4345bdb3596eb033 Environment-variable access.
repo/backend/open_webui/config.py:606
QDRANT_GRPC_PORT = int(os.getenv('QDRANT_GRPC_PORT', '6334'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #93b35f921442c501 Environment-variable access.
repo/backend/open_webui/config.py:607
QDRANT_TIMEOUT = int(os.getenv('QDRANT_TIMEOUT', '5'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df54734021aea60e Environment-variable access.
repo/backend/open_webui/config.py:608
QDRANT_HNSW_M = int(os.getenv('QDRANT_HNSW_M', '16'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #972b1a62d6654a47 Environment-variable access.
repo/backend/open_webui/config.py:609
ENABLE_QDRANT_MULTITENANCY_MODE = os.getenv('ENABLE_QDRANT_MULTITENANCY_MODE', 'true').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c7868c26067e0446 Environment-variable access.
repo/backend/open_webui/config.py:610
QDRANT_COLLECTION_PREFIX = os.getenv('QDRANT_COLLECTION_PREFIX', 'open-webui')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #caf2159c6aa9a905 Environment-variable access.
repo/backend/open_webui/config.py:612
WEAVIATE_HTTP_HOST = os.getenv('WEAVIATE_HTTP_HOST', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b3e4559714fb1710 Environment-variable access.
repo/backend/open_webui/config.py:613
WEAVIATE_GRPC_HOST = os.getenv('WEAVIATE_GRPC_HOST', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e940827cd79ffaa3 Environment-variable access.
repo/backend/open_webui/config.py:614
WEAVIATE_HTTP_PORT = int(os.getenv('WEAVIATE_HTTP_PORT', '8080'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #650be4d2a2bc2b2d Environment-variable access.
repo/backend/open_webui/config.py:615
WEAVIATE_GRPC_PORT = int(os.getenv('WEAVIATE_GRPC_PORT', '50051'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4cc9aa85a99f3c6d Environment-variable access.
repo/backend/open_webui/config.py:616
WEAVIATE_API_KEY = os.getenv('WEAVIATE_API_KEY')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40399942cb8f9c94 Environment-variable access.
repo/backend/open_webui/config.py:617
WEAVIATE_HTTP_SECURE = os.getenv('WEAVIATE_HTTP_SECURE', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4be5873f3cc43289 Environment-variable access.
repo/backend/open_webui/config.py:618
WEAVIATE_GRPC_SECURE = os.getenv('WEAVIATE_GRPC_SECURE', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #daf4349aec15408b Environment-variable access.
repo/backend/open_webui/config.py:619
WEAVIATE_SKIP_INIT_CHECKS = os.getenv('WEAVIATE_SKIP_INIT_CHECKS', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #155d9ff37e7f13ec Environment-variable access.
repo/backend/open_webui/config.py:622
OPENSEARCH_URI = os.getenv('OPENSEARCH_URI', 'https://localhost:9200')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d34185a3853987e5 Environment-variable access.
repo/backend/open_webui/config.py:623
OPENSEARCH_SSL = os.getenv('OPENSEARCH_SSL', 'true').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c9986bc0228ebedf Environment-variable access.
repo/backend/open_webui/config.py:624
OPENSEARCH_CERT_VERIFY = os.getenv('OPENSEARCH_CERT_VERIFY', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0ca79cdcaf2896fb Environment-variable access.
repo/backend/open_webui/config.py:625
OPENSEARCH_USERNAME = os.getenv('OPENSEARCH_USERNAME', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f7cbcc10c87007d5 Environment-variable access.
repo/backend/open_webui/config.py:626
OPENSEARCH_PASSWORD = os.getenv('OPENSEARCH_PASSWORD', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2aa5d46cf0219011 Environment-variable access.
repo/backend/open_webui/config.py:629
ELASTICSEARCH_URL = os.getenv('ELASTICSEARCH_URL', 'https://localhost:9200')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #63688483fa3caab6 Environment-variable access.
repo/backend/open_webui/config.py:630
ELASTICSEARCH_CA_CERTS = os.getenv('ELASTICSEARCH_CA_CERTS', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3bfbb86505bb1165 Environment-variable access.
repo/backend/open_webui/config.py:631
ELASTICSEARCH_API_KEY = os.getenv('ELASTICSEARCH_API_KEY', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #73af8db101ba30bb Environment-variable access.
repo/backend/open_webui/config.py:632
ELASTICSEARCH_USERNAME = os.getenv('ELASTICSEARCH_USERNAME', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #423898136c31f5ea Environment-variable access.
repo/backend/open_webui/config.py:633
ELASTICSEARCH_PASSWORD = os.getenv('ELASTICSEARCH_PASSWORD', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3e2a84622ecd9d08 Environment-variable access.
repo/backend/open_webui/config.py:634
ELASTICSEARCH_CLOUD_ID = os.getenv('ELASTICSEARCH_CLOUD_ID', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #053d79e2af1ebbd7 Environment-variable access.
repo/backend/open_webui/config.py:635
SSL_ASSERT_FINGERPRINT = os.getenv('SSL_ASSERT_FINGERPRINT', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #36e5bdf5c9a37ee6 Environment-variable access.
repo/backend/open_webui/config.py:636
ELASTICSEARCH_INDEX_PREFIX = os.getenv('ELASTICSEARCH_INDEX_PREFIX', 'open_webui_collections')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3139af5be03b4a0f Environment-variable access.
repo/backend/open_webui/config.py:638
PGVECTOR_DB_URL = os.getenv('PGVECTOR_DB_URL', DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3c419fb05d04fbae Environment-variable access.
repo/backend/open_webui/config.py:643
PGVECTOR_INITIALIZE_MAX_VECTOR_LENGTH = int(os.getenv('PGVECTOR_INITIALIZE_MAX_VECTOR_LENGTH', '1536'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4c8fd91f633debca Environment-variable access.
repo/backend/open_webui/config.py:645
PGVECTOR_USE_HALFVEC = os.getenv('PGVECTOR_USE_HALFVEC', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #52fe810b67b61bdd Environment-variable access.
repo/backend/open_webui/config.py:655
PGVECTOR_CREATE_EXTENSION = os.getenv('PGVECTOR_CREATE_EXTENSION', 'true').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #095b16cfe4474b45 Environment-variable access.
repo/backend/open_webui/config.py:656
PGVECTOR_PGCRYPTO = os.getenv('PGVECTOR_PGCRYPTO', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #87e6c01198adfbbe Environment-variable access.
repo/backend/open_webui/config.py:657
PGVECTOR_PGCRYPTO_KEY = os.getenv('PGVECTOR_PGCRYPTO_KEY', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f52753caa7fa7267 Environment-variable access.
repo/backend/open_webui/config.py:662
PGVECTOR_POOL_SIZE = os.getenv('PGVECTOR_POOL_SIZE', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd7c6c153ece14c6 Environment-variable access.
repo/backend/open_webui/config.py:670
PGVECTOR_POOL_MAX_OVERFLOW = os.getenv('PGVECTOR_POOL_MAX_OVERFLOW', 0)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #849ea58000bf21df Environment-variable access.
repo/backend/open_webui/config.py:680
PGVECTOR_POOL_TIMEOUT = os.getenv('PGVECTOR_POOL_TIMEOUT', 30)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ed96252867228a00 Environment-variable access.
repo/backend/open_webui/config.py:690
PGVECTOR_POOL_RECYCLE = os.getenv('PGVECTOR_POOL_RECYCLE', 3600)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b2de800381eec4c9 Environment-variable access.
repo/backend/open_webui/config.py:700
PGVECTOR_INDEX_METHOD = os.getenv('PGVECTOR_INDEX_METHOD', '').strip().lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #53ff7d4bb053b8aa Environment-variable access.
repo/backend/open_webui/config.py:704
PGVECTOR_HNSW_M = os.getenv('PGVECTOR_HNSW_M', 16)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #53df556e7a961bc4 Environment-variable access.
repo/backend/open_webui/config.py:714
PGVECTOR_HNSW_EF_CONSTRUCTION = os.getenv('PGVECTOR_HNSW_EF_CONSTRUCTION', 64)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2f9cb581696435d6 Environment-variable access.
repo/backend/open_webui/config.py:724
PGVECTOR_IVFFLAT_LISTS = os.getenv('PGVECTOR_IVFFLAT_LISTS', 100)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0e19dec8791ce3e3 Environment-variable access.
repo/backend/open_webui/config.py:735
OPENGAUSS_DB_URL = os.getenv('OPENGAUSS_DB_URL', DATABASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c44e283e9b2326bc Environment-variable access.
repo/backend/open_webui/config.py:737
OPENGAUSS_INITIALIZE_MAX_VECTOR_LENGTH = int(os.getenv('OPENGAUSS_INITIALIZE_MAX_VECTOR_LENGTH', '1536'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #518b3c3d83459912 Environment-variable access.
repo/backend/open_webui/config.py:739
OPENGAUSS_POOL_SIZE = os.getenv('OPENGAUSS_POOL_SIZE', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7bed1e89adac2577 Environment-variable access.
repo/backend/open_webui/config.py:747
OPENGAUSS_POOL_MAX_OVERFLOW = os.getenv('OPENGAUSS_POOL_MAX_OVERFLOW', 0)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #89af30c0fe28768a Environment-variable access.
repo/backend/open_webui/config.py:757
OPENGAUSS_POOL_TIMEOUT = os.getenv('OPENGAUSS_POOL_TIMEOUT', 30)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c1ead6580c045556 Environment-variable access.
repo/backend/open_webui/config.py:767
OPENGAUSS_POOL_RECYCLE = os.getenv('OPENGAUSS_POOL_RECYCLE', 3600)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4bcb9579579a42de Environment-variable access.
repo/backend/open_webui/config.py:778
PINECONE_API_KEY = os.getenv('PINECONE_API_KEY', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3837ac5be116a50e Environment-variable access.
repo/backend/open_webui/config.py:779
PINECONE_ENVIRONMENT = os.getenv('PINECONE_ENVIRONMENT', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9f699027da9032eb Environment-variable access.
repo/backend/open_webui/config.py:780
PINECONE_INDEX_NAME = os.getenv('PINECONE_INDEX_NAME', 'open-webui-index')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #197000cf7c454dfe Environment-variable access.
repo/backend/open_webui/config.py:781
PINECONE_DIMENSION = int(os.getenv('PINECONE_DIMENSION', 1536))  # or 3072, 1024, 768

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #54616034cd11446c Environment-variable access.
repo/backend/open_webui/config.py:782
PINECONE_METRIC = os.getenv('PINECONE_METRIC', 'cosine')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eea37089953696f2 Environment-variable access.
repo/backend/open_webui/config.py:783
PINECONE_CLOUD = os.getenv('PINECONE_CLOUD', 'aws')  # or "gcp" or "azure"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2315f1da06cc9618 Environment-variable access.
repo/backend/open_webui/config.py:787
ORACLE_DB_USE_WALLET = os.getenv('ORACLE_DB_USE_WALLET', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6910436f1e77ab15 Environment-variable access.
repo/backend/open_webui/config.py:788
ORACLE_DB_USER = os.getenv('ORACLE_DB_USER', None)  #

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6440a21791168518 Environment-variable access.
repo/backend/open_webui/config.py:789
ORACLE_DB_PASSWORD = os.getenv('ORACLE_DB_PASSWORD', None)  #

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #745f4f7ee9bf3780 Environment-variable access.
repo/backend/open_webui/config.py:790
ORACLE_DB_DSN = os.getenv('ORACLE_DB_DSN', None)  #

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c3a9675880cfffb5 Environment-variable access.
repo/backend/open_webui/config.py:791
ORACLE_WALLET_DIR = os.getenv('ORACLE_WALLET_DIR', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c4bc98c1e29986bd Environment-variable access.
repo/backend/open_webui/config.py:792
ORACLE_WALLET_PASSWORD = os.getenv('ORACLE_WALLET_PASSWORD', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c7c8729fa8a14a0e Environment-variable access.
repo/backend/open_webui/config.py:793
ORACLE_VECTOR_LENGTH = os.getenv('ORACLE_VECTOR_LENGTH', 768)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0685268d1801bbd9 Environment-variable access.
repo/backend/open_webui/config.py:795
ORACLE_DB_POOL_MIN = int(os.getenv('ORACLE_DB_POOL_MIN', 2))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2225151da1bd1b0c Environment-variable access.
repo/backend/open_webui/config.py:796
ORACLE_DB_POOL_MAX = int(os.getenv('ORACLE_DB_POOL_MAX', 10))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a0383e9d641848a7 Environment-variable access.
repo/backend/open_webui/config.py:797
ORACLE_DB_POOL_INCREMENT = int(os.getenv('ORACLE_DB_POOL_INCREMENT', 1))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #571470f8d3b5c70d Environment-variable access.
repo/backend/open_webui/config.py:811
S3_VECTOR_BUCKET_NAME = os.getenv('S3_VECTOR_BUCKET_NAME', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8537769f3382e64b Environment-variable access.
repo/backend/open_webui/config.py:812
S3_VECTOR_REGION = os.getenv('S3_VECTOR_REGION', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0faba56998e50c06 Environment-variable access.
repo/backend/open_webui/config.py:815
VALKEY_URL = os.getenv('VALKEY_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e56eb3d16e871f16 Environment-variable access.
repo/backend/open_webui/config.py:816
VALKEY_COLLECTION_PREFIX = os.getenv('VALKEY_COLLECTION_PREFIX', 'open_webui')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e48b64dd668aaaa2 Environment-variable access.
repo/backend/open_webui/config.py:817
VALKEY_INDEX_TYPE = os.getenv('VALKEY_INDEX_TYPE', 'HNSW').upper()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dc4915dc0e962378 Environment-variable access.
repo/backend/open_webui/config.py:818
VALKEY_DISTANCE_METRIC = os.getenv('VALKEY_DISTANCE_METRIC', 'COSINE').upper()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d72fe934c4abadc1 Environment-variable access.
repo/backend/open_webui/config.py:819
VALKEY_HNSW_M = int(os.getenv('VALKEY_HNSW_M', '16'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #77631f4b5cfce93e Environment-variable access.
repo/backend/open_webui/config.py:820
VALKEY_HNSW_EF_CONSTRUCTION = int(os.getenv('VALKEY_HNSW_EF_CONSTRUCTION', '200'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4e2de86d3391c431 Environment-variable access.
repo/backend/open_webui/config.py:821
VALKEY_HNSW_EF_RUNTIME = int(os.getenv('VALKEY_HNSW_EF_RUNTIME', '10'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #63a6d5d72771ca11 Environment-variable access.
repo/backend/open_webui/config.py:829
ENABLE_GOOGLE_DRIVE_INTEGRATION = os.getenv('ENABLE_GOOGLE_DRIVE_INTEGRATION', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #38ac4734c1e2bffe Environment-variable access.
repo/backend/open_webui/config.py:831
GOOGLE_DRIVE_CLIENT_ID = os.getenv('GOOGLE_DRIVE_CLIENT_ID', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #441a7252821d2e51 Environment-variable access.
repo/backend/open_webui/config.py:833
GOOGLE_DRIVE_API_KEY = os.getenv('GOOGLE_DRIVE_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0a24faa47f4313b4 Environment-variable access.
repo/backend/open_webui/config.py:835
ENABLE_ONEDRIVE_INTEGRATION = os.getenv('ENABLE_ONEDRIVE_INTEGRATION', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6d14a8c91ed74a79 Environment-variable access.
repo/backend/open_webui/config.py:838
ONEDRIVE_CLIENT_ID = os.getenv('ONEDRIVE_CLIENT_ID', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fcc8706ec401b7ab Environment-variable access.
repo/backend/open_webui/config.py:839
ONEDRIVE_CLIENT_ID_PERSONAL = os.getenv('ONEDRIVE_CLIENT_ID_PERSONAL', ONEDRIVE_CLIENT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f889fe566fda0e86 Environment-variable access.
repo/backend/open_webui/config.py:840
ONEDRIVE_CLIENT_ID_BUSINESS = os.getenv('ONEDRIVE_CLIENT_ID_BUSINESS', ONEDRIVE_CLIENT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f6ea84550af272d8 Environment-variable access.
repo/backend/open_webui/config.py:842
ENABLE_ONEDRIVE_PERSONAL = os.getenv('ENABLE_ONEDRIVE_PERSONAL', 'True').lower() == 'true' and bool(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #05753e46e21cd0de Environment-variable access.
repo/backend/open_webui/config.py:845
ENABLE_ONEDRIVE_BUSINESS = os.getenv('ENABLE_ONEDRIVE_BUSINESS', 'True').lower() == 'true' and bool(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7f39f3941b7015e6 Environment-variable access.
repo/backend/open_webui/config.py:849
ONEDRIVE_SHAREPOINT_URL = os.getenv('ONEDRIVE_SHAREPOINT_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3c126c3f424368c2 Environment-variable access.
repo/backend/open_webui/config.py:851
ONEDRIVE_SHAREPOINT_TENANT_ID = os.getenv('ONEDRIVE_SHAREPOINT_TENANT_ID', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f836d17af8a9d39b Environment-variable access.
repo/backend/open_webui/config.py:854
CONTENT_EXTRACTION_ENGINE = os.getenv('CONTENT_EXTRACTION_ENGINE', '').lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #11aa6a8107f06dad Environment-variable access.
repo/backend/open_webui/config.py:856
DATALAB_MARKER_API_KEY = os.getenv('DATALAB_MARKER_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c06791070de9d30b Environment-variable access.
repo/backend/open_webui/config.py:858
DATALAB_MARKER_API_BASE_URL = os.getenv('DATALAB_MARKER_API_BASE_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a07a60ef93cd4106 Environment-variable access.
repo/backend/open_webui/config.py:860
DATALAB_MARKER_ADDITIONAL_CONFIG = os.getenv('DATALAB_MARKER_ADDITIONAL_CONFIG', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #73cb764653d1b364 Environment-variable access.
repo/backend/open_webui/config.py:862
DATALAB_MARKER_USE_LLM = os.getenv('DATALAB_MARKER_USE_LLM', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a73b54244e9870a7 Environment-variable access.
repo/backend/open_webui/config.py:864
DATALAB_MARKER_SKIP_CACHE = os.getenv('DATALAB_MARKER_SKIP_CACHE', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c8cf243e8346ca75 Environment-variable access.
repo/backend/open_webui/config.py:866
DATALAB_MARKER_FORCE_OCR = os.getenv('DATALAB_MARKER_FORCE_OCR', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #90d609ee9565585e Environment-variable access.
repo/backend/open_webui/config.py:868
DATALAB_MARKER_PAGINATE = os.getenv('DATALAB_MARKER_PAGINATE', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #823579cbb9565d6d Environment-variable access.
repo/backend/open_webui/config.py:870
DATALAB_MARKER_STRIP_EXISTING_OCR = os.getenv('DATALAB_MARKER_STRIP_EXISTING_OCR', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3fd9db15a7055939 Environment-variable access.
repo/backend/open_webui/config.py:873
    os.getenv('DATALAB_MARKER_DISABLE_IMAGE_EXTRACTION', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c07e9403bc5516b2 Environment-variable access.
repo/backend/open_webui/config.py:876
DATALAB_MARKER_FORMAT_LINES = os.getenv('DATALAB_MARKER_FORMAT_LINES', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1e68eb598d38e662 Environment-variable access.
repo/backend/open_webui/config.py:878
DATALAB_MARKER_OUTPUT_FORMAT = os.getenv('DATALAB_MARKER_OUTPUT_FORMAT', 'markdown')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7912ef1423dab7aa Environment-variable access.
repo/backend/open_webui/config.py:880
MINERU_API_MODE = os.getenv('MINERU_API_MODE', 'local')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f1a8c3b3fb5fbfdd Environment-variable access.
repo/backend/open_webui/config.py:882
MINERU_API_URL = os.getenv('MINERU_API_URL', 'http://localhost:8000')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ba7fe18904efd6f Environment-variable access.
repo/backend/open_webui/config.py:884
MINERU_API_TIMEOUT = os.getenv('MINERU_API_TIMEOUT', '300')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #43893f70b062f59a Environment-variable access.
repo/backend/open_webui/config.py:886
MINERU_API_KEY = os.getenv('MINERU_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #859a80bb743c88b3 Environment-variable access.
repo/backend/open_webui/config.py:888
mineru_params = os.getenv('MINERU_PARAMS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2e32afe1a21e47e7 Environment-variable access.
repo/backend/open_webui/config.py:896
MINERU_FILE_EXTENSIONS = [ext.strip() for ext in os.getenv('MINERU_FILE_EXTENSIONS', 'pdf').split(',') if ext.strip()]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bcae9b426f88f0f2 Environment-variable access.
repo/backend/open_webui/config.py:898
EXTERNAL_DOCUMENT_LOADER_URL = os.getenv('EXTERNAL_DOCUMENT_LOADER_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cf524d1f1be29853 Environment-variable access.
repo/backend/open_webui/config.py:900
EXTERNAL_DOCUMENT_LOADER_API_KEY = os.getenv('EXTERNAL_DOCUMENT_LOADER_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7584199f34b70230 Environment-variable access.
repo/backend/open_webui/config.py:902
external_document_loader_headers = os.getenv('EXTERNAL_DOCUMENT_LOADER_HEADERS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #987e7c4ce989fd74 Environment-variable access.
repo/backend/open_webui/config.py:912
TIKA_SERVER_URL = os.getenv('TIKA_SERVER_URL', 'http://tika:9998')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #34fb72aa9e8c4eb4 Environment-variable access.
repo/backend/open_webui/config.py:914
DOCLING_SERVER_URL = os.getenv('DOCLING_SERVER_URL', 'http://docling:5001')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1e11b0603cabced0 Environment-variable access.
repo/backend/open_webui/config.py:916
DOCLING_API_KEY = os.getenv('DOCLING_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7c182e4e1c5f143b Environment-variable access.
repo/backend/open_webui/config.py:918
docling_params = os.getenv('DOCLING_PARAMS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fbf308225f452ad2 Environment-variable access.
repo/backend/open_webui/config.py:926
DOCUMENT_INTELLIGENCE_ENDPOINT = os.getenv('DOCUMENT_INTELLIGENCE_ENDPOINT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #852f984df4fbe2a1 Environment-variable access.
repo/backend/open_webui/config.py:928
DOCUMENT_INTELLIGENCE_KEY = os.getenv('DOCUMENT_INTELLIGENCE_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1b16f5172039c511 Environment-variable access.
repo/backend/open_webui/config.py:930
DOCUMENT_INTELLIGENCE_MODEL = os.getenv('DOCUMENT_INTELLIGENCE_MODEL', 'prebuilt-layout')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a4ad60e9eac64e17 Environment-variable access.
repo/backend/open_webui/config.py:932
MISTRAL_OCR_API_BASE_URL = os.getenv('MISTRAL_OCR_API_BASE_URL', 'https://api.mistral.ai/v1')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f1f3ce776a200284 Environment-variable access.
repo/backend/open_webui/config.py:934
MISTRAL_OCR_API_KEY = os.getenv('MISTRAL_OCR_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7fe6c31b7758dd0e Environment-variable access.
repo/backend/open_webui/config.py:936
MISTRAL_OCR_USE_BASE64 = os.getenv('MISTRAL_OCR_USE_BASE64', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1b20712f5ec1493c Environment-variable access.
repo/backend/open_webui/config.py:938
PADDLEOCR_VL_BASE_URL = os.getenv('PADDLEOCR_VL_BASE_URL', 'http://localhost:8080')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f05c4cf5b91eee63 Environment-variable access.
repo/backend/open_webui/config.py:940
PADDLEOCR_VL_TOKEN = os.getenv('PADDLEOCR_VL_TOKEN', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e69e761e697e24d6 Environment-variable access.
repo/backend/open_webui/config.py:942
BYPASS_EMBEDDING_AND_RETRIEVAL = os.getenv('BYPASS_EMBEDDING_AND_RETRIEVAL', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cbf8d026338fa440 Environment-variable access.
repo/backend/open_webui/config.py:945
RAG_TOP_K = int(os.getenv('RAG_TOP_K', '3'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3ffc3b0c9a23fee5 Environment-variable access.
repo/backend/open_webui/config.py:946
RAG_TOP_K_RERANKER = int(os.getenv('RAG_TOP_K_RERANKER', '3'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7b9d980575f4ca01 Environment-variable access.
repo/backend/open_webui/config.py:947
RAG_RELEVANCE_THRESHOLD = float(os.getenv('RAG_RELEVANCE_THRESHOLD', '0.0'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a6d68ab18852cdfd Environment-variable access.
repo/backend/open_webui/config.py:948
RAG_HYBRID_BM25_WEIGHT = float(os.getenv('RAG_HYBRID_BM25_WEIGHT', '0.5'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c8b4ec7f616d31a9 Environment-variable access.
repo/backend/open_webui/config.py:950
ENABLE_RAG_HYBRID_SEARCH = os.getenv('ENABLE_RAG_HYBRID_SEARCH', '').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4f04b5d900b62bf7 Environment-variable access.
repo/backend/open_webui/config.py:953
    os.getenv('ENABLE_RAG_HYBRID_SEARCH_ENRICHED_TEXTS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #88bedebf0a21c825 Environment-variable access.
repo/backend/open_webui/config.py:956
RAG_FULL_CONTEXT = os.getenv('RAG_FULL_CONTEXT', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ac794efd1ea0955d Environment-variable access.
repo/backend/open_webui/config.py:958
RAG_FILE_MAX_COUNT = int(os.getenv('RAG_FILE_MAX_COUNT')) if os.getenv('RAG_FILE_MAX_COUNT') else None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6af67377566cf528 Environment-variable access.
repo/backend/open_webui/config.py:960
RAG_FILE_MAX_SIZE = int(os.getenv('RAG_FILE_MAX_SIZE')) if os.getenv('RAG_FILE_MAX_SIZE') else None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8103caac841df9ad Environment-variable access.
repo/backend/open_webui/config.py:962
RAG_FILE_CONTENT_SEARCH_MAX_CHARS = int(os.getenv('RAG_FILE_CONTENT_SEARCH_MAX_CHARS', str(64 * 1024 * 1024)))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #85127c86d47fd8c7 Environment-variable access.
repo/backend/open_webui/config.py:965
    int(os.getenv('FILE_IMAGE_COMPRESSION_WIDTH')) if os.getenv('FILE_IMAGE_COMPRESSION_WIDTH') else None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #874e55025602d86b Environment-variable access.
repo/backend/open_webui/config.py:969
    int(os.getenv('FILE_IMAGE_COMPRESSION_HEIGHT')) if os.getenv('FILE_IMAGE_COMPRESSION_HEIGHT') else None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #705f071682af1b03 Environment-variable access.
repo/backend/open_webui/config.py:974
    ext.strip() for ext in os.getenv('RAG_ALLOWED_FILE_EXTENSIONS', '').split(',') if ext.strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1919234e2d9f4841 Environment-variable access.
repo/backend/open_webui/config.py:977
RAG_EMBEDDING_ENGINE = os.getenv('RAG_EMBEDDING_ENGINE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #98d77aefc09c3caf Environment-variable access.
repo/backend/open_webui/config.py:979
PDF_EXTRACT_IMAGES = os.getenv('PDF_EXTRACT_IMAGES', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ba5f4aacd99cbf7c Environment-variable access.
repo/backend/open_webui/config.py:981
PDF_LOADER_MODE = os.getenv('PDF_LOADER_MODE', 'page')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9e01150575067349 Environment-variable access.
repo/backend/open_webui/config.py:983
RAG_EMBEDDING_MODEL = os.getenv('RAG_EMBEDDING_MODEL', 'sentence-transformers/all-MiniLM-L6-v2')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4befb559606f212a Environment-variable access.
repo/backend/open_webui/config.py:986
RAG_TOKENIZER_MODEL = os.getenv('RAG_TOKENIZER_MODEL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #83a84f2eaac77006 Environment-variable access.
repo/backend/open_webui/config.py:989
    not OFFLINE_MODE and os.getenv('RAG_EMBEDDING_MODEL_AUTO_UPDATE', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b79e52ff6b4f1b67 Environment-variable access.
repo/backend/open_webui/config.py:992
RAG_EMBEDDING_MODEL_TRUST_REMOTE_CODE = os.getenv('RAG_EMBEDDING_MODEL_TRUST_REMOTE_CODE', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #270f537083cbfda6 Environment-variable access.
repo/backend/open_webui/config.py:995
    os.getenv('RAG_EMBEDDING_BATCH_SIZE') or os.getenv('RAG_EMBEDDING_OPENAI_BATCH_SIZE', '1')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aacecfd784c135a3 Environment-variable access.
repo/backend/open_webui/config.py:998
ENABLE_ASYNC_EMBEDDING = os.getenv('ENABLE_ASYNC_EMBEDDING', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #86f30335a903a16f Environment-variable access.
repo/backend/open_webui/config.py:1000
RAG_EMBEDDING_CONCURRENT_REQUESTS = int(os.getenv('RAG_EMBEDDING_CONCURRENT_REQUESTS', '0'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ff05e8351785b33 Environment-variable access.
repo/backend/open_webui/config.py:1002
RAG_EMBEDDING_QUERY_PREFIX = os.getenv('RAG_EMBEDDING_QUERY_PREFIX', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #58fc9308ebfa2593 Environment-variable access.
repo/backend/open_webui/config.py:1004
RAG_EMBEDDING_CONTENT_PREFIX = os.getenv('RAG_EMBEDDING_CONTENT_PREFIX', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #537cf191a63940a9 Environment-variable access.
repo/backend/open_webui/config.py:1006
RAG_EMBEDDING_PREFIX_FIELD_NAME = os.getenv('RAG_EMBEDDING_PREFIX_FIELD_NAME', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2e5ae714152dd514 Environment-variable access.
repo/backend/open_webui/config.py:1008
RAG_RERANKING_ENGINE = os.getenv('RAG_RERANKING_ENGINE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f062d99337c93347 Environment-variable access.
repo/backend/open_webui/config.py:1010
RAG_RERANKING_MODEL = os.getenv('RAG_RERANKING_MODEL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #daf1ff2bb06ef706 Environment-variable access.
repo/backend/open_webui/config.py:1016
    not OFFLINE_MODE and os.getenv('RAG_RERANKING_MODEL_AUTO_UPDATE', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #60cbaf9491465ae3 Environment-variable access.
repo/backend/open_webui/config.py:1019
RAG_RERANKING_MODEL_TRUST_REMOTE_CODE = os.getenv('RAG_RERANKING_MODEL_TRUST_REMOTE_CODE', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #10316560ec65bc30 Environment-variable access.
repo/backend/open_webui/config.py:1021
RAG_RERANKING_BATCH_SIZE = int(os.getenv('RAG_RERANKING_BATCH_SIZE', '32'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7ef9e91792400dfc Environment-variable access.
repo/backend/open_webui/config.py:1023
RAG_EXTERNAL_RERANKER_URL = os.getenv('RAG_EXTERNAL_RERANKER_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2bad21edff63a427 Environment-variable access.
repo/backend/open_webui/config.py:1025
RAG_EXTERNAL_RERANKER_API_KEY = os.getenv('RAG_EXTERNAL_RERANKER_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #61422aeaf3858951 Environment-variable access.
repo/backend/open_webui/config.py:1027
RAG_EXTERNAL_RERANKER_TIMEOUT = os.getenv('RAG_EXTERNAL_RERANKER_TIMEOUT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2251d0e43d130d38 Environment-variable access.
repo/backend/open_webui/config.py:1030
RAG_TEXT_SPLITTER = os.getenv('RAG_TEXT_SPLITTER', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #df6d4955bce7a24a Environment-variable access.
repo/backend/open_webui/config.py:1032
ENABLE_MARKDOWN_HEADER_TEXT_SPLITTER = os.getenv('ENABLE_MARKDOWN_HEADER_TEXT_SPLITTER', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #626b0c1ed0edb63d Environment-variable access.
repo/backend/open_webui/config.py:1035
TIKTOKEN_CACHE_DIR = os.getenv('TIKTOKEN_CACHE_DIR', f'{CACHE_DIR}/tiktoken')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #653d902292a9b524 Environment-variable access.
repo/backend/open_webui/config.py:1036
TIKTOKEN_ENCODING_NAME = os.getenv('TIKTOKEN_ENCODING_NAME', 'cl100k_base')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #979f8e0f13ff71de Environment-variable access.
repo/backend/open_webui/config.py:1039
CHUNK_SIZE = int(os.getenv('CHUNK_SIZE', '1000'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f457a3fde498827c Environment-variable access.
repo/backend/open_webui/config.py:1041
CHUNK_MIN_SIZE_TARGET = int(os.getenv('CHUNK_MIN_SIZE_TARGET', '0'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1cc9f2b58fa6b2f7 Environment-variable access.
repo/backend/open_webui/config.py:1043
CHUNK_OVERLAP = int(os.getenv('CHUNK_OVERLAP', '100'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #77ede2ed78f29853 Environment-variable access.
repo/backend/open_webui/config.py:1071
RAG_TEMPLATE = os.getenv('RAG_TEMPLATE', DEFAULT_RAG_TEMPLATE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #24a325e74372a976 Environment-variable access.
repo/backend/open_webui/config.py:1073
RAG_OPENAI_API_BASE_URL = os.getenv('RAG_OPENAI_API_BASE_URL', OPENAI_API_BASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #69265f27fb4848e5 Environment-variable access.
repo/backend/open_webui/config.py:1074
RAG_OPENAI_API_KEY = os.getenv('RAG_OPENAI_API_KEY', OPENAI_API_KEY)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d2ecb552c74dbb44 Environment-variable access.
repo/backend/open_webui/config.py:1076
RAG_AZURE_OPENAI_BASE_URL = os.getenv('RAG_AZURE_OPENAI_BASE_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c36f0985bbc32078 Environment-variable access.
repo/backend/open_webui/config.py:1077
RAG_AZURE_OPENAI_API_KEY = os.getenv('RAG_AZURE_OPENAI_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bd5f60eaa8456c2c Environment-variable access.
repo/backend/open_webui/config.py:1078
RAG_AZURE_OPENAI_API_VERSION = os.getenv('RAG_AZURE_OPENAI_API_VERSION', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fda0c96ee7be8739 Environment-variable access.
repo/backend/open_webui/config.py:1080
RAG_OLLAMA_BASE_URL = os.getenv('RAG_OLLAMA_BASE_URL', OLLAMA_BASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5ddaf5f06734814e Environment-variable access.
repo/backend/open_webui/config.py:1082
RAG_OLLAMA_API_KEY = os.getenv('RAG_OLLAMA_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0e842ed4746b4bd0 Environment-variable access.
repo/backend/open_webui/config.py:1086
    os.getenv(
        'ENABLE_LOCAL_WEB_FETCH',
        os.getenv('ENABLE_RAG_LOCAL_WEB_FETCH', 'False'),
    ).lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be759e5557ac2de4 Environment-variable access.
repo/backend/open_webui/config.py:1088
        os.getenv('ENABLE_RAG_LOCAL_WEB_FETCH', 'False'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f0a90e69a0938497 Environment-variable access.
repo/backend/open_webui/config.py:1104
web_fetch_filter_list = os.getenv('WEB_FETCH_FILTER_LIST', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a4bcb1a2e9bb1a23 Environment-variable access.
repo/backend/open_webui/config.py:1113
YOUTUBE_LOADER_LANGUAGE = os.getenv('YOUTUBE_LOADER_LANGUAGE', 'en').split(',')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8272b21c7c3ec7ba Environment-variable access.
repo/backend/open_webui/config.py:1115
YOUTUBE_LOADER_PROXY_URL = os.getenv('YOUTUBE_LOADER_PROXY_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5eefb72ada1097e2 Environment-variable access.
repo/backend/open_webui/config.py:1122
ENABLE_WEB_SEARCH = os.getenv('ENABLE_WEB_SEARCH', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a7e091bdd35a545 Environment-variable access.
repo/backend/open_webui/config.py:1124
ENABLE_WEB_SEARCH_CONFIRMATION = os.getenv('ENABLE_WEB_SEARCH_CONFIRMATION', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eb2bfdca0179c01d Environment-variable access.
repo/backend/open_webui/config.py:1126
WEB_SEARCH_CONFIRMATION_CONTENT = os.getenv(
    'WEB_SEARCH_CONFIRMATION_CONTENT',
    'Your query will be sent to the configured web search provider.',
)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e6fb29d2e7a7e6d8 Environment-variable access.
repo/backend/open_webui/config.py:1131
WEB_SEARCH_ENGINE = os.getenv('WEB_SEARCH_ENGINE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8b11b349e929c3a0 Environment-variable access.
repo/backend/open_webui/config.py:1134
    os.getenv('BYPASS_WEB_SEARCH_EMBEDDING_AND_RETRIEVAL', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #792bfb8127727132 Environment-variable access.
repo/backend/open_webui/config.py:1138
BYPASS_WEB_SEARCH_WEB_LOADER = os.getenv('BYPASS_WEB_SEARCH_WEB_LOADER', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1740a72eb4e4befd Environment-variable access.
repo/backend/open_webui/config.py:1140
WEB_SEARCH_RESULT_COUNT = int(os.getenv('WEB_SEARCH_RESULT_COUNT', '3'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9d06887b7e833bca Environment-variable access.
repo/backend/open_webui/config.py:1144
    web_search_domain_filter_list = json.loads(os.getenv('WEB_SEARCH_DOMAIN_FILTER_LIST', '[]'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40b87f1b0f5dcadc Environment-variable access.
repo/backend/open_webui/config.py:1157
WEB_SEARCH_CONCURRENT_REQUESTS = int(os.getenv('WEB_SEARCH_CONCURRENT_REQUESTS', '0'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #72b127f7b8a62f3e Environment-variable access.
repo/backend/open_webui/config.py:1160
    int(os.getenv('WEB_FETCH_MAX_CONTENT_LENGTH')) if os.getenv('WEB_FETCH_MAX_CONTENT_LENGTH') else None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #16925a46705c8476 Environment-variable access.
repo/backend/open_webui/config.py:1163
WEB_LOADER_ENGINE = os.getenv('WEB_LOADER_ENGINE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae1557a41a6fa07b Environment-variable access.
repo/backend/open_webui/config.py:1166
WEB_LOADER_CONCURRENT_REQUESTS = int(os.getenv('WEB_LOADER_CONCURRENT_REQUESTS', '10'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #153263a4f3303dfa Environment-variable access.
repo/backend/open_webui/config.py:1168
WEB_LOADER_TIMEOUT = os.getenv('WEB_LOADER_TIMEOUT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e194fbac7489940d Environment-variable access.
repo/backend/open_webui/config.py:1171
ENABLE_WEB_LOADER_SSL_VERIFICATION = os.getenv('ENABLE_WEB_LOADER_SSL_VERIFICATION', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40cb3034eb2901a3 Environment-variable access.
repo/backend/open_webui/config.py:1173
WEB_SEARCH_TRUST_ENV = os.getenv('WEB_SEARCH_TRUST_ENV', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7d5e7e9d18e67f05 Environment-variable access.
repo/backend/open_webui/config.py:1176
OLLAMA_CLOUD_WEB_SEARCH_API_KEY = os.getenv('OLLAMA_CLOUD_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dd7ed223e01e76a3 Environment-variable access.
repo/backend/open_webui/config.py:1178
SEARXNG_QUERY_URL = os.getenv('SEARXNG_QUERY_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8febddc5e940eacf Environment-variable access.
repo/backend/open_webui/config.py:1180
SEARXNG_LANGUAGE = os.getenv('SEARXNG_LANGUAGE', 'all')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b4e3383c8e7a6643 Environment-variable access.
repo/backend/open_webui/config.py:1182
YACY_QUERY_URL = os.getenv('YACY_QUERY_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a43fc698dafdd00a Environment-variable access.
repo/backend/open_webui/config.py:1184
YACY_USERNAME = os.getenv('YACY_USERNAME', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e23fc256009274c3 Environment-variable access.
repo/backend/open_webui/config.py:1186
YACY_PASSWORD = os.getenv('YACY_PASSWORD', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f6a241e092c1d05b Environment-variable access.
repo/backend/open_webui/config.py:1188
GOOGLE_PSE_API_KEY = os.getenv('GOOGLE_PSE_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dd286f6ea023ce3f Environment-variable access.
repo/backend/open_webui/config.py:1190
GOOGLE_PSE_ENGINE_ID = os.getenv('GOOGLE_PSE_ENGINE_ID', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a9144ff8bf7e4eda Environment-variable access.
repo/backend/open_webui/config.py:1192
BRAVE_SEARCH_API_KEY = os.getenv('BRAVE_SEARCH_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8b86ad51c462b43b Environment-variable access.
repo/backend/open_webui/config.py:1194
BRAVE_SEARCH_CONTEXT_TOKENS = int(os.getenv('BRAVE_SEARCH_CONTEXT_TOKENS', '8192'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #81f2ce34d57c0ee6 Environment-variable access.
repo/backend/open_webui/config.py:1196
KAGI_SEARCH_API_KEY = os.getenv('KAGI_SEARCH_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a9b98511586c8715 Environment-variable access.
repo/backend/open_webui/config.py:1198
MOJEEK_SEARCH_API_KEY = os.getenv('MOJEEK_SEARCH_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7005c8d7d0e00a97 Environment-variable access.
repo/backend/open_webui/config.py:1200
BOCHA_SEARCH_API_KEY = os.getenv('BOCHA_SEARCH_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46f7d8f65df5b626 Environment-variable access.
repo/backend/open_webui/config.py:1202
SERPSTACK_API_KEY = os.getenv('SERPSTACK_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a4876adb4724332 Environment-variable access.
repo/backend/open_webui/config.py:1204
SERPSTACK_HTTPS = os.getenv('SERPSTACK_HTTPS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3e3a80b302a5d932 Environment-variable access.
repo/backend/open_webui/config.py:1206
SERPER_API_KEY = os.getenv('SERPER_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f83d5fcdd87df3c1 Environment-variable access.
repo/backend/open_webui/config.py:1208
SERPLY_API_KEY = os.getenv('SERPLY_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #88120933490e6718 Environment-variable access.
repo/backend/open_webui/config.py:1210
SERPHOUSE_API_KEY = os.getenv('SERPHOUSE_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a4b24f9aa04704e0 Environment-variable access.
repo/backend/open_webui/config.py:1212
SERPHOUSE_DOMAIN = os.getenv('SERPHOUSE_DOMAIN', 'google.com')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #552e07cedf367cfa Environment-variable access.
repo/backend/open_webui/config.py:1214
DDGS_BACKEND = os.getenv('DDGS_BACKEND', 'auto')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cfad6de27d2a424c Environment-variable access.
repo/backend/open_webui/config.py:1216
JINA_API_KEY = os.getenv('JINA_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #faafec748f5ddae9 Environment-variable access.
repo/backend/open_webui/config.py:1218
JINA_API_BASE_URL = os.getenv('JINA_API_BASE_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7cc4b7bbe0c07852 Environment-variable access.
repo/backend/open_webui/config.py:1220
SEARCHAPI_API_KEY = os.getenv('SEARCHAPI_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1d224764500f3021 Environment-variable access.
repo/backend/open_webui/config.py:1222
SEARCHAPI_ENGINE = os.getenv('SEARCHAPI_ENGINE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5d919ba16106c861 Environment-variable access.
repo/backend/open_webui/config.py:1224
SERPAPI_API_KEY = os.getenv('SERPAPI_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a0fb91609646ed3b Environment-variable access.
repo/backend/open_webui/config.py:1226
SERPAPI_ENGINE = os.getenv('SERPAPI_ENGINE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1f5a02e0eda8bb9b Environment-variable access.
repo/backend/open_webui/config.py:1228
BING_SEARCH_V7_ENDPOINT = os.getenv('BING_SEARCH_V7_ENDPOINT', 'https://api.bing.microsoft.com/v7.0/search')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ee23a5673699a9f Environment-variable access.
repo/backend/open_webui/config.py:1230
BING_SEARCH_V7_SUBSCRIPTION_KEY = os.getenv('BING_SEARCH_V7_SUBSCRIPTION_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #84a086cca14a45ab Environment-variable access.
repo/backend/open_webui/config.py:1232
AZURE_AI_SEARCH_API_KEY = os.getenv('AZURE_AI_SEARCH_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #97d5521441997d27 Environment-variable access.
repo/backend/open_webui/config.py:1234
AZURE_AI_SEARCH_ENDPOINT = os.getenv('AZURE_AI_SEARCH_ENDPOINT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a462e8dbbf8729fb Environment-variable access.
repo/backend/open_webui/config.py:1236
AZURE_AI_SEARCH_INDEX_NAME = os.getenv('AZURE_AI_SEARCH_INDEX_NAME', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1e933e31f61ba751 Environment-variable access.
repo/backend/open_webui/config.py:1238
EXA_API_KEY = os.getenv('EXA_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aaebbfae0c4adb46 Environment-variable access.
repo/backend/open_webui/config.py:1240
PERPLEXITY_API_KEY = os.getenv('PERPLEXITY_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #58904b7a140c9965 Environment-variable access.
repo/backend/open_webui/config.py:1242
PERPLEXITY_MODEL = os.getenv('PERPLEXITY_MODEL', 'sonar')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8f18d375aafbd980 Environment-variable access.
repo/backend/open_webui/config.py:1244
PERPLEXITY_SEARCH_CONTEXT_USAGE = os.getenv('PERPLEXITY_SEARCH_CONTEXT_USAGE', 'medium')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd9d2b9730ffd96e Environment-variable access.
repo/backend/open_webui/config.py:1246
PERPLEXITY_SEARCH_API_URL = os.getenv('PERPLEXITY_SEARCH_API_URL', 'https://api.perplexity.ai/search')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f169b6fd5ae77168 Environment-variable access.
repo/backend/open_webui/config.py:1248
MICROSOFT_WEB_IQ_API_BASE_URL = os.getenv('MICROSOFT_WEB_IQ_API_BASE_URL', 'https://api.microsoft.ai/v3')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8768edc09f446723 Environment-variable access.
repo/backend/open_webui/config.py:1250
MICROSOFT_WEB_IQ_API_KEY = os.getenv('MICROSOFT_WEB_IQ_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #55454469a0453c8c Environment-variable access.
repo/backend/open_webui/config.py:1252
MICROSOFT_WEB_IQ_LANGUAGE = os.getenv('MICROSOFT_WEB_IQ_LANGUAGE', 'en')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2f3106066c2aabe7 Environment-variable access.
repo/backend/open_webui/config.py:1254
SOUGOU_API_SID = os.getenv('SOUGOU_API_SID', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cfd94d6bfde9449e Environment-variable access.
repo/backend/open_webui/config.py:1256
SOUGOU_API_SK = os.getenv('SOUGOU_API_SK', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #85bdee2a1282c863 Environment-variable access.
repo/backend/open_webui/config.py:1258
TAVILY_API_KEY = os.getenv('TAVILY_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3bacb1939032a9cd Environment-variable access.
repo/backend/open_webui/config.py:1260
TAVILY_EXTRACT_DEPTH = os.getenv('TAVILY_EXTRACT_DEPTH', 'basic')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ba535c4d9494a5af Environment-variable access.
repo/backend/open_webui/config.py:1262
PLAYWRIGHT_WS_URL = os.getenv('PLAYWRIGHT_WS_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #19cafefc0f5db35f Environment-variable access.
repo/backend/open_webui/config.py:1264
PLAYWRIGHT_TIMEOUT = int(os.getenv('PLAYWRIGHT_TIMEOUT', '10000'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fe5ea440d4315e42 Environment-variable access.
repo/backend/open_webui/config.py:1266
FIRECRAWL_API_KEY = os.getenv('FIRECRAWL_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #72f3e6499d1dc7b7 Environment-variable access.
repo/backend/open_webui/config.py:1268
FIRECRAWL_API_BASE_URL = os.getenv('FIRECRAWL_API_BASE_URL', 'https://api.firecrawl.dev')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #77293911e55dd218 Environment-variable access.
repo/backend/open_webui/config.py:1270
FIRECRAWL_TIMEOUT = os.getenv('FIRECRAWL_TIMEOUT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cc09c6c4f7a8006d Environment-variable access.
repo/backend/open_webui/config.py:1272
EXTERNAL_WEB_SEARCH_URL = os.getenv('EXTERNAL_WEB_SEARCH_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #55d8a51f7272da3f Environment-variable access.
repo/backend/open_webui/config.py:1274
EXTERNAL_WEB_SEARCH_API_KEY = os.getenv('EXTERNAL_WEB_SEARCH_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ed3c042720e426ac Environment-variable access.
repo/backend/open_webui/config.py:1276
EXTERNAL_WEB_LOADER_URL = os.getenv('EXTERNAL_WEB_LOADER_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2334b607e2f01d8b Environment-variable access.
repo/backend/open_webui/config.py:1278
EXTERNAL_WEB_LOADER_API_KEY = os.getenv('EXTERNAL_WEB_LOADER_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #71d781fb3e587a8e Environment-variable access.
repo/backend/open_webui/config.py:1280
YANDEX_WEB_SEARCH_URL = os.getenv('YANDEX_WEB_SEARCH_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a22cc6babf32b4c8 Environment-variable access.
repo/backend/open_webui/config.py:1282
YANDEX_WEB_SEARCH_API_KEY = os.getenv('YANDEX_WEB_SEARCH_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #db8e46bad56b8e4c Environment-variable access.
repo/backend/open_webui/config.py:1284
YANDEX_WEB_SEARCH_CONFIG = os.getenv('YANDEX_WEB_SEARCH_CONFIG', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2a507ae15e6fe007 Environment-variable access.
repo/backend/open_webui/config.py:1286
YOUCOM_API_KEY = os.getenv('YOUCOM_API_KEY', os.getenv('YDC_API_KEY', ''))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d728863967d87022 Environment-variable access.
repo/backend/open_webui/config.py:1288
LINKUP_API_KEY = os.getenv('LINKUP_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #638ae7e0a951524d Environment-variable access.
repo/backend/open_webui/config.py:1290
linkup_search_params = os.getenv('LINKUP_SEARCH_PARAMS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #acdefbde0c7af392 Environment-variable access.
repo/backend/open_webui/config.py:1302
ENABLE_IMAGE_GENERATION = os.getenv('ENABLE_IMAGE_GENERATION', '').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ccaed8a42f241437 Environment-variable access.
repo/backend/open_webui/config.py:1304
IMAGE_GENERATION_ENGINE = os.getenv('IMAGE_GENERATION_ENGINE', 'openai')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9f1532cd8d917a46 Environment-variable access.
repo/backend/open_webui/config.py:1306
IMAGE_GENERATION_MODEL = os.getenv('IMAGE_GENERATION_MODEL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #079f411628e757c9 Environment-variable access.
repo/backend/open_webui/config.py:1309
IMAGE_AUTO_SIZE_MODELS_REGEX_PATTERN = os.getenv('IMAGE_AUTO_SIZE_MODELS_REGEX_PATTERN', '^gpt-image')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6e3fc3c08e608599 Environment-variable access.
repo/backend/open_webui/config.py:1312
IMAGE_URL_RESPONSE_MODELS_REGEX_PATTERN = os.getenv('IMAGE_URL_RESPONSE_MODELS_REGEX_PATTERN', '^gpt-image')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #98f6564968e26207 Environment-variable access.
repo/backend/open_webui/config.py:1314
IMAGE_SIZE = os.getenv('IMAGE_SIZE', '512x512')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d20d0c9dc7de7836 Environment-variable access.
repo/backend/open_webui/config.py:1316
IMAGE_STEPS = int(os.getenv('IMAGE_STEPS', 50))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6c8eae3a2b55b226 Environment-variable access.
repo/backend/open_webui/config.py:1318
ENABLE_IMAGE_PROMPT_GENERATION = os.getenv('ENABLE_IMAGE_PROMPT_GENERATION', 'true').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #33e635701eb70406 Environment-variable access.
repo/backend/open_webui/config.py:1320
AUTOMATIC1111_BASE_URL = os.getenv('AUTOMATIC1111_BASE_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #325c4b9156387570 Environment-variable access.
repo/backend/open_webui/config.py:1321
AUTOMATIC1111_API_AUTH = os.getenv('AUTOMATIC1111_API_AUTH', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1df3f1c129dafc9d Environment-variable access.
repo/backend/open_webui/config.py:1323
automatic1111_params = os.getenv('AUTOMATIC1111_PARAMS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1f43e5bf7bd29301 Environment-variable access.
repo/backend/open_webui/config.py:1331
COMFYUI_BASE_URL = os.getenv('COMFYUI_BASE_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e503862f8a4e31ef Environment-variable access.
repo/backend/open_webui/config.py:1333
COMFYUI_API_KEY = os.getenv('COMFYUI_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9968c7b96d5d6638 Environment-variable access.
repo/backend/open_webui/config.py:1446
COMFYUI_WORKFLOW = os.getenv('COMFYUI_WORKFLOW', COMFYUI_DEFAULT_WORKFLOW)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #98a9de56ce905f1a Environment-variable access.
repo/backend/open_webui/config.py:1448
comfyui_workflow_nodes = os.getenv('COMFYUI_WORKFLOW_NODES', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #455893892dffc2b7 Environment-variable access.
repo/backend/open_webui/config.py:1456
IMAGES_OPENAI_API_BASE_URL = os.getenv('IMAGES_OPENAI_API_BASE_URL', OPENAI_API_BASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fac454829e7e6dd1 Environment-variable access.
repo/backend/open_webui/config.py:1457
IMAGES_OPENAI_API_VERSION = os.getenv('IMAGES_OPENAI_API_VERSION', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #caa1d6e9c843a8ab Environment-variable access.
repo/backend/open_webui/config.py:1459
IMAGES_OPENAI_API_KEY = os.getenv('IMAGES_OPENAI_API_KEY', OPENAI_API_KEY)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eb12eed0b3b59858 Environment-variable access.
repo/backend/open_webui/config.py:1461
images_openai_params = os.getenv('IMAGES_OPENAI_PARAMS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2e41e612cdc167ff Environment-variable access.
repo/backend/open_webui/config.py:1471
IMAGES_GEMINI_API_BASE_URL = os.getenv('IMAGES_GEMINI_API_BASE_URL', GEMINI_API_BASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #19fef7515c66ba1b Environment-variable access.
repo/backend/open_webui/config.py:1472
IMAGES_GEMINI_API_KEY = os.getenv('IMAGES_GEMINI_API_KEY', GEMINI_API_KEY)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f6ab24bc0b9f88e7 Environment-variable access.
repo/backend/open_webui/config.py:1474
IMAGES_GEMINI_ENDPOINT_METHOD = os.getenv('IMAGES_GEMINI_ENDPOINT_METHOD', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #131360d22e1e8406 Environment-variable access.
repo/backend/open_webui/config.py:1476
ENABLE_IMAGE_EDIT = os.getenv('ENABLE_IMAGE_EDIT', '').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9ff616c90ce1efe9 Environment-variable access.
repo/backend/open_webui/config.py:1478
IMAGE_EDIT_ENGINE = os.getenv('IMAGE_EDIT_ENGINE', 'openai')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #66a87355669fb290 Environment-variable access.
repo/backend/open_webui/config.py:1480
IMAGE_EDIT_MODEL = os.getenv('IMAGE_EDIT_MODEL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bbabee7356aeaa3c Environment-variable access.
repo/backend/open_webui/config.py:1482
IMAGE_EDIT_SIZE = os.getenv('IMAGE_EDIT_SIZE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d874d17b8294591b Environment-variable access.
repo/backend/open_webui/config.py:1484
ENABLE_OPENAI_IMAGE_EDIT_NORMALIZATION = os.getenv('ENABLE_OPENAI_IMAGE_EDIT_NORMALIZATION', 'true').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7b848eed5c1525ec Environment-variable access.
repo/backend/open_webui/config.py:1486
IMAGES_EDIT_OPENAI_API_BASE_URL = os.getenv('IMAGES_EDIT_OPENAI_API_BASE_URL', OPENAI_API_BASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fc346616e30c2040 Environment-variable access.
repo/backend/open_webui/config.py:1487
IMAGES_EDIT_OPENAI_API_VERSION = os.getenv('IMAGES_EDIT_OPENAI_API_VERSION', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #298cb0b86e4b4ad2 Environment-variable access.
repo/backend/open_webui/config.py:1489
IMAGES_EDIT_OPENAI_API_KEY = os.getenv('IMAGES_EDIT_OPENAI_API_KEY', OPENAI_API_KEY)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #327d2a31db0ac84d Environment-variable access.
repo/backend/open_webui/config.py:1491
IMAGES_EDIT_GEMINI_API_BASE_URL = os.getenv('IMAGES_EDIT_GEMINI_API_BASE_URL', GEMINI_API_BASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ac6c34c4d5a11830 Environment-variable access.
repo/backend/open_webui/config.py:1492
IMAGES_EDIT_GEMINI_API_KEY = os.getenv('IMAGES_EDIT_GEMINI_API_KEY', GEMINI_API_KEY)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fb64667dbf5114a6 Environment-variable access.
repo/backend/open_webui/config.py:1495
IMAGES_EDIT_COMFYUI_BASE_URL = os.getenv('IMAGES_EDIT_COMFYUI_BASE_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a27dd041067a397e Environment-variable access.
repo/backend/open_webui/config.py:1496
IMAGES_EDIT_COMFYUI_API_KEY = os.getenv('IMAGES_EDIT_COMFYUI_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c40aaabb3bffb865 Environment-variable access.
repo/backend/open_webui/config.py:1498
IMAGES_EDIT_COMFYUI_WORKFLOW = os.getenv('IMAGES_EDIT_COMFYUI_WORKFLOW', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8df8bbf3eaf8514d Environment-variable access.
repo/backend/open_webui/config.py:1500
images_edit_comfyui_workflow_nodes = os.getenv('IMAGES_EDIT_COMFYUI_WORKFLOW_NODES', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #08a621a7dc1469c9 Environment-variable access.
repo/backend/open_webui/config.py:1513
WHISPER_MODEL = os.getenv('WHISPER_MODEL', 'base')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8cb640c3a5709787 Environment-variable access.
repo/backend/open_webui/config.py:1515
WHISPER_COMPUTE_TYPE = os.getenv('WHISPER_COMPUTE_TYPE', 'int8')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8b47cfef4f0999c3 Environment-variable access.
repo/backend/open_webui/config.py:1516
WHISPER_MODEL_DIR = os.getenv('WHISPER_MODEL_DIR', f'{CACHE_DIR}/whisper/models')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a094fd1bb764ed51 Environment-variable access.
repo/backend/open_webui/config.py:1517
WHISPER_MODEL_AUTO_UPDATE = not OFFLINE_MODE and os.getenv('WHISPER_MODEL_AUTO_UPDATE', '').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fab84ea1b25558c0 Environment-variable access.
repo/backend/open_webui/config.py:1519
WHISPER_VAD_FILTER = os.getenv('WHISPER_VAD_FILTER', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f89c536613fc0e12 Environment-variable access.
repo/backend/open_webui/config.py:1521
WHISPER_MULTILINGUAL = os.getenv('WHISPER_MULTILINGUAL', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e186b8806d159fff Environment-variable access.
repo/backend/open_webui/config.py:1523
WHISPER_LANGUAGE = os.getenv('WHISPER_LANGUAGE', '').lower() or None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2269b30cfd066b1e Environment-variable access.
repo/backend/open_webui/config.py:1526
DEEPGRAM_API_KEY = os.getenv('DEEPGRAM_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9f92ecc3c606b0b4 Environment-variable access.
repo/backend/open_webui/config.py:1529
ELEVENLABS_API_BASE_URL = os.getenv('ELEVENLABS_API_BASE_URL', 'https://api.elevenlabs.io')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e472c6d201f0e155 Environment-variable access.
repo/backend/open_webui/config.py:1531
AUDIO_STT_OPENAI_API_BASE_URL = os.getenv('AUDIO_STT_OPENAI_API_BASE_URL', OPENAI_API_BASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fec1acdb2bba89d5 Environment-variable access.
repo/backend/open_webui/config.py:1533
AUDIO_STT_OPENAI_API_KEY = os.getenv('AUDIO_STT_OPENAI_API_KEY', OPENAI_API_KEY)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b94857c04aef4081 Environment-variable access.
repo/backend/open_webui/config.py:1535
AUDIO_STT_OPENAI_API_REQUEST_FORMAT = os.getenv('AUDIO_STT_OPENAI_API_REQUEST_FORMAT', 'multipart')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b1c0400c8102ac54 Environment-variable access.
repo/backend/open_webui/config.py:1537
AUDIO_STT_ENGINE = os.getenv('AUDIO_STT_ENGINE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #be630a289cb5c7b8 Environment-variable access.
repo/backend/open_webui/config.py:1539
AUDIO_STT_MODEL = os.getenv('AUDIO_STT_MODEL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #57527fd425b0abdc Environment-variable access.
repo/backend/open_webui/config.py:1543
    for content_type in os.getenv('AUDIO_STT_SUPPORTED_CONTENT_TYPES', '').split(',')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a67012a3a84635a Environment-variable access.
repo/backend/open_webui/config.py:1549
    for ext in os.getenv(
        'AUDIO_STT_ALLOWED_EXTENSIONS',
        'mp3,wav,m4a,webm,ogg,flac,mp4,mpga,mpeg',
    ).split(',')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1c691a04ea9d1a27 Environment-variable access.
repo/backend/open_webui/config.py:1556
AUDIO_STT_AZURE_API_KEY = os.getenv('AUDIO_STT_AZURE_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c808530ce8a72b5c Environment-variable access.
repo/backend/open_webui/config.py:1558
AUDIO_STT_AZURE_REGION = os.getenv('AUDIO_STT_AZURE_REGION', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6bf7706f77e37d17 Environment-variable access.
repo/backend/open_webui/config.py:1560
AUDIO_STT_AZURE_LOCALES = os.getenv('AUDIO_STT_AZURE_LOCALES', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e03dc2673d9b0b3a Environment-variable access.
repo/backend/open_webui/config.py:1562
AUDIO_STT_AZURE_BASE_URL = os.getenv('AUDIO_STT_AZURE_BASE_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #95608bbec1df57b3 Environment-variable access.
repo/backend/open_webui/config.py:1564
AUDIO_STT_AZURE_MAX_SPEAKERS = os.getenv('AUDIO_STT_AZURE_MAX_SPEAKERS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1a8ab2bb1ec598d6 Environment-variable access.
repo/backend/open_webui/config.py:1566
AUDIO_STT_MISTRAL_API_KEY = os.getenv('AUDIO_STT_MISTRAL_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8e2bbef73920e410 Environment-variable access.
repo/backend/open_webui/config.py:1568
AUDIO_STT_MISTRAL_API_BASE_URL = os.getenv('AUDIO_STT_MISTRAL_API_BASE_URL', 'https://api.mistral.ai/v1')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bfa9d1116fc30aef Environment-variable access.
repo/backend/open_webui/config.py:1570
AUDIO_STT_MISTRAL_USE_CHAT_COMPLETIONS = os.getenv('AUDIO_STT_MISTRAL_USE_CHAT_COMPLETIONS', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d88ff747b2a28c8e Environment-variable access.
repo/backend/open_webui/config.py:1572
AUDIO_TTS_OPENAI_API_BASE_URL = os.getenv('AUDIO_TTS_OPENAI_API_BASE_URL', OPENAI_API_BASE_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c3b730c71033efef Environment-variable access.
repo/backend/open_webui/config.py:1573
AUDIO_TTS_OPENAI_API_KEY = os.getenv('AUDIO_TTS_OPENAI_API_KEY', OPENAI_API_KEY)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d67200af585baa65 Environment-variable access.
repo/backend/open_webui/config.py:1575
audio_tts_openai_params = os.getenv('AUDIO_TTS_OPENAI_PARAMS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fc8c35fbc03b1995 Environment-variable access.
repo/backend/open_webui/config.py:1584
AUDIO_TTS_API_KEY = os.getenv('AUDIO_TTS_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f2356d06675f2037 Environment-variable access.
repo/backend/open_webui/config.py:1586
AUDIO_TTS_ENGINE = os.getenv('AUDIO_TTS_ENGINE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e47714fea935703e Environment-variable access.
repo/backend/open_webui/config.py:1589
AUDIO_TTS_MODEL = os.getenv('AUDIO_TTS_MODEL', 'tts-1')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3ff69b942af2e8d5 Environment-variable access.
repo/backend/open_webui/config.py:1591
AUDIO_TTS_VOICE = os.getenv('AUDIO_TTS_VOICE', 'alloy')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a7e49315f9a3f493 Environment-variable access.
repo/backend/open_webui/config.py:1593
AUDIO_TTS_SPLIT_ON = os.getenv('AUDIO_TTS_SPLIT_ON', 'punctuation')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #325e0cac3fb1073b Environment-variable access.
repo/backend/open_webui/config.py:1595
AUDIO_TTS_AZURE_SPEECH_REGION = os.getenv('AUDIO_TTS_AZURE_SPEECH_REGION', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #91e834d942fdd18a Environment-variable access.
repo/backend/open_webui/config.py:1597
AUDIO_TTS_AZURE_SPEECH_BASE_URL = os.getenv('AUDIO_TTS_AZURE_SPEECH_BASE_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #44873cf4a0258d92 Environment-variable access.
repo/backend/open_webui/config.py:1599
AUDIO_TTS_AZURE_SPEECH_OUTPUT_FORMAT = os.getenv(
    'AUDIO_TTS_AZURE_SPEECH_OUTPUT_FORMAT', 'audio-24khz-160kbitrate-mono-mp3'
)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d99f268546d9e525 Environment-variable access.
repo/backend/open_webui/config.py:1603
AUDIO_TTS_MISTRAL_API_KEY = os.getenv('AUDIO_TTS_MISTRAL_API_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6721335ab7477630 Environment-variable access.
repo/backend/open_webui/config.py:1605
AUDIO_TTS_MISTRAL_API_BASE_URL = os.getenv('AUDIO_TTS_MISTRAL_API_BASE_URL', 'https://api.mistral.ai/v1')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aac1513e2308a09b Environment-variable access.
repo/backend/open_webui/config.py:1612
WEBUI_URL = os.getenv('WEBUI_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e7b4dcfef0275026 Environment-variable access.
repo/backend/open_webui/config.py:1615
ENABLE_SIGNUP = False if not WEBUI_AUTH else os.getenv('ENABLE_SIGNUP', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eff553648461d32e Environment-variable access.
repo/backend/open_webui/config.py:1617
ENABLE_LOGIN_FORM = os.getenv('ENABLE_LOGIN_FORM', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f586c3f97ccdf3cf Environment-variable access.
repo/backend/open_webui/config.py:1619
ENABLE_PASSWORD_CHANGE_FORM = os.getenv('ENABLE_PASSWORD_CHANGE_FORM', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f8c2334d6683cd82 Environment-variable access.
repo/backend/open_webui/config.py:1621
ENABLE_PASSWORD_AUTH = os.getenv('ENABLE_PASSWORD_AUTH', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #11abfb13e5a15bc8 Environment-variable access.
repo/backend/open_webui/config.py:1623
DEFAULT_LOCALE = os.getenv('DEFAULT_LOCALE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #86ffd03999897426 Environment-variable access.
repo/backend/open_webui/config.py:1625
DEFAULT_MODELS = os.getenv('DEFAULT_MODELS', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2ff7662a02129743 Environment-variable access.
repo/backend/open_webui/config.py:1627
DEFAULT_PINNED_MODELS = os.getenv('DEFAULT_PINNED_MODELS', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c4ecbd0c2e415452 Environment-variable access.
repo/backend/open_webui/config.py:1630
    default_prompt_suggestions = json.loads(os.getenv('DEFAULT_PROMPT_SUGGESTIONS', '[]'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f7a07d5ff8b53de2 Environment-variable access.
repo/backend/open_webui/config.py:1670
    default_model_metadata = json.loads(os.getenv('DEFAULT_MODEL_METADATA', '{}'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fb564d4d9aea3e9f Environment-variable access.
repo/backend/open_webui/config.py:1678
    default_model_params = json.loads(os.getenv('DEFAULT_MODEL_PARAMS', '{}'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #099f030d691e66ea Environment-variable access.
repo/backend/open_webui/config.py:1685
DEFAULT_USER_ROLE = os.getenv('DEFAULT_USER_ROLE', 'pending')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dcd34fe5b022dbf1 Environment-variable access.
repo/backend/open_webui/config.py:1687
DEFAULT_GROUP_ID = os.getenv('DEFAULT_GROUP_ID', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6b262aebbad87bac Environment-variable access.
repo/backend/open_webui/config.py:1689
PENDING_USER_OVERLAY_TITLE = os.getenv('PENDING_USER_OVERLAY_TITLE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c938ba83789d2289 Environment-variable access.
repo/backend/open_webui/config.py:1691
PENDING_USER_OVERLAY_CONTENT = os.getenv('PENDING_USER_OVERLAY_CONTENT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2f270d0d52fc7f61 Environment-variable access.
repo/backend/open_webui/config.py:1694
RESPONSE_WATERMARK = os.getenv('RESPONSE_WATERMARK', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #65d629fa7a734abf Environment-variable access.
repo/backend/open_webui/config.py:1696
IFRAME_CSP = os.getenv('IFRAME_CSP', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #23a7328f442b8471 Environment-variable access.
repo/backend/open_webui/config.py:1699
    os.getenv('USER_PERMISSIONS_WORKSPACE_MODELS_ACCESS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3199f8ddc67a5653 Environment-variable access.
repo/backend/open_webui/config.py:1703
    os.getenv('USER_PERMISSIONS_WORKSPACE_KNOWLEDGE_ACCESS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #504024db7c3ea81b Environment-variable access.
repo/backend/open_webui/config.py:1707
    os.getenv('USER_PERMISSIONS_WORKSPACE_PROMPTS_ACCESS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #967696cc4cfe42c8 Environment-variable access.
repo/backend/open_webui/config.py:1711
    os.getenv('USER_PERMISSIONS_WORKSPACE_TOOLS_ACCESS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d9fb2b379e3e3648 Environment-variable access.
repo/backend/open_webui/config.py:1715
    os.getenv('USER_PERMISSIONS_WORKSPACE_SKILLS_ACCESS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #64a914d679e8b90c Environment-variable access.
repo/backend/open_webui/config.py:1719
    os.getenv('USER_PERMISSIONS_WORKSPACE_MODELS_IMPORT', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c63f006c9e5e04fb Environment-variable access.
repo/backend/open_webui/config.py:1723
    os.getenv('USER_PERMISSIONS_WORKSPACE_MODELS_EXPORT', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d603c3ca29c45341 Environment-variable access.
repo/backend/open_webui/config.py:1727
    os.getenv('USER_PERMISSIONS_WORKSPACE_PROMPTS_IMPORT', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a743f09ab2b9e58e Environment-variable access.
repo/backend/open_webui/config.py:1731
    os.getenv('USER_PERMISSIONS_WORKSPACE_PROMPTS_EXPORT', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3988992abbcbad29 Environment-variable access.
repo/backend/open_webui/config.py:1735
    os.getenv('USER_PERMISSIONS_WORKSPACE_TOOLS_IMPORT', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e22a1c9f8cfc8785 Environment-variable access.
repo/backend/open_webui/config.py:1739
    os.getenv('USER_PERMISSIONS_WORKSPACE_TOOLS_EXPORT', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6e6cba645b72b157 Environment-variable access.
repo/backend/open_webui/config.py:1743
    os.getenv('USER_PERMISSIONS_WORKSPACE_SKILLS_IMPORT', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d0fe0c41a710f1dc Environment-variable access.
repo/backend/open_webui/config.py:1747
    os.getenv('USER_PERMISSIONS_WORKSPACE_SKILLS_EXPORT', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #099d143ee089c2fe Environment-variable access.
repo/backend/open_webui/config.py:1752
    os.getenv('USER_PERMISSIONS_WORKSPACE_MODELS_ALLOW_SHARING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0a1f487fca3c3791 Environment-variable access.
repo/backend/open_webui/config.py:1756
    os.getenv('USER_PERMISSIONS_WORKSPACE_MODELS_ALLOW_PUBLIC_SHARING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2715f31d8727d936 Environment-variable access.
repo/backend/open_webui/config.py:1760
    os.getenv('USER_PERMISSIONS_WORKSPACE_KNOWLEDGE_ALLOW_SHARING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1b94357538b51b9c Environment-variable access.
repo/backend/open_webui/config.py:1764
    os.getenv('USER_PERMISSIONS_WORKSPACE_KNOWLEDGE_ALLOW_PUBLIC_SHARING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2d776c13164f85e7 Environment-variable access.
repo/backend/open_webui/config.py:1768
    os.getenv('USER_PERMISSIONS_WORKSPACE_PROMPTS_ALLOW_SHARING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #08503b7dc82347df Environment-variable access.
repo/backend/open_webui/config.py:1772
    os.getenv('USER_PERMISSIONS_WORKSPACE_PROMPTS_ALLOW_PUBLIC_SHARING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #efc1b0e4f730cdad Environment-variable access.
repo/backend/open_webui/config.py:1777
    os.getenv('USER_PERMISSIONS_WORKSPACE_TOOLS_ALLOW_SHARING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d53e52c5186f4e1d Environment-variable access.
repo/backend/open_webui/config.py:1781
    os.getenv('USER_PERMISSIONS_WORKSPACE_TOOLS_ALLOW_PUBLIC_SHARING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8cc5946b9090913c Environment-variable access.
repo/backend/open_webui/config.py:1785
    os.getenv('USER_PERMISSIONS_WORKSPACE_SKILLS_ALLOW_SHARING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8f0fc969793e5f23 Environment-variable access.
repo/backend/open_webui/config.py:1789
    os.getenv('USER_PERMISSIONS_WORKSPACE_SKILLS_ALLOW_PUBLIC_SHARING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c40bbd47fb669ef7 Environment-variable access.
repo/backend/open_webui/config.py:1793
USER_PERMISSIONS_NOTES_ALLOW_SHARING = os.getenv('USER_PERMISSIONS_NOTES_ALLOW_SHARING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b10bc182d106ad1f Environment-variable access.
repo/backend/open_webui/config.py:1796
    os.getenv('USER_PERMISSIONS_NOTES_ALLOW_PUBLIC_SHARING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7c263afd54ee93c5 Environment-variable access.
repo/backend/open_webui/config.py:1799
USER_PERMISSIONS_FOLDERS_ALLOW_SHARING = os.getenv('USER_PERMISSIONS_FOLDERS_ALLOW_SHARING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2a46695a683a3576 Environment-variable access.
repo/backend/open_webui/config.py:1803
    os.getenv('USER_PERMISSIONS_CALENDAR_ALLOW_PUBLIC_SHARING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2057b3640bae81c1 Environment-variable access.
repo/backend/open_webui/config.py:1807
    os.getenv('USER_PERMISSIONS_ACCESS_GRANTS_ALLOW_USERS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #54209ec448c6b67e Environment-variable access.
repo/backend/open_webui/config.py:1811
USER_PERMISSIONS_CHAT_CONTROLS = os.getenv('USER_PERMISSIONS_CHAT_CONTROLS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #726e970ac845b576 Environment-variable access.
repo/backend/open_webui/config.py:1813
USER_PERMISSIONS_CHAT_VALVES = os.getenv('USER_PERMISSIONS_CHAT_VALVES', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #177e72a834509b74 Environment-variable access.
repo/backend/open_webui/config.py:1815
USER_PERMISSIONS_CHAT_SYSTEM_PROMPT = os.getenv('USER_PERMISSIONS_CHAT_SYSTEM_PROMPT', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7cb7360b9e78fd80 Environment-variable access.
repo/backend/open_webui/config.py:1817
USER_PERMISSIONS_CHAT_PARAMS = os.getenv('USER_PERMISSIONS_CHAT_PARAMS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #14fbd587fec295ea Environment-variable access.
repo/backend/open_webui/config.py:1819
USER_PERMISSIONS_CHAT_FILE_UPLOAD = os.getenv('USER_PERMISSIONS_CHAT_FILE_UPLOAD', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7eb9e7bc149a64ae Environment-variable access.
repo/backend/open_webui/config.py:1821
USER_PERMISSIONS_CHAT_WEB_UPLOAD = os.getenv('USER_PERMISSIONS_CHAT_WEB_UPLOAD', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7189eccfa2f74adc Environment-variable access.
repo/backend/open_webui/config.py:1823
USER_PERMISSIONS_CHAT_DELETE = os.getenv('USER_PERMISSIONS_CHAT_DELETE', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #82c41cb6144ceab4 Environment-variable access.
repo/backend/open_webui/config.py:1825
USER_PERMISSIONS_CHAT_DELETE_MESSAGE = os.getenv('USER_PERMISSIONS_CHAT_DELETE_MESSAGE', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5ceef9bc9ca0e134 Environment-variable access.
repo/backend/open_webui/config.py:1827
USER_PERMISSIONS_CHAT_CONTINUE_RESPONSE = os.getenv('USER_PERMISSIONS_CHAT_CONTINUE_RESPONSE', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9f6294d6b06ef3f4 Environment-variable access.
repo/backend/open_webui/config.py:1830
    os.getenv('USER_PERMISSIONS_CHAT_REGENERATE_RESPONSE', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #26f81d32a6ae5b87 Environment-variable access.
repo/backend/open_webui/config.py:1833
USER_PERMISSIONS_CHAT_RATE_RESPONSE = os.getenv('USER_PERMISSIONS_CHAT_RATE_RESPONSE', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e06e762cd5c28a49 Environment-variable access.
repo/backend/open_webui/config.py:1835
USER_PERMISSIONS_CHAT_EDIT = os.getenv('USER_PERMISSIONS_CHAT_EDIT', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e6e5591ca424aaf2 Environment-variable access.
repo/backend/open_webui/config.py:1837
USER_PERMISSIONS_CHAT_SHARE = os.getenv('USER_PERMISSIONS_CHAT_SHARE', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #440aab4f7205db16 Environment-variable access.
repo/backend/open_webui/config.py:1840
    os.getenv('USER_PERMISSIONS_CHAT_ALLOW_PUBLIC_SHARING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #67eb4b429306bfc3 Environment-variable access.
repo/backend/open_webui/config.py:1843
USER_PERMISSIONS_CHAT_EXPORT = os.getenv('USER_PERMISSIONS_CHAT_EXPORT', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #961e744d9fd94eb9 Environment-variable access.
repo/backend/open_webui/config.py:1845
USER_PERMISSIONS_CHAT_IMPORT = os.getenv('USER_PERMISSIONS_CHAT_IMPORT', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1d93cfb74ff011be Environment-variable access.
repo/backend/open_webui/config.py:1847
USER_PERMISSIONS_CHAT_STT = os.getenv('USER_PERMISSIONS_CHAT_STT', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b30c47a803061968 Environment-variable access.
repo/backend/open_webui/config.py:1849
USER_PERMISSIONS_CHAT_TTS = os.getenv('USER_PERMISSIONS_CHAT_TTS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cb153318da093de9 Environment-variable access.
repo/backend/open_webui/config.py:1851
USER_PERMISSIONS_CHAT_CALL = os.getenv('USER_PERMISSIONS_CHAT_CALL', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #10c7f2ee501e471e Environment-variable access.
repo/backend/open_webui/config.py:1853
USER_PERMISSIONS_CHAT_MULTIPLE_MODELS = os.getenv('USER_PERMISSIONS_CHAT_MULTIPLE_MODELS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #816b50f730b88bd4 Environment-variable access.
repo/backend/open_webui/config.py:1855
USER_PERMISSIONS_CHAT_TEMPORARY = os.getenv('USER_PERMISSIONS_CHAT_TEMPORARY', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c8fdbedc232beaca Environment-variable access.
repo/backend/open_webui/config.py:1858
    os.getenv('USER_PERMISSIONS_CHAT_TEMPORARY_ENFORCED', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6de1fff648e0acc1 Environment-variable access.
repo/backend/open_webui/config.py:1863
    os.getenv('USER_PERMISSIONS_FEATURES_DIRECT_TOOL_SERVERS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b3cd0c01f7a362ad Environment-variable access.
repo/backend/open_webui/config.py:1866
USER_PERMISSIONS_FEATURES_WEB_SEARCH = os.getenv('USER_PERMISSIONS_FEATURES_WEB_SEARCH', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3c81a1a611880b66 Environment-variable access.
repo/backend/open_webui/config.py:1869
    os.getenv('USER_PERMISSIONS_FEATURES_IMAGE_GENERATION', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ded26d6797db6ba5 Environment-variable access.
repo/backend/open_webui/config.py:1873
    os.getenv('USER_PERMISSIONS_FEATURES_CODE_INTERPRETER', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3e84648031dae56c Environment-variable access.
repo/backend/open_webui/config.py:1876
USER_PERMISSIONS_FEATURES_FOLDERS = os.getenv('USER_PERMISSIONS_FEATURES_FOLDERS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5dcd92e2df8feef8 Environment-variable access.
repo/backend/open_webui/config.py:1878
USER_PERMISSIONS_FEATURES_NOTES = os.getenv('USER_PERMISSIONS_FEATURES_NOTES', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0e7088d47e6abf4b Environment-variable access.
repo/backend/open_webui/config.py:1880
USER_PERMISSIONS_FEATURES_CHANNELS = os.getenv('USER_PERMISSIONS_FEATURES_CHANNELS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1bc884ee9822fe82 Environment-variable access.
repo/backend/open_webui/config.py:1882
USER_PERMISSIONS_FEATURES_API_KEYS = os.getenv('USER_PERMISSIONS_FEATURES_API_KEYS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b606464bec6d51e5 Environment-variable access.
repo/backend/open_webui/config.py:1884
USER_PERMISSIONS_FEATURES_MEMORIES = os.getenv('USER_PERMISSIONS_FEATURES_MEMORIES', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #57bad7a6f9f06259 Environment-variable access.
repo/backend/open_webui/config.py:1886
USER_PERMISSIONS_FEATURES_AUTOMATIONS = os.getenv('USER_PERMISSIONS_FEATURES_AUTOMATIONS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #839691b455379893 Environment-variable access.
repo/backend/open_webui/config.py:1888
USER_PERMISSIONS_FEATURES_CALENDAR = os.getenv('USER_PERMISSIONS_FEATURES_CALENDAR', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #76b1df20ad15f9f5 Environment-variable access.
repo/backend/open_webui/config.py:1891
    os.getenv('USER_PERMISSIONS_FEATURES_USER_WEBHOOKS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dd4d5b12dc91bf7e Environment-variable access.
repo/backend/open_webui/config.py:1895
USER_PERMISSIONS_SETTINGS_INTERFACE = os.getenv('USER_PERMISSIONS_SETTINGS_INTERFACE', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #af8a72e78f8a6942 Environment-variable access.
repo/backend/open_webui/config.py:1980
ENABLE_FOLDERS = os.getenv('ENABLE_FOLDERS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e767b11b65e7c166 Environment-variable access.
repo/backend/open_webui/config.py:1982
FOLDER_MAX_FILE_COUNT = os.getenv('FOLDER_MAX_FILE_COUNT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7baaf483b6b1607a Environment-variable access.
repo/backend/open_webui/config.py:1984
ENABLE_CHANNELS = os.getenv('ENABLE_CHANNELS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #97054f312320df54 Environment-variable access.
repo/backend/open_webui/config.py:1986
ENABLE_CALENDAR = os.getenv('ENABLE_CALENDAR', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e2108f80e90b04ea Environment-variable access.
repo/backend/open_webui/config.py:1988
ENABLE_AUTOMATIONS = os.getenv('ENABLE_AUTOMATIONS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5f7508fea3d4ab16 Environment-variable access.
repo/backend/open_webui/config.py:1990
AUTOMATION_MAX_COUNT = os.getenv('AUTOMATION_MAX_COUNT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6906da736ec5acf5 Environment-variable access.
repo/backend/open_webui/config.py:1992
AUTOMATION_MIN_INTERVAL = os.getenv('AUTOMATION_MIN_INTERVAL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9c7096a6789eff4f Environment-variable access.
repo/backend/open_webui/config.py:1994
AUTOMATION_AUTH_TOKEN_EXPIRES_IN = os.getenv('AUTOMATION_AUTH_TOKEN_EXPIRES_IN', '1h')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #95e41a895a4975ac Environment-variable access.
repo/backend/open_webui/config.py:1996
ENABLE_NOTES = os.getenv('ENABLE_NOTES', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fccf5ce34b92c507 Environment-variable access.
repo/backend/open_webui/config.py:1998
ENABLE_USER_STATUS = os.getenv('ENABLE_USER_STATUS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #589e22fdf0eb33ca Environment-variable access.
repo/backend/open_webui/config.py:2000
ENABLE_EVALUATION_ARENA_MODELS = os.getenv('ENABLE_EVALUATION_ARENA_MODELS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3473d2d66146c925 Environment-variable access.
repo/backend/open_webui/config.py:2002
    evaluation_arena_models = json.loads(os.getenv('EVALUATION_ARENA_MODELS', '[]'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #02b8b0758aa05774 Environment-variable access.
repo/backend/open_webui/config.py:2023
WEBHOOK_URL = os.getenv('WEBHOOK_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ace44dd2c007502d Environment-variable access.
repo/backend/open_webui/config.py:2025
ENABLE_ADMIN_EXPORT = os.getenv('ENABLE_ADMIN_EXPORT', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5a442aef69a7cff1 Environment-variable access.
repo/backend/open_webui/config.py:2027
ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS = os.getenv('ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4380a10c618986f8 Environment-variable access.
repo/backend/open_webui/config.py:2030
    os.getenv(
        'BYPASS_ADMIN_ACCESS_CONTROL',
        os.getenv('ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS', 'True'),
    ).lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #467c7f6cfcd823ec Environment-variable access.
repo/backend/open_webui/config.py:2032
        os.getenv('ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS', 'True'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6b40081906209e8f Environment-variable access.
repo/backend/open_webui/config.py:2037
ENABLE_ADMIN_CHAT_ACCESS = os.getenv('ENABLE_ADMIN_CHAT_ACCESS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #87595b72a755aa96 Environment-variable access.
repo/backend/open_webui/config.py:2039
ENABLE_ADMIN_ANALYTICS = os.getenv('ENABLE_ADMIN_ANALYTICS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2b284bcf4e1c6cee Environment-variable access.
repo/backend/open_webui/config.py:2041
ENABLE_COMMUNITY_SHARING = os.getenv('ENABLE_COMMUNITY_SHARING', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #95b4a35b960285bd Environment-variable access.
repo/backend/open_webui/config.py:2043
ENABLE_MESSAGE_RATING = os.getenv('ENABLE_MESSAGE_RATING', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f762b6738796c921 Environment-variable access.
repo/backend/open_webui/config.py:2045
ENABLE_USER_WEBHOOKS = os.getenv('ENABLE_USER_WEBHOOKS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #15ba6d8d27f949ce Environment-variable access.
repo/backend/open_webui/config.py:2048
THREAD_POOL_SIZE = os.getenv('THREAD_POOL_SIZE', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8abb0d2730ef434f Environment-variable access.
repo/backend/open_webui/config.py:2078
CORS_ALLOW_ORIGIN = os.getenv('CORS_ALLOW_ORIGIN', '*').split(';')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #60d2a763e125649d Environment-variable access.
repo/backend/open_webui/config.py:2083
CORS_ALLOW_CUSTOM_SCHEME = os.getenv('CORS_ALLOW_CUSTOM_SCHEME', '').split(';')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a2a9877f25dab99b Environment-variable access.
repo/backend/open_webui/config.py:2104
    banners = json.loads(os.getenv('WEBUI_BANNERS', '[]'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2a8f8fda90f6c10c Environment-variable access.
repo/backend/open_webui/config.py:2113
SHOW_ADMIN_DETAILS = os.getenv('SHOW_ADMIN_DETAILS', 'true').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9f3bad798cc0bead Environment-variable access.
repo/backend/open_webui/config.py:2115
ADMIN_EMAIL = os.getenv('ADMIN_EMAIL', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #85b2bad9af58c3cb Environment-variable access.
repo/backend/open_webui/config.py:2123
TASK_MODEL = os.getenv('TASK_MODEL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #78f9364ec3e33b92 Environment-variable access.
repo/backend/open_webui/config.py:2125
TASK_MODEL_EXTERNAL = os.getenv('TASK_MODEL_EXTERNAL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #80e3506dd4b06ccf Environment-variable access.
repo/backend/open_webui/config.py:2127
ENABLE_CONTEXT_COMPACTION = os.getenv('ENABLE_CONTEXT_COMPACTION', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a7217145b612feaf Environment-variable access.
repo/backend/open_webui/config.py:2129
CONTEXT_COMPACTION_TOKEN_THRESHOLD = int(os.getenv('CONTEXT_COMPACTION_TOKEN_THRESHOLD', '80000'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2928cecc9f60e2ef Environment-variable access.
repo/backend/open_webui/config.py:2131
CONTEXT_COMPACTION_PROMPT_TEMPLATE = os.getenv('CONTEXT_COMPACTION_PROMPT_TEMPLATE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dd5e913d4cb469b0 Environment-variable access.
repo/backend/open_webui/config.py:2133
TITLE_GENERATION_PROMPT_TEMPLATE = os.getenv('TITLE_GENERATION_PROMPT_TEMPLATE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #90e492d94eec3350 Environment-variable access.
repo/backend/open_webui/config.py:2159
TAGS_GENERATION_PROMPT_TEMPLATE = os.getenv('TAGS_GENERATION_PROMPT_TEMPLATE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #04b56cd16eabd13d Environment-variable access.
repo/backend/open_webui/config.py:2179
IMAGE_PROMPT_GENERATION_PROMPT_TEMPLATE = os.getenv('IMAGE_PROMPT_GENERATION_PROMPT_TEMPLATE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #199fa4f98c81ec40 Environment-variable access.
repo/backend/open_webui/config.py:2202
FOLLOW_UP_GENERATION_PROMPT_TEMPLATE = os.getenv('FOLLOW_UP_GENERATION_PROMPT_TEMPLATE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #30b23231dbe95277 Environment-variable access.
repo/backend/open_webui/config.py:2220
ENABLE_FOLLOW_UP_GENERATION = os.getenv('ENABLE_FOLLOW_UP_GENERATION', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #214954934ab953ac Environment-variable access.
repo/backend/open_webui/config.py:2222
ENABLE_TAGS_GENERATION = os.getenv('ENABLE_TAGS_GENERATION', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #39930726782b84cf Environment-variable access.
repo/backend/open_webui/config.py:2224
ENABLE_TITLE_GENERATION = os.getenv('ENABLE_TITLE_GENERATION', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #822877ba9e262538 Environment-variable access.
repo/backend/open_webui/config.py:2227
ENABLE_SEARCH_QUERY_GENERATION = os.getenv('ENABLE_SEARCH_QUERY_GENERATION', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #612d596a3747ccfb Environment-variable access.
repo/backend/open_webui/config.py:2229
ENABLE_RETRIEVAL_QUERY_GENERATION = os.getenv('ENABLE_RETRIEVAL_QUERY_GENERATION', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae42f677e4213e95 Environment-variable access.
repo/backend/open_webui/config.py:2232
QUERY_GENERATION_PROMPT_TEMPLATE = os.getenv('QUERY_GENERATION_PROMPT_TEMPLATE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1dddeea9baf5247c Environment-variable access.
repo/backend/open_webui/config.py:2258
ENABLE_AUTOCOMPLETE_GENERATION = os.getenv('ENABLE_AUTOCOMPLETE_GENERATION', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eada8643af7fd4f2 Environment-variable access.
repo/backend/open_webui/config.py:2260
AUTOCOMPLETE_GENERATION_INPUT_MAX_LENGTH = int(os.getenv('AUTOCOMPLETE_GENERATION_INPUT_MAX_LENGTH', '-1'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e66f8bd9561f73a6 Environment-variable access.
repo/backend/open_webui/config.py:2262
AUTOCOMPLETE_GENERATION_PROMPT_TEMPLATE = os.getenv('AUTOCOMPLETE_GENERATION_PROMPT_TEMPLATE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2e779b041f9b6276 Environment-variable access.
repo/backend/open_webui/config.py:2308
VOICE_MODE_PROMPT_TEMPLATE = os.getenv('VOICE_MODE_PROMPT_TEMPLATE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e006ac3fe34e66e7 Environment-variable access.
repo/backend/open_webui/config.py:2310
ENABLE_VOICE_MODE_PROMPT = os.getenv('ENABLE_VOICE_MODE_PROMPT', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d3235ecd23596ccb Environment-variable access.
repo/backend/open_webui/config.py:2337
TOOLS_FUNCTION_CALLING_PROMPT_TEMPLATE = os.getenv('TOOLS_FUNCTION_CALLING_PROMPT_TEMPLATE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ed8dbe716eea6263 Environment-variable access.
repo/backend/open_webui/config.py:2379
ENABLE_API_KEYS = os.getenv('ENABLE_API_KEYS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5874f17025cf2f0f Environment-variable access.
repo/backend/open_webui/config.py:2382
    os.getenv(
        'ENABLE_API_KEYS_ENDPOINT_RESTRICTIONS',
        os.getenv('ENABLE_API_KEY_ENDPOINT_RESTRICTIONS', 'False'),
    ).lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f62bfb1ab2c35c88 Environment-variable access.
repo/backend/open_webui/config.py:2384
        os.getenv('ENABLE_API_KEY_ENDPOINT_RESTRICTIONS', 'False'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0bcae51355e8fd6c Environment-variable access.
repo/backend/open_webui/config.py:2389
API_KEYS_ALLOWED_ENDPOINTS = os.getenv('API_KEYS_ALLOWED_ENDPOINTS', os.getenv('API_KEY_ALLOWED_ENDPOINTS', ''))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #64725585cd327f58 Environment-variable access.
repo/backend/open_webui/config.py:2391
JWT_EXPIRES_IN = os.getenv('JWT_EXPIRES_IN', '4w')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f5d65ecc1a3e3c54 Environment-variable access.
repo/backend/open_webui/config.py:2403
ENABLE_OAUTH_SIGNUP = os.getenv('ENABLE_OAUTH_SIGNUP', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae38910cbd8776ec Environment-variable access.
repo/backend/open_webui/config.py:2405
OAUTH_AUTO_REDIRECT = os.getenv('OAUTH_AUTO_REDIRECT', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4f4471f5cc9543ec Environment-variable access.
repo/backend/open_webui/config.py:2407
OAUTH_REFRESH_TOKEN_INCLUDE_SCOPE = os.getenv('OAUTH_REFRESH_TOKEN_INCLUDE_SCOPE', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f65ba994a5c3941c Environment-variable access.
repo/backend/open_webui/config.py:2410
OAUTH_MERGE_ACCOUNTS_BY_EMAIL = os.getenv('OAUTH_MERGE_ACCOUNTS_BY_EMAIL', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #42cebe404adf3539 Environment-variable access.
repo/backend/open_webui/config.py:2414
GOOGLE_CLIENT_ID = os.getenv('GOOGLE_CLIENT_ID', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d225f55be59b401 Environment-variable access.
repo/backend/open_webui/config.py:2416
GOOGLE_CLIENT_SECRET = os.getenv('GOOGLE_CLIENT_SECRET', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #298c869c4684db27 Environment-variable access.
repo/backend/open_webui/config.py:2419
GOOGLE_OAUTH_SCOPE = os.getenv('GOOGLE_OAUTH_SCOPE', 'openid email profile')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21f3f9eb2cf58ec6 Environment-variable access.
repo/backend/open_webui/config.py:2421
GOOGLE_REDIRECT_URI = os.getenv('GOOGLE_REDIRECT_URI', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #921d9d89199cef14 Environment-variable access.
repo/backend/open_webui/config.py:2424
_google_oauth_authorize_params = os.getenv('GOOGLE_OAUTH_AUTHORIZE_PARAMS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f34a70f1bce96d5f Environment-variable access.
repo/backend/open_webui/config.py:2435
MICROSOFT_CLIENT_ID = os.getenv('MICROSOFT_CLIENT_ID', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3f3165724889af63 Environment-variable access.
repo/backend/open_webui/config.py:2437
MICROSOFT_CLIENT_SECRET = os.getenv('MICROSOFT_CLIENT_SECRET', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a935165442ccd5e6 Environment-variable access.
repo/backend/open_webui/config.py:2439
MICROSOFT_CLIENT_TENANT_ID = os.getenv('MICROSOFT_CLIENT_TENANT_ID', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6175305ea8ee52fc Environment-variable access.
repo/backend/open_webui/config.py:2441
MICROSOFT_CLIENT_LOGIN_BASE_URL = os.getenv('MICROSOFT_CLIENT_LOGIN_BASE_URL', 'https://login.microsoftonline.com')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #01480203158bdbb1 Environment-variable access.
repo/backend/open_webui/config.py:2443
MICROSOFT_CLIENT_PICTURE_URL = os.getenv(
    'MICROSOFT_CLIENT_PICTURE_URL',
    'https://graph.microsoft.com/v1.0/me/photo/$value',
)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #038a0d21527e6e9a Environment-variable access.
repo/backend/open_webui/config.py:2449
MICROSOFT_OAUTH_SCOPE = os.getenv('MICROSOFT_OAUTH_SCOPE', 'openid email profile')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0bba2cf030d6c5e5 Environment-variable access.
repo/backend/open_webui/config.py:2451
MICROSOFT_REDIRECT_URI = os.getenv('MICROSOFT_REDIRECT_URI', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #95446fbe6e23376e Environment-variable access.
repo/backend/open_webui/config.py:2453
GITHUB_CLIENT_ID = os.getenv('GITHUB_CLIENT_ID', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #32074a13dd477d37 Environment-variable access.
repo/backend/open_webui/config.py:2455
GITHUB_CLIENT_SECRET = os.getenv('GITHUB_CLIENT_SECRET', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3e7de1973f0b63f4 Environment-variable access.
repo/backend/open_webui/config.py:2457
GITHUB_CLIENT_SCOPE = os.getenv('GITHUB_CLIENT_SCOPE', 'user:email')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fabe975a7905a145 Environment-variable access.
repo/backend/open_webui/config.py:2459
GITHUB_CLIENT_REDIRECT_URI = os.getenv('GITHUB_CLIENT_REDIRECT_URI', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #78655a7c9ac36805 Environment-variable access.
repo/backend/open_webui/config.py:2461
OAUTH_CLIENT_ID = os.getenv('OAUTH_CLIENT_ID', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5f5e848f22ab3b0d Environment-variable access.
repo/backend/open_webui/config.py:2463
OAUTH_CLIENT_SECRET = os.getenv('OAUTH_CLIENT_SECRET', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1b16ea5bfd123728 Environment-variable access.
repo/backend/open_webui/config.py:2465
OPENID_PROVIDER_URL = os.getenv('OPENID_PROVIDER_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dfc72862199dc7c0 Environment-variable access.
repo/backend/open_webui/config.py:2467
OPENID_END_SESSION_ENDPOINT = os.getenv('OPENID_END_SESSION_ENDPOINT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5972d32c06d8e7cc Environment-variable access.
repo/backend/open_webui/config.py:2469
OPENID_REDIRECT_URI = os.getenv('OPENID_REDIRECT_URI', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #60af1389626a41d9 Environment-variable access.
repo/backend/open_webui/config.py:2471
OAUTH_SCOPES = os.getenv('OAUTH_SCOPES', 'openid email profile')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #359f11b227027cef Environment-variable access.
repo/backend/open_webui/config.py:2473
OAUTH_TIMEOUT = os.getenv('OAUTH_TIMEOUT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0a97df6dfc58303a Environment-variable access.
repo/backend/open_webui/config.py:2475
OAUTH_TOKEN_ENDPOINT_AUTH_METHOD = os.getenv('OAUTH_TOKEN_ENDPOINT_AUTH_METHOD', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2bdc09c989b46a32 Environment-variable access.
repo/backend/open_webui/config.py:2477
OAUTH_CODE_CHALLENGE_METHOD = os.getenv('OAUTH_CODE_CHALLENGE_METHOD', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2620fb2533531210 Environment-variable access.
repo/backend/open_webui/config.py:2479
OAUTH_PROVIDER_NAME = os.getenv('OAUTH_PROVIDER_NAME', 'SSO')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7e3362928f8ee407 Environment-variable access.
repo/backend/open_webui/config.py:2481
OAUTH_SUB_CLAIM = os.getenv('OAUTH_SUB_CLAIM', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #003bdaa70c327cf3 Environment-variable access.
repo/backend/open_webui/config.py:2483
OAUTH_USERNAME_CLAIM = os.getenv('OAUTH_USERNAME_CLAIM', 'name')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6962594f91518fe9 Environment-variable access.
repo/backend/open_webui/config.py:2486
OAUTH_PICTURE_CLAIM = os.getenv('OAUTH_PICTURE_CLAIM', 'picture')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fb6c0eabfecba775 Environment-variable access.
repo/backend/open_webui/config.py:2488
OAUTH_EMAIL_CLAIM = os.getenv('OAUTH_EMAIL_CLAIM', 'email')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b105ff50bdeba88f Environment-variable access.
repo/backend/open_webui/config.py:2490
OAUTH_GROUPS_CLAIM = os.getenv('OAUTH_GROUPS_CLAIM', os.getenv('OAUTH_GROUP_CLAIM', 'groups'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4587bd99dbb47ca5 Environment-variable access.
repo/backend/open_webui/config.py:2492
FEISHU_CLIENT_ID = os.getenv('FEISHU_CLIENT_ID', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f40025ea3c275fda Environment-variable access.
repo/backend/open_webui/config.py:2494
FEISHU_CLIENT_SECRET = os.getenv('FEISHU_CLIENT_SECRET', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #73499f30aef79b44 Environment-variable access.
repo/backend/open_webui/config.py:2496
FEISHU_OAUTH_SCOPE = os.getenv('FEISHU_OAUTH_SCOPE', 'contact:user.base:readonly')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #29f9ac47002a6ca6 Environment-variable access.
repo/backend/open_webui/config.py:2498
FEISHU_REDIRECT_URI = os.getenv('FEISHU_REDIRECT_URI', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #73806f25e8ae9103 Environment-variable access.
repo/backend/open_webui/config.py:2500
ENABLE_OAUTH_ROLE_MANAGEMENT = os.getenv('ENABLE_OAUTH_ROLE_MANAGEMENT', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3c0b2531c9d9f5ea Environment-variable access.
repo/backend/open_webui/config.py:2502
ENABLE_OAUTH_GROUP_MANAGEMENT = os.getenv('ENABLE_OAUTH_GROUP_MANAGEMENT', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3714275d36eb49c0 Environment-variable access.
repo/backend/open_webui/config.py:2504
ENABLE_OAUTH_GROUP_CREATION = os.getenv('ENABLE_OAUTH_GROUP_CREATION', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cacf9a2430bdb7a9 Environment-variable access.
repo/backend/open_webui/config.py:2507
oauth_group_default_share = os.getenv('OAUTH_GROUP_DEFAULT_SHARE', 'true').strip().lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8618768333eafc18 Environment-variable access.
repo/backend/open_webui/config.py:2511
OAUTH_BLOCKED_GROUPS = os.getenv('OAUTH_BLOCKED_GROUPS', '[]')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #53f48def46d42265 Environment-variable access.
repo/backend/open_webui/config.py:2513
OAUTH_GROUPS_SEPARATOR = os.getenv('OAUTH_GROUPS_SEPARATOR', ';')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c289ff29d10f1ea7 Environment-variable access.
repo/backend/open_webui/config.py:2515
OAUTH_ROLES_CLAIM = os.getenv('OAUTH_ROLES_CLAIM', 'roles')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9e6eae4d70672d7e Environment-variable access.
repo/backend/open_webui/config.py:2517
OAUTH_ROLES_SEPARATOR = os.getenv('OAUTH_ROLES_SEPARATOR', ',')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #131dd4d9ed47b6e8 Environment-variable access.
repo/backend/open_webui/config.py:2521
    for role in os.getenv('OAUTH_ALLOWED_ROLES', f'user{OAUTH_ROLES_SEPARATOR}admin').split(OAUTH_ROLES_SEPARATOR)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5bcc798d11438907 Environment-variable access.
repo/backend/open_webui/config.py:2526
    role.strip() for role in os.getenv('OAUTH_ADMIN_ROLES', 'admin').split(OAUTH_ROLES_SEPARATOR) if role

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ca8c27c523c3114c Environment-variable access.
repo/backend/open_webui/config.py:2529
OAUTH_ALLOWED_DOMAINS = [domain.strip() for domain in os.getenv('OAUTH_ALLOWED_DOMAINS', '*').split(',')]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #26bb2d8eb0344fda Environment-variable access.
repo/backend/open_webui/config.py:2531
OAUTH_UPDATE_PICTURE_ON_LOGIN = os.getenv('OAUTH_UPDATE_PICTURE_ON_LOGIN', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d98a2960c2e70886 Environment-variable access.
repo/backend/open_webui/config.py:2533
OAUTH_UPDATE_NAME_ON_LOGIN = os.getenv('OAUTH_UPDATE_NAME_ON_LOGIN', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #86b05b596d2f2a0f Environment-variable access.
repo/backend/open_webui/config.py:2535
OAUTH_UPDATE_EMAIL_ON_LOGIN = os.getenv('OAUTH_UPDATE_EMAIL_ON_LOGIN', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1f690c3671fe94e7 Environment-variable access.
repo/backend/open_webui/config.py:2538
    os.getenv('OAUTH_ACCESS_TOKEN_REQUEST_INCLUDE_CLIENT_ID', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #92f65d7714a4bdd8 Environment-variable access.
repo/backend/open_webui/config.py:2541
OAUTH_AUDIENCE = os.getenv('OAUTH_AUDIENCE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6c2199e7cd825cca Environment-variable access.
repo/backend/open_webui/config.py:2544
_oauth_authorize_params = os.getenv('OAUTH_AUTHORIZE_PARAMS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #491e1dee517e481a Environment-variable access.
repo/backend/open_webui/config.py:2711
ENABLE_LDAP = os.getenv('ENABLE_LDAP', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eb77e6c9c964be1b Environment-variable access.
repo/backend/open_webui/config.py:2713
LDAP_SERVER_LABEL = os.getenv('LDAP_SERVER_LABEL', 'LDAP Server')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9abec0f91317f406 Environment-variable access.
repo/backend/open_webui/config.py:2715
LDAP_SERVER_HOST = os.getenv('LDAP_SERVER_HOST', 'localhost')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2ec55d072ec49659 Environment-variable access.
repo/backend/open_webui/config.py:2717
LDAP_SERVER_PORT = int(os.getenv('LDAP_SERVER_PORT', '389'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5d43aa7eb68ad869 Environment-variable access.
repo/backend/open_webui/config.py:2719
LDAP_ATTRIBUTE_FOR_MAIL = os.getenv('LDAP_ATTRIBUTE_FOR_MAIL', 'mail')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aea6e798e74cae54 Environment-variable access.
repo/backend/open_webui/config.py:2721
LDAP_ATTRIBUTE_FOR_USERNAME = os.getenv('LDAP_ATTRIBUTE_FOR_USERNAME', 'uid')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d1d5a757ff91ba94 Environment-variable access.
repo/backend/open_webui/config.py:2723
LDAP_APP_DN = os.getenv('LDAP_APP_DN', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0cc099b54c7ee0e8 Environment-variable access.
repo/backend/open_webui/config.py:2725
LDAP_APP_PASSWORD = os.getenv('LDAP_APP_PASSWORD', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b880771a18f116b4 Environment-variable access.
repo/backend/open_webui/config.py:2727
LDAP_SEARCH_BASE = os.getenv('LDAP_SEARCH_BASE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d94b068c14c0c18 Environment-variable access.
repo/backend/open_webui/config.py:2729
LDAP_SEARCH_FILTERS = os.getenv('LDAP_SEARCH_FILTER', os.getenv('LDAP_SEARCH_FILTERS', ''))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e25430b7dadf7d4d Environment-variable access.
repo/backend/open_webui/config.py:2731
LDAP_USE_TLS = os.getenv('LDAP_USE_TLS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aba158000f2a6f56 Environment-variable access.
repo/backend/open_webui/config.py:2733
LDAP_CA_CERT_FILE = os.getenv('LDAP_CA_CERT_FILE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #16c09dfd0bdd5366 Environment-variable access.
repo/backend/open_webui/config.py:2735
LDAP_VALIDATE_CERT = os.getenv('LDAP_VALIDATE_CERT', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6302587198b7f622 Environment-variable access.
repo/backend/open_webui/config.py:2737
LDAP_CIPHERS = os.getenv('LDAP_CIPHERS', 'ALL')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5efedb5f2bc459aa Environment-variable access.
repo/backend/open_webui/config.py:2739
ENABLE_LDAP_GROUP_MANAGEMENT = os.getenv('ENABLE_LDAP_GROUP_MANAGEMENT', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3bb495972fc090e8 Environment-variable access.
repo/backend/open_webui/config.py:2741
ENABLE_LDAP_GROUP_CREATION = os.getenv('ENABLE_LDAP_GROUP_CREATION', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f3eb46fed32dc68a Environment-variable access.
repo/backend/open_webui/config.py:2743
LDAP_ATTRIBUTE_FOR_GROUPS = os.getenv('LDAP_ATTRIBUTE_FOR_GROUPS', 'memberOf')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #75c34922c81eb8a3 Environment-variable access.
repo/backend/open_webui/config.py:3129
ENABLE_PERSISTENT_CONFIG = os.getenv('ENABLE_PERSISTENT_CONFIG', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #581871f96d99fe12 Environment-variable access.
repo/backend/open_webui/config.py:3130
ENABLE_OAUTH_PERSISTENT_CONFIG = os.getenv('ENABLE_OAUTH_PERSISTENT_CONFIG', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ef637b9fafc497e6 Environment-variable access.
repo/backend/open_webui/env.py:42
DOCKER = os.getenv('DOCKER', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #40698055b8ba314d Environment-variable access.
repo/backend/open_webui/env.py:44
USE_CUDA = os.getenv('USE_CUDA_DOCKER', 'false')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #59b48718ee23dfc9 Environment-variable access.
repo/backend/open_webui/env.py:57
        os.environ['USE_CUDA_DOCKER'] = 'false'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9a619280d09a0398 Environment-variable access.
repo/backend/open_webui/env.py:104
LOG_FORMAT = os.getenv('LOG_FORMAT', '').lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7e5d4ef7f5245d25 Environment-variable access.
repo/backend/open_webui/env.py:106
GLOBAL_LOG_LEVEL = os.getenv('GLOBAL_LOG_LEVEL', '').upper()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b90df6067dbdfa44 Environment-variable access.
repo/backend/open_webui/env.py:132
ENV = os.getenv('ENV', 'dev')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1706433de766660d Environment-variable access.
repo/backend/open_webui/env.py:134
FROM_INIT_PY = os.getenv('FROM_INIT_PY', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46d915d71469ad95 Filesystem access.
repo/backend/open_webui/env.py:140
        PACKAGE_DATA = json.loads((BASE_DIR / 'package.json').read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #332736751ff247c2 Environment-variable access.
repo/backend/open_webui/env.py:147
DEPLOYMENT_ID = os.getenv('DEPLOYMENT_ID', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d0ab0fb682797f9 Environment-variable access.
repo/backend/open_webui/env.py:148
INSTANCE_ID = os.getenv('INSTANCE_ID', str(uuid4()))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #79dff99b47e6c299 Environment-variable access.
repo/backend/open_webui/env.py:150
ENABLE_DB_MIGRATIONS = os.getenv('ENABLE_DB_MIGRATIONS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #884aa204d4a79bf7 Filesystem access.
repo/backend/open_webui/env.py:174
    with open(str(changelog_path.absolute()), encoding='utf8') as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #763c1e1b4b16555b Environment-variable access.
repo/backend/open_webui/env.py:216
DATA_DIR = Path(os.getenv('DATA_DIR', BACKEND_DIR / 'data')).resolve()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fcbc8660f7ce101e Environment-variable access.
repo/backend/open_webui/env.py:219
    NEW_DATA_DIR = Path(os.getenv('DATA_DIR', OPEN_WEBUI_DIR / 'data')).resolve()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #651aadd319171814 Environment-variable access.
repo/backend/open_webui/env.py:238
    DATA_DIR = Path(os.getenv('DATA_DIR', OPEN_WEBUI_DIR / 'data'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #08231be3bc936f11 Environment-variable access.
repo/backend/open_webui/env.py:240
STATIC_DIR = Path(os.getenv('STATIC_DIR', OPEN_WEBUI_DIR / 'static'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #900768440a01c5a0 Environment-variable access.
repo/backend/open_webui/env.py:242
FONTS_DIR = Path(os.getenv('FONTS_DIR', OPEN_WEBUI_DIR / 'static' / 'fonts'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a50d6bfdf079684 Environment-variable access.
repo/backend/open_webui/env.py:244
FRONTEND_BUILD_DIR = Path(os.getenv('FRONTEND_BUILD_DIR', BASE_DIR / 'build')).resolve()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7874d8cbae401476 Environment-variable access.
repo/backend/open_webui/env.py:247
    FRONTEND_BUILD_DIR = Path(os.getenv('FRONTEND_BUILD_DIR', OPEN_WEBUI_DIR / 'frontend')).resolve()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #03886a22a7a13d9a Environment-variable access.
repo/backend/open_webui/env.py:261
DATABASE_URL = os.getenv('DATABASE_URL', f'sqlite:///{DATA_DIR}/webui.db')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1b64420fdbbd0e38 Environment-variable access.
repo/backend/open_webui/env.py:263
DATABASE_TYPE = os.getenv('DATABASE_TYPE')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #96f59cbedecae8be Environment-variable access.
repo/backend/open_webui/env.py:264
DATABASE_USER = os.getenv('DATABASE_USER')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #84045cf015ff0f20 Environment-variable access.
repo/backend/open_webui/env.py:265
DATABASE_PASSWORD = os.getenv('DATABASE_PASSWORD')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #00d3e35388b628cc Environment-variable access.
repo/backend/open_webui/env.py:276
    'db_host': os.getenv('DATABASE_HOST'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9856a464121f9c8f Environment-variable access.
repo/backend/open_webui/env.py:277
    'db_port': os.getenv('DATABASE_PORT'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #596bd0351c189b9a Environment-variable access.
repo/backend/open_webui/env.py:278
    'db_name': os.getenv('DATABASE_NAME'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7e9601d261f77b1f Environment-variable access.
repo/backend/open_webui/env.py:285
elif DATABASE_TYPE == 'sqlite+sqlcipher' and not os.getenv('DATABASE_URL'):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e8fc978e34a9a577 Environment-variable access.
repo/backend/open_webui/env.py:293
DATABASE_SCHEMA = os.getenv('DATABASE_SCHEMA', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0d38e2a925fe9592 Environment-variable access.
repo/backend/open_webui/env.py:294
DATABASE_ENABLE_IAM_TOKEN_AUTH = os.getenv('DATABASE_ENABLE_IAM_TOKEN_AUTH', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b06c6a4b52d6c3b6 Environment-variable access.
repo/backend/open_webui/env.py:296
_pool_size_raw = os.getenv('DATABASE_POOL_SIZE')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c44c1a084f8b0d4a Environment-variable access.
repo/backend/open_webui/env.py:302
_pool_overflow_raw = os.getenv('DATABASE_POOL_MAX_OVERFLOW', '0')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4cd2bebeba729970 Environment-variable access.
repo/backend/open_webui/env.py:308
_pool_timeout_raw = os.getenv('DATABASE_POOL_TIMEOUT', '30')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5e6092d6b72405e5 Environment-variable access.
repo/backend/open_webui/env.py:314
_pool_recycle_raw = os.getenv('DATABASE_POOL_RECYCLE', '3600')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0f936c4bc4cfa48f Environment-variable access.
repo/backend/open_webui/env.py:320
DATABASE_ENABLE_SQLITE_WAL = os.getenv('DATABASE_ENABLE_SQLITE_WAL', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #640a79e45ab1de7f Environment-variable access.
repo/backend/open_webui/env.py:328
DATABASE_SQLITE_PRAGMA_SYNCHRONOUS = os.getenv('DATABASE_SQLITE_PRAGMA_SYNCHRONOUS', 'NORMAL')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2bb6634009fa9363 Environment-variable access.
repo/backend/open_webui/env.py:332
DATABASE_SQLITE_PRAGMA_BUSY_TIMEOUT = os.getenv('DATABASE_SQLITE_PRAGMA_BUSY_TIMEOUT', '5000')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0f7a1f9dafc3aeea Environment-variable access.
repo/backend/open_webui/env.py:335
DATABASE_SQLITE_PRAGMA_CACHE_SIZE = os.getenv('DATABASE_SQLITE_PRAGMA_CACHE_SIZE', '-65536')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #06d9da9b593d5787 Environment-variable access.
repo/backend/open_webui/env.py:339
DATABASE_SQLITE_PRAGMA_TEMP_STORE = os.getenv('DATABASE_SQLITE_PRAGMA_TEMP_STORE', 'MEMORY')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46ce4a67e1ae1e8d Environment-variable access.
repo/backend/open_webui/env.py:343
DATABASE_SQLITE_PRAGMA_MMAP_SIZE = os.getenv('DATABASE_SQLITE_PRAGMA_MMAP_SIZE', '268435456')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b955db639ec26a7e Environment-variable access.
repo/backend/open_webui/env.py:348
DATABASE_SQLITE_PRAGMA_JOURNAL_SIZE_LIMIT = os.getenv('DATABASE_SQLITE_PRAGMA_JOURNAL_SIZE_LIMIT', '67108864')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cac4f51cc3bb5df0 Environment-variable access.
repo/backend/open_webui/env.py:350
DATABASE_USER_ACTIVE_STATUS_UPDATE_INTERVAL = os.getenv('DATABASE_USER_ACTIVE_STATUS_UPDATE_INTERVAL', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5eb0eb8b10cbc6d1 Environment-variable access.
repo/backend/open_webui/env.py:357
DATABASE_ENABLE_SESSION_SHARING = os.getenv('DATABASE_ENABLE_SESSION_SHARING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #31dfe4d1fab6c20f Environment-variable access.
repo/backend/open_webui/env.py:358
ENABLE_PUBLIC_ACTIVE_USERS_COUNT = os.getenv('ENABLE_PUBLIC_ACTIVE_USERS_COUNT', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5b73f88b401ae097 Environment-variable access.
repo/backend/open_webui/env.py:359
RESET_CONFIG_ON_START = os.getenv('RESET_CONFIG_ON_START', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4bf8391f1f4f124d Environment-variable access.
repo/backend/open_webui/env.py:360
ENABLE_REALTIME_CHAT_SAVE = os.getenv('ENABLE_REALTIME_CHAT_SAVE', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #43bc0b5ebd5e8259 Environment-variable access.
repo/backend/open_webui/env.py:361
ENABLE_QUERIES_CACHE = os.getenv('ENABLE_QUERIES_CACHE', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cf9de17ebd673b81 Environment-variable access.
repo/backend/open_webui/env.py:362
RAG_SYSTEM_CONTEXT = os.getenv('RAG_SYSTEM_CONTEXT', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c832a16c96832349 Environment-variable access.
repo/backend/open_webui/env.py:368
REDIS_URL = os.getenv('REDIS_URL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #49a58d131f22b5e9 Environment-variable access.
repo/backend/open_webui/env.py:369
REDIS_CLUSTER = os.getenv('REDIS_CLUSTER', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #46abd33d373db05b Environment-variable access.
repo/backend/open_webui/env.py:371
REDIS_KEY_PREFIX = os.getenv('REDIS_KEY_PREFIX', 'open-webui')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #845e274895309144 Environment-variable access.
repo/backend/open_webui/env.py:373
REDIS_SENTINEL_HOSTS = os.getenv('REDIS_SENTINEL_HOSTS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4c012593857db572 Environment-variable access.
repo/backend/open_webui/env.py:374
REDIS_SENTINEL_PORT = os.getenv('REDIS_SENTINEL_PORT', '26379')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cd42d2832ca535d7 Environment-variable access.
repo/backend/open_webui/env.py:377
REDIS_SENTINEL_MAX_RETRY_COUNT = os.getenv('REDIS_SENTINEL_MAX_RETRY_COUNT', '2')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4aa3dd2aec8249fe Environment-variable access.
repo/backend/open_webui/env.py:386
REDIS_SOCKET_CONNECT_TIMEOUT = os.getenv('REDIS_SOCKET_CONNECT_TIMEOUT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cdce874add6e7b3f Environment-variable access.
repo/backend/open_webui/env.py:397
REDIS_SOCKET_KEEPALIVE = os.getenv('REDIS_SOCKET_KEEPALIVE', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d2395b073f1f79cb Environment-variable access.
repo/backend/open_webui/env.py:405
REDIS_HEALTH_CHECK_INTERVAL = os.getenv('REDIS_HEALTH_CHECK_INTERVAL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #377d892013888eb0 Environment-variable access.
repo/backend/open_webui/env.py:413
REDIS_RECONNECT_DELAY = os.getenv('REDIS_RECONNECT_DELAY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #71b2798e5cb8c82b Environment-variable access.
repo/backend/open_webui/env.py:430
    UVICORN_WORKERS = max(int(os.getenv('UVICORN_WORKERS', '1')), 1)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ea8aefcbacc59bf Environment-variable access.
repo/backend/open_webui/env.py:438
ENABLE_WEBSOCKET_SUPPORT = os.getenv('ENABLE_WEBSOCKET_SUPPORT', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9162dcdb510d956a Environment-variable access.
repo/backend/open_webui/env.py:441
WEBSOCKET_MANAGER = os.getenv('WEBSOCKET_MANAGER', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ba6e27326d38d169 Environment-variable access.
repo/backend/open_webui/env.py:443
WEBSOCKET_REDIS_OPTIONS = os.getenv('WEBSOCKET_REDIS_OPTIONS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d9510754566e4e45 Environment-variable access.
repo/backend/open_webui/env.py:458
WEBSOCKET_REDIS_URL = os.getenv('WEBSOCKET_REDIS_URL', REDIS_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3b5a4a7fb746cdc6 Environment-variable access.
repo/backend/open_webui/env.py:459
WEBSOCKET_REDIS_CLUSTER = os.getenv('WEBSOCKET_REDIS_CLUSTER', str(REDIS_CLUSTER)).lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #57b9802a55dc54be Environment-variable access.
repo/backend/open_webui/env.py:461
websocket_redis_lock_timeout = os.getenv('WEBSOCKET_REDIS_LOCK_TIMEOUT', '60')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2018d32a67ad06c0 Environment-variable access.
repo/backend/open_webui/env.py:468
WEBSOCKET_SENTINEL_HOSTS = os.getenv('WEBSOCKET_SENTINEL_HOSTS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1356a1efc761b6a8 Environment-variable access.
repo/backend/open_webui/env.py:469
WEBSOCKET_SENTINEL_PORT = os.getenv('WEBSOCKET_SENTINEL_PORT', '26379')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #af7ab27543249f9f Environment-variable access.
repo/backend/open_webui/env.py:470
WEBSOCKET_SERVER_LOGGING = os.getenv('WEBSOCKET_SERVER_LOGGING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de0dd9741d11fd38 Environment-variable access.
repo/backend/open_webui/env.py:472
    os.getenv(
        'WEBSOCKET_SERVER_ENGINEIO_LOGGING',
        os.getenv('WEBSOCKET_SERVER_LOGGING', 'False'),
    ).lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c1d0ccab4655e87f Environment-variable access.
repo/backend/open_webui/env.py:474
        os.getenv('WEBSOCKET_SERVER_LOGGING', 'False'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7974611a6a783a72 Environment-variable access.
repo/backend/open_webui/env.py:478
WEBSOCKET_SERVER_PING_TIMEOUT = os.getenv('WEBSOCKET_SERVER_PING_TIMEOUT', '20')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0b467a215f1b50aa Environment-variable access.
repo/backend/open_webui/env.py:484
WEBSOCKET_SERVER_PING_INTERVAL = os.getenv('WEBSOCKET_SERVER_PING_INTERVAL', '25')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #404222d45eeab4b5 Environment-variable access.
repo/backend/open_webui/env.py:490
WEBSOCKET_EVENT_CALLER_TIMEOUT = os.getenv('WEBSOCKET_EVENT_CALLER_TIMEOUT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a5d9cdeb4d0e939 Environment-variable access.
repo/backend/open_webui/env.py:512
AIOHTTP_CLIENT_SSL_CERT_FILE = os.getenv('AIOHTTP_CLIENT_SSL_CERT_FILE', '').strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8810eb040c4435db Environment-variable access.
repo/backend/open_webui/env.py:560
REQUESTS_VERIFY = os.getenv('REQUESTS_VERIFY', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #358a0ca787da3866 Environment-variable access.
repo/backend/open_webui/env.py:562
_aiohttp_timeout_raw = os.getenv('AIOHTTP_CLIENT_TIMEOUT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c5e2f69faef14458 Environment-variable access.
repo/backend/open_webui/env.py:572
AIOHTTP_CLIENT_SESSION_SSL = _parse_ssl_env(os.getenv('AIOHTTP_CLIENT_SESSION_SSL', 'True'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #058f853604c13613 Environment-variable access.
repo/backend/open_webui/env.py:575
AIOHTTP_CLIENT_ALLOW_REDIRECTS = os.getenv('AIOHTTP_CLIENT_ALLOW_REDIRECTS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3b56540a9fe960ec Environment-variable access.
repo/backend/open_webui/env.py:580
USER_AGENT = os.getenv('USER_AGENT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6dd2050c6cd3888f Environment-variable access.
repo/backend/open_webui/env.py:582
_model_list_timeout_raw = os.getenv(
    'AIOHTTP_CLIENT_TIMEOUT_MODEL_LIST',
    os.getenv('AIOHTTP_CLIENT_TIMEOUT_OPENAI_MODEL_LIST', '10'),
)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a923f0563ff65c29 Environment-variable access.
repo/backend/open_webui/env.py:584
    os.getenv('AIOHTTP_CLIENT_TIMEOUT_OPENAI_MODEL_LIST', '10'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #438176c29035beb3 Environment-variable access.
repo/backend/open_webui/env.py:591
_tool_data_timeout_raw = os.getenv('AIOHTTP_CLIENT_TIMEOUT_TOOL_SERVER_DATA', '10')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2845fc24b913fb54 Environment-variable access.
repo/backend/open_webui/env.py:601
AIOHTTP_CLIENT_SESSION_TOOL_SERVER_SSL = _parse_ssl_env(os.getenv('AIOHTTP_CLIENT_SESSION_TOOL_SERVER_SSL', 'True'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #61d41b43898a2f06 Environment-variable access.
repo/backend/open_webui/env.py:603
AIOHTTP_CLIENT_TIMEOUT_TOOL_SERVER = os.getenv('AIOHTTP_CLIENT_TIMEOUT_TOOL_SERVER', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #73bf6e4698c49690 Environment-variable access.
repo/backend/open_webui/env.py:616
MCP_INITIALIZE_TIMEOUT = os.getenv('MCP_INITIALIZE_TIMEOUT', '10')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #09c4d40618e251f2 Environment-variable access.
repo/backend/open_webui/env.py:627
AIOHTTP_POOL_CONNECTIONS = os.getenv('AIOHTTP_POOL_CONNECTIONS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dfe3bb9867fb3520 Environment-variable access.
repo/backend/open_webui/env.py:636
AIOHTTP_POOL_CONNECTIONS_PER_HOST = os.getenv('AIOHTTP_POOL_CONNECTIONS_PER_HOST', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8e779cf06613c142 Environment-variable access.
repo/backend/open_webui/env.py:645
AIOHTTP_POOL_DNS_TTL = os.getenv('AIOHTTP_POOL_DNS_TTL', '300')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9bffa69c0fdb803e Environment-variable access.
repo/backend/open_webui/env.py:653
RAG_EMBEDDING_TIMEOUT = os.getenv('RAG_EMBEDDING_TIMEOUT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d9dcdc2abe857b68 Environment-variable access.
repo/backend/open_webui/env.py:668
WEBUI_AUTH = os.getenv('WEBUI_AUTH', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #42edbcd93b7d2925 Environment-variable access.
repo/backend/open_webui/env.py:670
ENABLE_INITIAL_ADMIN_SIGNUP = os.getenv('ENABLE_INITIAL_ADMIN_SIGNUP', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cc4cc9f9a426591d Environment-variable access.
repo/backend/open_webui/env.py:671
ENABLE_SIGNUP_PASSWORD_CONFIRMATION = os.getenv('ENABLE_SIGNUP_PASSWORD_CONFIRMATION', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #855401f73242cd81 Environment-variable access.
repo/backend/open_webui/env.py:679
WEBUI_SECRET_KEY = os.getenv(
    'WEBUI_SECRET_KEY',
    os.getenv('WEBUI_JWT_SECRET_KEY', ''),
)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0c42f448e9e1fa08 Environment-variable access.
repo/backend/open_webui/env.py:681
    os.getenv('WEBUI_JWT_SECRET_KEY', ''),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a3f738e6504a0275 Environment-variable access.
repo/backend/open_webui/env.py:684
ENABLE_VALVE_ENCRYPTION = os.getenv('ENABLE_VALVE_ENCRYPTION', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #90a73fb8dae75b2a Environment-variable access.
repo/backend/open_webui/env.py:686
WEBUI_SESSION_COOKIE_SAME_SITE = os.getenv('WEBUI_SESSION_COOKIE_SAME_SITE', 'lax')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #27b28833bbf845c9 Environment-variable access.
repo/backend/open_webui/env.py:687
WEBUI_SESSION_COOKIE_SECURE = os.getenv('WEBUI_SESSION_COOKIE_SECURE', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8d33bdcdc2f149bc Environment-variable access.
repo/backend/open_webui/env.py:688
WEBUI_AUTH_COOKIE_SAME_SITE = os.getenv('WEBUI_AUTH_COOKIE_SAME_SITE', WEBUI_SESSION_COOKIE_SAME_SITE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b90dcc7c724c3bba Environment-variable access.
repo/backend/open_webui/env.py:690
    os.getenv(
        'WEBUI_AUTH_COOKIE_SECURE',
        os.getenv('WEBUI_SESSION_COOKIE_SECURE', 'false'),
    ).lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a96546cc9dd6347a Environment-variable access.
repo/backend/open_webui/env.py:692
        os.getenv('WEBUI_SESSION_COOKIE_SECURE', 'false'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #07d5d4d6157453c5 Environment-variable access.
repo/backend/open_webui/env.py:707
ENABLE_COMPRESSION_MIDDLEWARE = os.getenv('ENABLE_COMPRESSION_MIDDLEWARE', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7ef81072a4474cac Environment-variable access.
repo/backend/open_webui/env.py:715
WEBUI_ADMIN_EMAIL = os.getenv('WEBUI_ADMIN_EMAIL', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5b9da6d6b152322f Environment-variable access.
repo/backend/open_webui/env.py:716
WEBUI_ADMIN_PASSWORD = os.getenv('WEBUI_ADMIN_PASSWORD', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aeaa5a0e2210660e Environment-variable access.
repo/backend/open_webui/env.py:717
WEBUI_ADMIN_NAME = os.getenv('WEBUI_ADMIN_NAME', 'Admin')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b72923fc12b8fce1 Environment-variable access.
repo/backend/open_webui/env.py:719
WEBUI_AUTH_TRUSTED_EMAIL_HEADER = os.getenv('WEBUI_AUTH_TRUSTED_EMAIL_HEADER', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c319396baddaa025 Environment-variable access.
repo/backend/open_webui/env.py:720
WEBUI_AUTH_TRUSTED_NAME_HEADER = os.getenv('WEBUI_AUTH_TRUSTED_NAME_HEADER', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #305f9aa4922074f9 Environment-variable access.
repo/backend/open_webui/env.py:721
WEBUI_AUTH_TRUSTED_GROUPS_HEADER = os.getenv('WEBUI_AUTH_TRUSTED_GROUPS_HEADER', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b62acdbeb95ac27e Environment-variable access.
repo/backend/open_webui/env.py:722
WEBUI_AUTH_TRUSTED_ROLE_HEADER = os.getenv('WEBUI_AUTH_TRUSTED_ROLE_HEADER', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2288b78c59cc66a7 Environment-variable access.
repo/backend/open_webui/env.py:729
CUSTOM_API_KEY_HEADER = os.getenv('CUSTOM_API_KEY_HEADER', 'x-api-key')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7c64b2fb5fcde8cc Environment-variable access.
repo/backend/open_webui/env.py:731
ENABLE_PASSWORD_VALIDATION = os.getenv('ENABLE_PASSWORD_VALIDATION', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #512eaf537408c762 Environment-variable access.
repo/backend/open_webui/env.py:732
PASSWORD_HASH_ALGORITHM = os.getenv('PASSWORD_HASH_ALGORITHM', 'bcrypt').lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b6b25039ac64c8c8 Environment-variable access.
repo/backend/open_webui/env.py:733
PASSWORD_VALIDATION_REGEX_PATTERN = os.getenv(
    'PASSWORD_VALIDATION_REGEX_PATTERN',
    r'^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\w\s]).{8,}$',
)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bf7a22d2253aef49 Environment-variable access.
repo/backend/open_webui/env.py:746
PASSWORD_VALIDATION_HINT = os.getenv('PASSWORD_VALIDATION_HINT', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ea91a0bf4596584e Environment-variable access.
repo/backend/open_webui/env.py:749
BYPASS_MODEL_ACCESS_CONTROL = os.getenv('BYPASS_MODEL_ACCESS_CONTROL', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #64d185ff6b1f8e7a Environment-variable access.
repo/backend/open_webui/env.py:750
BYPASS_RETRIEVAL_ACCESS_CONTROL = os.getenv('BYPASS_RETRIEVAL_ACCESS_CONTROL', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fa4d93c2afdd7464 Environment-variable access.
repo/backend/open_webui/env.py:756
ENABLE_RETRIEVAL_UNSCOPED_COLLECTIONS = os.getenv('ENABLE_RETRIEVAL_UNSCOPED_COLLECTIONS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c0a93e228640a703 Environment-variable access.
repo/backend/open_webui/env.py:758
    int(os.getenv('MINERU_MAX_MARKDOWN_BYTES')) if os.getenv('MINERU_MAX_MARKDOWN_BYTES') else None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #79ed89fc29a5dc14 Environment-variable access.
repo/backend/open_webui/env.py:764
BYPASS_PYDUB_PREPROCESSING = os.getenv('BYPASS_PYDUB_PREPROCESSING', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3a2c16b8e152c33b Environment-variable access.
repo/backend/open_webui/env.py:769
ENABLE_OPENAI_API_PASSTHROUGH = os.getenv('ENABLE_OPENAI_API_PASSTHROUGH', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f9ba7719968a703c Environment-variable access.
repo/backend/open_webui/env.py:771
WEBUI_AUTH_SIGNOUT_REDIRECT_URL = os.getenv('WEBUI_AUTH_SIGNOUT_REDIRECT_URL', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1930b548487f2b42 Environment-variable access.
repo/backend/open_webui/env.py:776
ENABLE_OAUTH_EMAIL_FALLBACK = os.getenv('ENABLE_OAUTH_EMAIL_FALLBACK', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f85b98b79bf237e4 Environment-variable access.
repo/backend/open_webui/env.py:778
ENABLE_OAUTH_ID_TOKEN_COOKIE = os.getenv('ENABLE_OAUTH_ID_TOKEN_COOKIE', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a74379d3cf21a36f Environment-variable access.
repo/backend/open_webui/env.py:780
OAUTH_CLIENT_INFO_ENCRYPTION_KEY = os.getenv('OAUTH_CLIENT_INFO_ENCRYPTION_KEY', WEBUI_SECRET_KEY)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1a3d54a1eb5bddfd Environment-variable access.
repo/backend/open_webui/env.py:782
OAUTH_SESSION_TOKEN_ENCRYPTION_KEY = os.getenv('OAUTH_SESSION_TOKEN_ENCRYPTION_KEY', WEBUI_SECRET_KEY)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b348623dbf3e191a Environment-variable access.
repo/backend/open_webui/env.py:786
OAUTH_MAX_SESSIONS_PER_USER = int(os.getenv('OAUTH_MAX_SESSIONS_PER_USER', '10'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #efb8e8d5fe80a7ba Environment-variable access.
repo/backend/open_webui/env.py:790
ENABLE_OAUTH_TOKEN_EXCHANGE = os.getenv('ENABLE_OAUTH_TOKEN_EXCHANGE', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1b576b0d52344606 Environment-variable access.
repo/backend/open_webui/env.py:796
ENABLE_OAUTH_BACKCHANNEL_LOGOUT = os.getenv('ENABLE_OAUTH_BACKCHANNEL_LOGOUT', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0d83205988cf55ee Environment-variable access.
repo/backend/open_webui/env.py:802
ENABLE_SCIM = os.getenv('ENABLE_SCIM', os.getenv('SCIM_ENABLED', 'False')).lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #108066ce4560ba46 Environment-variable access.
repo/backend/open_webui/env.py:803
SCIM_TOKEN = os.getenv('SCIM_TOKEN', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #16e1da2f74ec1b7e Environment-variable access.
repo/backend/open_webui/env.py:804
SCIM_AUTH_PROVIDER = os.getenv('SCIM_AUTH_PROVIDER', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff7c9176f32a7362 Environment-variable access.
repo/backend/open_webui/env.py:817
LICENSE_KEY = os.getenv('LICENSE_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0ef8eefc9cebd226 Environment-variable access.
repo/backend/open_webui/env.py:820
LICENSE_BLOB_PATH = os.getenv('LICENSE_BLOB_PATH', DATA_DIR / 'l.data')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bbc2e125223b2f53 Filesystem access.
repo/backend/open_webui/env.py:822
    with open(LICENSE_BLOB_PATH, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b7f9ada9f53b876b Environment-variable access.
repo/backend/open_webui/env.py:825
LICENSE_PUBLIC_KEY = os.getenv('LICENSE_PUBLIC_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7d4d78b0933a54e5 Environment-variable access.
repo/backend/open_webui/env.py:842
WEBUI_NAME = os.getenv('WEBUI_NAME', 'Open WebUI')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d4cd5a5d6e6fcf78 Environment-variable access.
repo/backend/open_webui/env.py:847
WEBUI_BUILD_HASH = os.getenv('WEBUI_BUILD_HASH', 'dev-build')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c6f511e67b2365f1 Environment-variable access.
repo/backend/open_webui/env.py:848
TRUSTED_SIGNATURE_KEY = os.getenv('TRUSTED_SIGNATURE_KEY', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8f477e199630b12a Environment-variable access.
repo/backend/open_webui/env.py:854
SAFE_MODE = os.getenv('SAFE_MODE', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dbc091b9f003d3ea Environment-variable access.
repo/backend/open_webui/env.py:855
ENABLE_EASTER_EGGS = os.getenv('ENABLE_EASTER_EGGS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5cae92da31858a18 Environment-variable access.
repo/backend/open_webui/env.py:856
ENABLE_STAR_SESSIONS_MIDDLEWARE = os.getenv('ENABLE_STAR_SESSIONS_MIDDLEWARE', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #588ad7e684e3cd65 Environment-variable access.
repo/backend/open_webui/env.py:857
ENABLE_KB_EXEC = os.getenv('ENABLE_KB_EXEC', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #438a620e34cf1d6f Environment-variable access.
repo/backend/open_webui/env.py:859
ENABLE_PROFILE_IMAGE_URL_FORWARDING = os.getenv('ENABLE_PROFILE_IMAGE_URL_FORWARDING', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bca672ec1d57784c Environment-variable access.
repo/backend/open_webui/env.py:862
    for t in os.getenv(
        'PROFILE_IMAGE_ALLOWED_MIME_TYPES',
        'image/png,image/jpeg,image/gif,image/webp',
    ).split(',')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8fe1b3b6c1574b3f Environment-variable access.
repo/backend/open_webui/env.py:871
_profile_image_max_data_uri_size = os.getenv('PROFILE_IMAGE_MAX_DATA_URI_SIZE', '').strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #64691c4f5635e13e Environment-variable access.
repo/backend/open_webui/env.py:878
ENABLE_FORWARD_USER_INFO_HEADERS = os.getenv('ENABLE_FORWARD_USER_INFO_HEADERS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a5194171e1b3da6a Environment-variable access.
repo/backend/open_webui/env.py:880
FORWARD_USER_INFO_HEADER_USER_NAME = os.getenv('FORWARD_USER_INFO_HEADER_USER_NAME', 'X-OpenWebUI-User-Name')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #21253d4b7d14b565 Environment-variable access.
repo/backend/open_webui/env.py:881
FORWARD_USER_INFO_HEADER_USER_ID = os.getenv('FORWARD_USER_INFO_HEADER_USER_ID', 'X-OpenWebUI-User-Id')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aa8a4059d61a9cdb Environment-variable access.
repo/backend/open_webui/env.py:882
FORWARD_USER_INFO_HEADER_USER_EMAIL = os.getenv('FORWARD_USER_INFO_HEADER_USER_EMAIL', 'X-OpenWebUI-User-Email')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #18678605942e737a Environment-variable access.
repo/backend/open_webui/env.py:883
FORWARD_USER_INFO_HEADER_USER_ROLE = os.getenv('FORWARD_USER_INFO_HEADER_USER_ROLE', 'X-OpenWebUI-User-Role')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1648147426e5df13 Environment-variable access.
repo/backend/open_webui/env.py:884
FORWARD_SESSION_INFO_HEADER_MESSAGE_ID = os.getenv('FORWARD_SESSION_INFO_HEADER_MESSAGE_ID', 'X-OpenWebUI-Message-Id')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0bae8a989d181645 Environment-variable access.
repo/backend/open_webui/env.py:885
FORWARD_SESSION_INFO_HEADER_CHAT_ID = os.getenv('FORWARD_SESSION_INFO_HEADER_CHAT_ID', 'X-OpenWebUI-Chat-Id')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e066959508e5c460 Environment-variable access.
repo/backend/open_webui/env.py:889
FORWARD_USER_INFO_HEADER_JWT_SECRET = (os.environ.get('FORWARD_USER_INFO_HEADER_JWT_SECRET') or '').strip() or None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d889c13406c276e1 Environment-variable access.
repo/backend/open_webui/env.py:890
FORWARD_USER_INFO_HEADER_JWT = os.environ.get('FORWARD_USER_INFO_HEADER_JWT', 'X-OpenWebUI-User-Jwt')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d64d8a8080f63aa Environment-variable access.
repo/backend/open_webui/env.py:893
        os.environ.get('FORWARD_USER_INFO_HEADER_JWT_EXPIRES_SECONDS', '300')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #19ffd0f774d9adf3 Environment-variable access.
repo/backend/open_webui/env.py:902
EXTERNAL_PWA_MANIFEST_URL = os.getenv('EXTERNAL_PWA_MANIFEST_URL', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7b057f164743c654 Environment-variable access.
repo/backend/open_webui/env.py:910
_default_group_share = os.getenv('DEFAULT_GROUP_SHARE_PERMISSION', 'members').strip().lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #deaba3613d4fc9b1 Environment-variable access.
repo/backend/open_webui/env.py:917
ENABLE_CUSTOM_MODEL_FALLBACK = os.getenv('ENABLE_CUSTOM_MODEL_FALLBACK', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #30bef0044cbe9944 Environment-variable access.
repo/backend/open_webui/env.py:919
MODELS_CACHE_TTL = os.getenv('MODELS_CACHE_TTL', '1')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #51f4d7d193c98724 Environment-variable access.
repo/backend/open_webui/env.py:934
    os.getenv('ENABLE_CHAT_RESPONSE_BASE64_IMAGE_URL_CONVERSION', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #672de0aa84d15e0d Environment-variable access.
repo/backend/open_webui/env.py:936
ENABLE_API_OUTLET_FILTERS = os.getenv('ENABLE_API_OUTLET_FILTERS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a7a39e791562d9d Environment-variable access.
repo/backend/open_webui/env.py:944
    os.getenv('ENABLE_IMAGE_CONTENT_TYPE_EXTENSION_FALLBACK', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #12e13ddccbc593a2 Environment-variable access.
repo/backend/open_webui/env.py:947
CHAT_RESPONSE_STREAM_DELTA_CHUNK_SIZE = os.getenv('CHAT_RESPONSE_STREAM_DELTA_CHUNK_SIZE', '1')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ae0eb2b34ee6805b Environment-variable access.
repo/backend/open_webui/env.py:960
CHAT_RESPONSE_MAX_TOOL_CALL_ITERATIONS = os.getenv(
    'CHAT_RESPONSE_MAX_TOOL_CALL_ITERATIONS',
    os.getenv('CHAT_RESPONSE_MAX_TOOL_CALL_RETRIES', '256'),
)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ee18569e0c41e587 Environment-variable access.
repo/backend/open_webui/env.py:962
    os.getenv('CHAT_RESPONSE_MAX_TOOL_CALL_RETRIES', '256'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #946d7f3c4327e11e Environment-variable access.
repo/backend/open_webui/env.py:982
ENABLE_RESPONSES_API_STATEFUL = os.getenv('ENABLE_RESPONSES_API_STATEFUL', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #bb12e8eda6bd7cee Environment-variable access.
repo/backend/open_webui/env.py:985
CHAT_STREAM_RESPONSE_CHUNK_MAX_BUFFER_SIZE = os.getenv('CHAT_STREAM_RESPONSE_CHUNK_MAX_BUFFER_SIZE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6dbf3f2eeb2c85a6 Environment-variable access.
repo/backend/open_webui/env.py:1001
SENTENCE_TRANSFORMERS_BACKEND = os.getenv('SENTENCE_TRANSFORMERS_BACKEND', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd8cbbd28c823147 Environment-variable access.
repo/backend/open_webui/env.py:1006
SENTENCE_TRANSFORMERS_MODEL_KWARGS = os.getenv('SENTENCE_TRANSFORMERS_MODEL_KWARGS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4a901e92b4504a35 Environment-variable access.
repo/backend/open_webui/env.py:1016
SENTENCE_TRANSFORMERS_CROSS_ENCODER_BACKEND = os.getenv('SENTENCE_TRANSFORMERS_CROSS_ENCODER_BACKEND', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0eb3c7eac3b59b4a Environment-variable access.
repo/backend/open_webui/env.py:1021
SENTENCE_TRANSFORMERS_CROSS_ENCODER_MODEL_KWARGS = os.getenv('SENTENCE_TRANSFORMERS_CROSS_ENCODER_MODEL_KWARGS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #87a31aba1ede0e81 Environment-variable access.
repo/backend/open_webui/env.py:1034
    os.getenv('SENTENCE_TRANSFORMERS_CROSS_ENCODER_SIGMOID_ACTIVATION_FUNCTION', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3d197bc53e9aff20 Environment-variable access.
repo/backend/open_webui/env.py:1042
    os.getenv('ENABLE_PIP_INSTALL_FRONTMATTER_REQUIREMENTS', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #04f052856cc1d1ea Environment-variable access.
repo/backend/open_webui/env.py:1045
PIP_OPTIONS = os.getenv('PIP_OPTIONS', '').split()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ee4751e05ef560c6 Environment-variable access.
repo/backend/open_webui/env.py:1046
PIP_PACKAGE_INDEX_OPTIONS = os.getenv('PIP_PACKAGE_INDEX_OPTIONS', '').split()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0486190dfe26b40c Environment-variable access.
repo/backend/open_webui/env.py:1053
ENABLE_VERSION_UPDATE_CHECK = os.getenv('ENABLE_VERSION_UPDATE_CHECK', 'true').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #dd4d10f95c733d8c Environment-variable access.
repo/backend/open_webui/env.py:1054
OFFLINE_MODE = os.getenv('OFFLINE_MODE', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #44c627d8d9b07752 Environment-variable access.
repo/backend/open_webui/env.py:1057
    os.environ['HF_HUB_OFFLINE'] = '1'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5fbe68e3ddb5b5f7 Environment-variable access.
repo/backend/open_webui/env.py:1064
ENABLE_PYODIDE_FILE_PERSISTENCE = os.getenv('ENABLE_PYODIDE_FILE_PERSISTENCE', 'false').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3569655562c501fe Environment-variable access.
repo/backend/open_webui/env.py:1071
ENABLE_AUDIT_STDOUT = os.getenv('ENABLE_AUDIT_STDOUT', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e12925b229ec5076 Environment-variable access.
repo/backend/open_webui/env.py:1072
ENABLE_AUDIT_LOGS_FILE = os.getenv('ENABLE_AUDIT_LOGS_FILE', 'True').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ff97e39697a7257c Environment-variable access.
repo/backend/open_webui/env.py:1077
AUDIT_LOGS_FILE_PATH = os.getenv('AUDIT_LOGS_FILE_PATH', f'{DATA_DIR}/audit.log')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e2f2e6ca5902ddc0 Environment-variable access.
repo/backend/open_webui/env.py:1079
AUDIT_LOG_FILE_ROTATION_SIZE = os.getenv('AUDIT_LOG_FILE_ROTATION_SIZE', '10MB')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #781c062300d660cf Environment-variable access.
repo/backend/open_webui/env.py:1084
AUDIT_UVICORN_LOGGER_NAMES = os.getenv('AUDIT_UVICORN_LOGGER_NAMES', 'uvicorn.access').split(',')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1f44cbb6d0d69aa0 Environment-variable access.
repo/backend/open_webui/env.py:1087
AUDIT_LOG_LEVEL = os.getenv('AUDIT_LOG_LEVEL', 'NONE').upper()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #14c78ab49d5f9eed Environment-variable access.
repo/backend/open_webui/env.py:1089
    MAX_BODY_LOG_SIZE = int(os.getenv('MAX_BODY_LOG_SIZE') or 2048)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6d36e21117c5e46c Environment-variable access.
repo/backend/open_webui/env.py:1094
AUDIT_EXCLUDED_PATHS = os.getenv('AUDIT_EXCLUDED_PATHS', '/chats,/chat,/folders').split(',')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c43ecdabff1f0046 Environment-variable access.
repo/backend/open_webui/env.py:1100
AUDIT_INCLUDED_PATHS = os.getenv('AUDIT_INCLUDED_PATHS', '').split(',')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4666953f3472a176 Environment-variable access.
repo/backend/open_webui/env.py:1105
ENABLE_AUDIT_GET_REQUESTS = os.getenv('ENABLE_AUDIT_GET_REQUESTS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #16ebf07c968265cb Environment-variable access.
repo/backend/open_webui/env.py:1112
ENABLE_OTEL = os.getenv('ENABLE_OTEL', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4bc4d0bc78d305c2 Environment-variable access.
repo/backend/open_webui/env.py:1113
ENABLE_OTEL_TRACES = os.getenv('ENABLE_OTEL_TRACES', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #db2291b21af98526 Environment-variable access.
repo/backend/open_webui/env.py:1114
ENABLE_OTEL_METRICS = os.getenv('ENABLE_OTEL_METRICS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e47ed30e683fd63e Environment-variable access.
repo/backend/open_webui/env.py:1115
ENABLE_OTEL_LOGS = os.getenv('ENABLE_OTEL_LOGS', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #65abf716d7b011a9 Environment-variable access.
repo/backend/open_webui/env.py:1117
OTEL_EXPORTER_OTLP_ENDPOINT = os.getenv('OTEL_EXPORTER_OTLP_ENDPOINT', 'http://localhost:4317')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #cbdaf4a6a939aef5 Environment-variable access.
repo/backend/open_webui/env.py:1118
OTEL_METRICS_EXPORTER_OTLP_ENDPOINT = os.getenv('OTEL_METRICS_EXPORTER_OTLP_ENDPOINT', OTEL_EXPORTER_OTLP_ENDPOINT)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a7a040a229931140 Environment-variable access.
repo/backend/open_webui/env.py:1119
OTEL_LOGS_EXPORTER_OTLP_ENDPOINT = os.getenv('OTEL_LOGS_EXPORTER_OTLP_ENDPOINT', OTEL_EXPORTER_OTLP_ENDPOINT)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #abaf3fadd56e531e Environment-variable access.
repo/backend/open_webui/env.py:1120
OTEL_EXPORTER_OTLP_INSECURE = os.getenv('OTEL_EXPORTER_OTLP_INSECURE', 'False').lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9569e9f3537d9895 Environment-variable access.
repo/backend/open_webui/env.py:1122
    os.getenv('OTEL_METRICS_EXPORTER_OTLP_INSECURE', str(OTEL_EXPORTER_OTLP_INSECURE)).lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b59c8c8a78952bf2 Environment-variable access.
repo/backend/open_webui/env.py:1125
    os.getenv('OTEL_LOGS_EXPORTER_OTLP_INSECURE', str(OTEL_EXPORTER_OTLP_INSECURE)).lower() == 'true'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a85c8b401f37b1e1 Environment-variable access.
repo/backend/open_webui/env.py:1127
OTEL_SERVICE_NAME = os.getenv('OTEL_SERVICE_NAME', 'open-webui')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #02bec92343ec9440 Environment-variable access.
repo/backend/open_webui/env.py:1128
OTEL_RESOURCE_ATTRIBUTES = os.getenv('OTEL_RESOURCE_ATTRIBUTES', '')  # e.g. key1=val1,key2=val2

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0583d0c846143c62 Environment-variable access.
repo/backend/open_webui/env.py:1129
OTEL_TRACES_SAMPLER = os.getenv('OTEL_TRACES_SAMPLER', 'parentbased_always_on').lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2ccdd743be0d0d26 Environment-variable access.
repo/backend/open_webui/env.py:1130
OTEL_BASIC_AUTH_USERNAME = os.getenv('OTEL_BASIC_AUTH_USERNAME', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d84ca4df763aa1ba Environment-variable access.
repo/backend/open_webui/env.py:1131
OTEL_BASIC_AUTH_PASSWORD = os.getenv('OTEL_BASIC_AUTH_PASSWORD', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9d2972307fbdf106 Environment-variable access.
repo/backend/open_webui/env.py:1132
OTEL_METRICS_EXPORT_INTERVAL_MILLIS = int(os.getenv('OTEL_METRICS_EXPORT_INTERVAL_MILLIS', '10000'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #f7fd14b2193e7a42 Environment-variable access.
repo/backend/open_webui/env.py:1134
OTEL_METRICS_BASIC_AUTH_USERNAME = os.getenv('OTEL_METRICS_BASIC_AUTH_USERNAME', OTEL_BASIC_AUTH_USERNAME)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #563219f91c110913 Environment-variable access.
repo/backend/open_webui/env.py:1135
OTEL_METRICS_BASIC_AUTH_PASSWORD = os.getenv('OTEL_METRICS_BASIC_AUTH_PASSWORD', OTEL_BASIC_AUTH_PASSWORD)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4849127da9c3db7e Environment-variable access.
repo/backend/open_webui/env.py:1136
OTEL_LOGS_BASIC_AUTH_USERNAME = os.getenv('OTEL_LOGS_BASIC_AUTH_USERNAME', OTEL_BASIC_AUTH_USERNAME)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e46599560647f25b Environment-variable access.
repo/backend/open_webui/env.py:1137
OTEL_LOGS_BASIC_AUTH_PASSWORD = os.getenv('OTEL_LOGS_BASIC_AUTH_PASSWORD', OTEL_BASIC_AUTH_PASSWORD)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #2b054cc72f6aad6d Environment-variable access.
repo/backend/open_webui/env.py:1139
OTEL_OTLP_SPAN_EXPORTER = os.getenv('OTEL_OTLP_SPAN_EXPORTER', 'grpc').lower()  # grpc or http

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #65ce8b59e393360a Environment-variable access.
repo/backend/open_webui/env.py:1141
OTEL_METRICS_OTLP_SPAN_EXPORTER = os.getenv(
    'OTEL_METRICS_OTLP_SPAN_EXPORTER', OTEL_OTLP_SPAN_EXPORTER
).lower()  # grpc or http

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6ce7f0d2e89254a7 Environment-variable access.
repo/backend/open_webui/env.py:1145
OTEL_LOGS_OTLP_SPAN_EXPORTER = os.getenv(
    'OTEL_LOGS_OTLP_SPAN_EXPORTER', OTEL_OTLP_SPAN_EXPORTER
).lower()  # grpc or http

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #488c7a11cf7f9927 Environment-variable access.
repo/backend/open_webui/internal/db.py:242
    database_password = os.environ.get('DATABASE_PASSWORD')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #397472d4b3f94df9 Filesystem access.
repo/backend/open_webui/retrieval/loaders/datalab_marker.py:110
            with open(self.file_path, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #4930a7aeec3e89db Filesystem access.
repo/backend/open_webui/retrieval/loaders/datalab_marker.py:235
            with open(output_path, 'w', encoding='utf-8') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #894f16e3d2a1a672 Filesystem access.
repo/backend/open_webui/retrieval/loaders/external_document.py:37
        with open(self.file_path, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #8bb8a207fd499d72 Filesystem access.
repo/backend/open_webui/retrieval/loaders/main.py:149
        with open(self.file_path, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #115176a78d77c3a5 Filesystem access.
repo/backend/open_webui/retrieval/loaders/main.py:192
        with open(self.file_path, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #728b28adc89bee91 Filesystem access.
repo/backend/open_webui/retrieval/loaders/main.py:294
            with open(file_path, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c51035c7532bb095 Filesystem access.
repo/backend/open_webui/retrieval/loaders/mineru.py:97
            with open(self.file_path, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #251f35e264885f28 Filesystem access.
repo/backend/open_webui/retrieval/loaders/mineru.py:298
            with open(self.file_path, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5e0697e271c916da Filesystem access.
repo/backend/open_webui/retrieval/loaders/mistral.py:235
            with open(self.file_path, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1ec23d22f1b74883 Filesystem access.
repo/backend/open_webui/retrieval/loaders/mistral.py:270
            with open(self.file_path, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #15e2ef319e9679bd Filesystem access.
repo/backend/open_webui/retrieval/loaders/mistral.py:424
        with open(self.file_path, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #81ba2cd16e36e710 Filesystem access.
repo/backend/open_webui/retrieval/loaders/paddleocr_vl.py:38
            with open(self.file_path, 'rb') as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #99daa1f49f4a6ef0 Environment-variable access.
repo/backend/open_webui/retrieval/utils.py:1623
    cache_dir = os.getenv('SENTENCE_TRANSFORMERS_HOME')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #0e68e4ebd5ba4e3e Environment-variable access.
repo/backend/open_webui/retrieval/web/bing.py:68
        os.environ.get('BING_SEARCH_V7_SUBSCRIPTION_KEY', ''),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a49a159c33ae60f0 Environment-variable access.
repo/backend/open_webui/retrieval/web/bing.py:69
        os.environ.get('BING_SEARCH_V7_ENDPOINT', 'https://api.bing.microsoft.com/v7.0/search'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #e2be1eff97995d12 Hardcoded external endpoint. Review what data is sent to this destination.
repo/backend/open_webui/retrieval/web/bocha.py:46
    response = requests.post(url, headers=headers, data=payload, timeout=5)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #c5f8fa7b4c56a508 Hardcoded external endpoint. Review what data is sent to this destination.
repo/backend/open_webui/retrieval/web/brave_llm_context.py:44
    response = requests.get(url, headers=headers, params=params)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #4ad7fae2781e5aa7 Hardcoded external endpoint. Review what data is sent to this destination.
repo/backend/open_webui/retrieval/web/brave_llm_context.py:50
        response = requests.get(url, headers=headers, params=params)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #0a07ad84a0826439 Hardcoded external endpoint. Review what data is sent to this destination.
repo/backend/open_webui/retrieval/web/exa.py:47
        response = requests.post(f'{EXA_API_BASE}/search', headers=headers, json=payload)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #947aac1bb7262a65 Hardcoded external endpoint. Review what data is sent to this destination.
repo/backend/open_webui/retrieval/web/kagi.py:26
    response = requests.post(url, headers=headers, json=params)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #d2625b1cfe292db1 Hardcoded external endpoint. Review what data is sent to this destination.
repo/backend/open_webui/retrieval/web/mojeek.py:24
    response = requests.get(url, headers=headers, params=params)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low egress production #d82ae36b7ef9dd7b Hardcoded external endpoint. Review what data is sent to this destination.
repo/backend/open_webui/retrieval/web/tavily.py:34
    response = requests.post(url, headers=headers, json=data)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #539ae4f1dc9751c3 Environment-variable access.
repo/backend/open_webui/retrieval/web/yandex.py:142
        os.environ.get('YANDEX_WEB_SEARCH_URL', ''),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #262850626322f32c Environment-variable access.
repo/backend/open_webui/retrieval/web/yandex.py:143
        os.environ.get('YANDEX_WEB_SEARCH_API_KEY', ''),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7201f5892646e94a Environment-variable access.
repo/backend/open_webui/retrieval/web/yandex.py:144
        os.environ.get('YANDEX_WEB_SEARCH_CONFIG', '{"query": {"searchType": "SEARCH_TYPE_COM"}}'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress production #039c65c54d19e6ea Hardcoded external endpoint. Review what data is sent to this destination.
repo/backend/open_webui/retrieval/web/ydc.py:37
    response = requests.get(url, headers=headers, params=params)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs production #0b92687fbcf765e1 Filesystem access.
repo/backend/open_webui/routers/audio.py:681
                with open(file_path, 'rb') as audio_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #567e92ccff3c69db Filesystem access.
repo/backend/open_webui/routers/audio.py:828
    form_data.add_field('audio', open(file_path, 'rb'), filename=filename)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #22d67466e3a3334f Filesystem access.
repo/backend/open_webui/routers/audio.py:1005
            form_data.add_field('file', open(file_path, 'rb'), filename=filename, content_type=mime_type)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aac9f7ebe522e530 Filesystem access.
repo/backend/open_webui/routers/audio.py:1212
            with open(file_path, 'wb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #eaafda3b5b70442d Environment-variable access.
repo/backend/open_webui/routers/evaluations.py:65
EMBEDDING_MODEL_NAME = os.environ.get('AUXILIARY_EMBEDDING_MODEL', 'TaylorAI/bge-micro-v2')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #140032016f33c773 Filesystem access.
repo/backend/open_webui/routers/files.py:78
        with open(resolved, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #469d65baca399aff Filesystem access.
repo/backend/open_webui/routers/images.py:939
                    with open(file_path, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #6cb3b10ec27e66a8 Filesystem access.
repo/backend/open_webui/routers/ollama.py:1480
        with open(file_path, 'ab+') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9c7c4ac061797adf Filesystem access.
repo/backend/open_webui/routers/ollama.py:1494
                    with open(file_path, 'rb') as blob_f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #5b63f0d2100a9c5a Filesystem access.
repo/backend/open_webui/routers/ollama.py:1560
        with open(file_path, 'wb') as out_f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fb13ddca1211aa10 Filesystem access.
repo/backend/open_webui/routers/ollama.py:1579
            with open(file_path, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9170020f533b99cb Filesystem access.
repo/backend/open_webui/routers/ollama.py:1588
                with open(file_path, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #121941f7fbcdd11d Filesystem access.
repo/backend/open_webui/routers/openai.py:400
            with open(file_path, 'wb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #ac5590ae96bb02ee Filesystem access.
repo/backend/open_webui/routers/openai.py:404
            with open(file_body_path, 'w') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e0891aa9cad3f971 Filesystem access.
repo/backend/open_webui/routers/pipelines.py:242
            with open(file_path, 'wb') as buffer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #9f2aa02950028071 Filesystem access.
repo/backend/open_webui/routers/pipelines.py:252
            with open(file_path, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #7a348f5aa727da0c Environment-variable access.
repo/backend/open_webui/routers/retrieval.py:1567
            cache_dir=os.getenv('SENTENCE_TRANSFORMERS_HOME') or os.getenv('HF_HUB_CACHE'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #773b986a3b2061a4 Filesystem access.
repo/backend/open_webui/storage/provider.py:65
        with open(file_path, 'wb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #a8f33a880ccd051f Filesystem access.
repo/backend/open_webui/storage/provider.py:303
            with open(local_file_path, 'wb') as download_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #e1ecd5090281b7f9 Filesystem access.
repo/backend/open_webui/utils/auth.py:81
    with open(file_path, 'wb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #3bc66102208e2d71 Environment-variable access.
repo/backend/open_webui/utils/automations.py:43
SCHEDULER_POLL_INTERVAL = int(os.getenv('SCHEDULER_POLL_INTERVAL', os.getenv('AUTOMATION_POLL_INTERVAL', '10')))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #81916efa385670c8 Environment-variable access.
repo/backend/open_webui/utils/automations.py:44
CALENDAR_ALERT_LOOKAHEAD_MINUTES = int(os.getenv('CALENDAR_ALERT_LOOKAHEAD_MINUTES', '10'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #82ac7e1fceddb33f Filesystem access.
repo/backend/open_webui/utils/files.py:203
            with open(file_path, 'rb') as image_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #c48699911465f42b Filesystem access.
repo/backend/open_webui/utils/misc.py:678
    with open(file_path, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #de920632e1f7afa1 Filesystem access.
repo/backend/open_webui/utils/pdf_generator.py:30
        self.css = Path(STATIC_DIR / 'assets' / 'pdf-style.css').read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #d0fe27b78a08b050 Filesystem access.
repo/backend/open_webui/utils/plugin.py:231
        with open(temp_file.name, 'w', encoding='utf-8') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #1a92f3b73fd3480e Filesystem access.
repo/backend/open_webui/utils/plugin.py:276
        with open(temp_file.name, 'w', encoding='utf-8') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #b3d1723e8933511d Environment-variable access.
repo/backend/open_webui/utils/security_headers.py:63
        value = os.environ.get(env_var, None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #fd0cf760cbcede74 Filesystem access.
repo/contribution_stats.py:11
        with open(filepath, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs production #aad02f37af6433ef Environment-variable access.
repo/hatch_build.py:20
        os.environ['APP_BUILD_HASH'] = version

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

first-party (python): backend/open_webui/utils/telemetry

python first-party
medium telemetry production #c81d1cc5cd49c869 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/constants.py:1
from opentelemetry.semconv._incubating.attributes import (
    db_attributes as _db,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #69fc0d43e8d19a9d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/constants.py:4
from opentelemetry.semconv._incubating.attributes import (
    http_attributes as _http,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #bca595af6da85787 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/instrumentors.py:12
from opentelemetry.instrumentation.aiohttp_client import AioHttpClientInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #655a31d1122a40d9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/instrumentors.py:13
from opentelemetry.instrumentation.fastapi import FastAPIInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #576e40e727ba81d6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/instrumentors.py:14
from opentelemetry.instrumentation.httpx import (
    HTTPXClientInstrumentor,
    RequestInfo,
    ResponseInfo,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9675a3a68ca71716 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/instrumentors.py:19
from opentelemetry.instrumentation.instrumentor import BaseInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #6cdd4d706eaebe4e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/instrumentors.py:20
from opentelemetry.instrumentation.logging import LoggingInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #114614a1a18a574d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/instrumentors.py:21
from opentelemetry.instrumentation.redis import RedisInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a41262cf50c17c30 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/instrumentors.py:22
from opentelemetry.instrumentation.requests import RequestsInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #9447911c06699dd7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/instrumentors.py:23
from opentelemetry.instrumentation.sqlalchemy import SQLAlchemyInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #d09b3776ce124d09 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/instrumentors.py:24
from opentelemetry.instrumentation.system_metrics import SystemMetricsInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a9f7be82d9d66e0c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/instrumentors.py:25
from opentelemetry.trace import Span, StatusCode

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b9f629b0593ab581 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/logs.py:12
from opentelemetry._logs import set_logger_provider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #1731c8915514dfc0 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/logs.py:13
from opentelemetry.exporter.otlp.proto.grpc._log_exporter import OTLPLogExporter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #b4971abf30c7fdda Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/logs.py:14
from opentelemetry.exporter.otlp.proto.http._log_exporter import (
    OTLPLogExporter as HttpOTLPLogExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #65ac96bba2d595b7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/logs.py:17
from opentelemetry.sdk._logs import (
    LoggerProvider,
    LoggingHandler,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #efd1ccc1ed78128e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/logs.py:21
from opentelemetry.sdk._logs.export import BatchLogRecordProcessor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #a4d84a9e80482a85 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/logs.py:22
from opentelemetry.sdk.resources import SERVICE_NAME, Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #cb2be3cfb7333947 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/metrics.py:37
from opentelemetry import metrics

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #260c8f89dfe85bf1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/metrics.py:38
from opentelemetry.exporter.otlp.proto.grpc.metric_exporter import (
    OTLPMetricExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #e9c804d968abdaec Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/metrics.py:41
from opentelemetry.exporter.otlp.proto.http.metric_exporter import (
    OTLPMetricExporter as OTLPHttpMetricExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #cdfc5cee81d04e32 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/metrics.py:44
from opentelemetry.sdk.metrics import MeterProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #8fef32d25da6162e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/metrics.py:45
from opentelemetry.sdk.metrics.export import (
    PeriodicExportingMetricReader,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #240d97ee3785058f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/metrics.py:48
from opentelemetry.sdk.metrics.view import View

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7f096d3969aa4714 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/metrics.py:49
from opentelemetry.sdk.resources import Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7b85ae5efac38004 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/setup.py:16
from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #526c1ef042f79dc4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/setup.py:17
from opentelemetry.exporter.otlp.proto.grpc.trace_exporter import OTLPSpanExporter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #7c7cab1295fbd2ca Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/setup.py:18
from opentelemetry.exporter.otlp.proto.http.trace_exporter import (
    OTLPSpanExporter as HttpOTLPSpanExporter,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #ec026d8cca3d4629 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/setup.py:21
from opentelemetry.sdk.resources import SERVICE_NAME, Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #efff5f43f51a40c9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/setup.py:22
from opentelemetry.sdk.trace import TracerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry production #562569bfdf2f875c Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
repo/backend/open_webui/utils/telemetry/setup.py:23
from opentelemetry.sdk.trace.export import BatchSpanProcessor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

</> Dependencies

transformers

python dependency
high pii_flow dependency Excluded from app score #a65f16e7b0f6595a User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:2493 · flow /tmp/closeopen-cqchdknf/pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:2466 → /tmp/closeopen-cqchdknf/pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:2493
            req = urllib.request.Request(url, data=data, headers=headers, method="POST")

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #d802894c2cd8b7a6 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:2494 · flow /tmp/closeopen-cqchdknf/pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:2466 → /tmp/closeopen-cqchdknf/pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:2494
            with urllib.request.urlopen(req, timeout=5, context=self._get_ssl_context()) as resp:

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #366e1e032eb75022 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/transformers/utils/hub.py:163 · flow /tmp/closeopen-cqchdknf/pkgs/python/[email protected]/src/transformers/utils/hub.py:163 → /tmp/closeopen-cqchdknf/pkgs/python/[email protected]/src/transformers/utils/hub.py:163
        instance_data = httpx.get(os.environ["ECS_CONTAINER_METADATA_URI"]).json()

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium telemetry dependency Excluded from app score #274b9aba92ef46e7 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/transformers/utils/metrics.py:24
    from opentelemetry import metrics

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #95bdd26ba67bdc0b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/transformers/utils/metrics.py:25
    from opentelemetry.trace import Status, StatusCode, get_tracer

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 374 low-confidence finding(s)
low env_fs dependency Excluded from app score #0c7612c36315ecae Filesystem access.
pkgs/python/[email protected]/setup.py:310
        with open(target, "w", encoding="utf-8", newline="\n") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b9c0997a6a33f6cf Filesystem access.
pkgs/python/[email protected]/setup.py:330
        long_description=open("README.md", "r", encoding="utf-8").read(),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4274c6e2e6d5f039 Filesystem access.
pkgs/python/[email protected]/src/transformers/audio_utils.py:182
            with open(audio, "rb") as audio_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #558d690bc07fceab Filesystem access.
pkgs/python/[email protected]/src/transformers/cli/add_new_model_like.py:168
    with open(file_name, "r", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #afcfb7dbe6511d0d Filesystem access.
pkgs/python/[email protected]/src/transformers/cli/add_new_model_like.py:174
    with open(file_name, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5574845930eda289 Filesystem access.
pkgs/python/[email protected]/src/transformers/cli/add_new_model_like.py:230
            file = (repo_path / "src" / "transformers" / "models" / "auto" / filename).read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cbfd3c096243e02a Filesystem access.
pkgs/python/[email protected]/src/transformers/cli/add_new_model_like.py:316
    with open(toc_file, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #248ffaf6e48f5c61 Filesystem access.
pkgs/python/[email protected]/src/transformers/cli/add_new_model_like.py:372
    with open(module_name, "r", encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7aaea419b1a80765 Filesystem access.
pkgs/python/[email protected]/src/transformers/cli/add_new_model_like.py:497
            with open(original_test_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3323978445b5e22f Filesystem access.
pkgs/python/[email protected]/src/transformers/cli/add_new_model_like.py:547
    with open(new_module_folder / f"modular_{new_lowercase_name}.py", "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9691ce463402b03d Filesystem access.
pkgs/python/[email protected]/src/transformers/cli/add_new_model_like.py:552
    with open(new_module_folder / "__init__.py", "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dc37320dfc1fdd84 Filesystem access.
pkgs/python/[email protected]/src/transformers/cli/add_new_model_like.py:569
    with open(tests_folder / "__init__.py", "w"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e34b889726b7fb90 Filesystem access.
pkgs/python/[email protected]/src/transformers/cli/add_new_model_like.py:573
        with open(tests_folder / filename, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #057e0796b86d0cec Filesystem access.
pkgs/python/[email protected]/src/transformers/cli/add_new_model_like.py:578
    with open(repo_path / "docs" / "source" / "en" / "model_doc" / f"{new_lowercase_name}.md", "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f2fc4ff67f28146a Filesystem access.
pkgs/python/[email protected]/src/transformers/cli/chat.py:361
            with open(examples_path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #938721bec315ed89 Filesystem access.
pkgs/python/[email protected]/src/transformers/cli/chat.py:657
    with open(filename, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #322941c5ff94cde5 Filesystem access.
pkgs/python/[email protected]/src/transformers/configuration_utils.py:870
        with open(json_file, encoding="utf-8") as reader:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d06fe1d44ec28c95 Filesystem access.
pkgs/python/[email protected]/src/transformers/configuration_utils.py:1071
        with open(json_file_path, "w", encoding="utf-8") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8402e4828549386e Filesystem access.
pkgs/python/[email protected]/src/transformers/convert_slow_tokenizer.py:159
        with open(model, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #458efcef22e7c5df Filesystem access.
pkgs/python/[email protected]/src/transformers/convert_slow_tokenizer.py:706
        with open(self.original_tokenizer.vocab_file, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #16f71e11f4089b28 Filesystem access.
pkgs/python/[email protected]/src/transformers/convert_slow_tokenizer.py:1708
        with open(vocab_file, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #195037c1de387af1 Filesystem access.
pkgs/python/[email protected]/src/transformers/convert_slow_tokenizer.py:1748
        with open(vocab_file, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #04d7f6030c33a21b Filesystem access.
pkgs/python/[email protected]/src/transformers/convert_slow_tokenizer.py:1838
        with open(vocab_file, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb0a7e8421f4d3f0 Filesystem access.
pkgs/python/[email protected]/src/transformers/convert_slow_tokenizer.py:1998
        with open(self.vocab_file, "r", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8056ecf6141dac4a Filesystem access.
pkgs/python/[email protected]/src/transformers/data/metrics/squad_metrics.py:576
        with open(output_prediction_file, "w") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #34ea4bd5f0ea0ce9 Filesystem access.
pkgs/python/[email protected]/src/transformers/data/metrics/squad_metrics.py:580
        with open(output_nbest_file, "w") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c71a3d27564bdff5 Filesystem access.
pkgs/python/[email protected]/src/transformers/data/metrics/squad_metrics.py:584
        with open(output_null_log_odds_file, "w") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #77b3571df0c47948 Filesystem access.
pkgs/python/[email protected]/src/transformers/data/metrics/squad_metrics.py:769
    with open(output_prediction_file, "w") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #200a5f969d813925 Filesystem access.
pkgs/python/[email protected]/src/transformers/data/metrics/squad_metrics.py:772
    with open(output_nbest_file, "w") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #75a9c6a463818165 Filesystem access.
pkgs/python/[email protected]/src/transformers/data/metrics/squad_metrics.py:776
        with open(output_null_log_odds_file, "w") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #918d66f3e88ddaae Filesystem access.
pkgs/python/[email protected]/src/transformers/data/processors/squad.py:515
        with open(
            os.path.join(data_dir, self.train_file if filename is None else filename), "r", encoding="utf-8"
        ) as reader:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #64fc82a842adedcb Filesystem access.
pkgs/python/[email protected]/src/transformers/data/processors/squad.py:536
        with open(
            os.path.join(data_dir, self.dev_file if filename is None else filename), "r", encoding="utf-8"
        ) as reader:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f74a9d6b2cac1846 Filesystem access.
pkgs/python/[email protected]/src/transformers/data/processors/utils.py:119
        with open(input_file, "r", encoding="utf-8-sig") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #31b79a69ee772e8c Filesystem access.
pkgs/python/[email protected]/src/transformers/distributed/configuration_utils.py:62
        with open(json_file_path, "w", encoding="utf-8") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f74ed5c312bf2a60 Filesystem access.
pkgs/python/[email protected]/src/transformers/dynamic_module_utils.py:133
    with open(module_file, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3a60928bbffb81f2 Filesystem access.
pkgs/python/[email protected]/src/transformers/dynamic_module_utils.py:186
    with open(filename, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4df8b2fd0798c08d Filesystem access.
pkgs/python/[email protected]/src/transformers/dynamic_module_utils.py:298
        module_hash: str = hashlib.sha256(b"".join(bytes(f) + f.read_bytes() for f in module_files)).hexdigest()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #da258d797fa6ca29 Filesystem access.
pkgs/python/[email protected]/src/transformers/dynamic_module_utils.py:773
        with open(requirements, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0e12d41bf52436b7 Filesystem access.
pkgs/python/[email protected]/src/transformers/feature_extraction_utils.py:611
        with open(json_file, encoding="utf-8") as reader:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a8a7cd475d3480be Filesystem access.
pkgs/python/[email protected]/src/transformers/feature_extraction_utils.py:639
        with open(json_file_path, "w", encoding="utf-8") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ecdc24652445b656 Filesystem access.
pkgs/python/[email protected]/src/transformers/generation/configuration_utils.py:995
        with open(json_file, "r", encoding="utf-8") as reader:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #71faa7f9da1e8cf5 Filesystem access.
pkgs/python/[email protected]/src/transformers/generation/configuration_utils.py:1156
        with open(json_file_path, "w", encoding="utf-8") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d28bde982086ba10 Filesystem access.
pkgs/python/[email protected]/src/transformers/generation/configuration_utils.py:1276
        with open(json_file_path, "w", encoding="utf-8") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #849e9f7594d38b39 Environment-variable access.
pkgs/python/[email protected]/src/transformers/generation/utils.py:2041
            os.environ["TOKENIZERS_PARALLELISM"] = "0"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4b3325ed153d900f Filesystem access.
pkgs/python/[email protected]/src/transformers/hf_argparser.py:333
                    file_args += args_file.read_text().split()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f3a811cbcc5652fb Filesystem access.
pkgs/python/[email protected]/src/transformers/hf_argparser.py:403
        with open(Path(json_file), encoding="utf-8") as open_json_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a86dc96379d2e542 Filesystem access.
pkgs/python/[email protected]/src/transformers/hf_argparser.py:425
        outputs = self.parse_dict(yaml.safe_load(Path(yaml_file).read_text()), allow_extra_keys=allow_extra_keys)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e479b3c81ec84d70 Filesystem access.
pkgs/python/[email protected]/src/transformers/image_processing_base.py:417
        with open(json_file, encoding="utf-8") as reader:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #593b9b8e1d207641 Filesystem access.
pkgs/python/[email protected]/src/transformers/image_processing_base.py:445
        with open(json_file_path, "w", encoding="utf-8") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ebe687c65aca2855 Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/accelerate.py:114
                local_rank = int(os.environ.get("LOCAL_RANK", 0))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f6b10b0d1288e026 Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/fsdp.py:51
            and strtobool(os.environ.get("ACCELERATE_USE_FSDP", "False")) == 1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #793ab721f463688a Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/fsdp.py:52
            and strtobool(os.environ.get("FSDP_CPU_RAM_EFFICIENT_LOADING", "False")) == 1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #25e39930c5f6cf09 Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/hub_kernels.py:59
    _TRANSFORMERS_USE_HUB_KERNELS = os.environ.get("USE_HUB_KERNELS", "YES").upper()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1b60b113ed3cb589 Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:39
if os.getenv("WANDB_MODE") == "offline":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #494e1f583d296674 Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:175
    if os.getenv("DISABLE_MLFLOW_INTEGRATION", "FALSE").upper() == "TRUE":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #66c18ca1bf6e41ab Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:211
    if os.getenv("DISABLE_KUBEFLOW_INTEGRATION", "FALSE").upper() == "TRUE":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9ef63adccaead769 Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:213
    return os.getenv("KUBEFLOW_TRAINER_SERVER_URL") is not None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cd9b6f2cae519e3d Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:435
    ray_scope = os.getenv("RAY_SCOPE", "last")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #239691d487850a39 Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:601
        self.logging_dir = os.getenv("TENSORBOARD_LOGGING_DIR", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #53b5a2bfd144d8bd Filesystem access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:663
    with open(f"{output_dir}/model_architecture.txt", "w+") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #39145361ac335f71 Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:708
        self._log_model = WandbLogModel(os.getenv("WANDB_LOG_MODEL", "false"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #570355b6de285fc1 Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:762
                    project=os.getenv("WANDB_PROJECT", "huggingface"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3b8360429639b58d Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:774
            _watch_model = os.getenv("WANDB_WATCH", "false")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1b995d9ca8c1c1f8 Filesystem access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:814
                                fa.write(f.read_bytes())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4042548d60f540e6 Filesystem access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:877
                            fa.write(f.read_bytes())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eea37b5ab8c9bbc3 Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:1102
        log_assets = os.getenv("COMET_LOG_ASSETS", "FALSE").upper()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #29b00e3ef70e17a6 Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:1106
            comet_old_mode = os.getenv("COMET_MODE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c724a25f1b988622 Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:1266
        self._log_artifacts = os.getenv("HF_MLFLOW_LOG_ARTIFACTS", "FALSE").upper() in ENV_VARS_TRUE_VALUES

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5f11e96168f432b6 Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:1267
        self._nested_run = os.getenv("MLFLOW_NESTED_RUN", "FALSE").upper() in ENV_VARS_TRUE_VALUES

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ac74236b68fcdb3e Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:1268
        self._tracking_uri = os.getenv("MLFLOW_TRACKING_URI", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #39755e610e294691 Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:1269
        self._experiment_name = os.getenv("MLFLOW_EXPERIMENT_NAME", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #08ffad5e637cb044 Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:1270
        self._flatten_params = os.getenv("MLFLOW_FLATTEN_PARAMS", "FALSE").upper() in ENV_VARS_TRUE_VALUES

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f8d0fd174e14849d Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:1271
        self._run_id = os.getenv("MLFLOW_RUN_ID", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #454e37ecac1cdefa Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:1272
        self._max_log_params = os.getenv("MLFLOW_MAX_LOG_PARAMS", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b3da65dc7e5bbfe7 Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:1335
            mlflow_tags = os.getenv("MLFLOW_TAGS", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e8ec7a3adfe4cf1b Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:1419
        self.log_artifacts = os.getenv("HF_DAGSHUB_LOG_ARTIFACTS", "FALSE").upper() in ENV_VARS_TRUE_VALUES

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c75becdde673a55c Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:1420
        self.name = os.getenv("HF_DAGSHUB_MODEL_NAME") or "main"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7fd00ae369be6078 Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:1421
        self.remote = os.getenv("MLFLOW_TRACKING_URI")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bf5b4c02f04919cb Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:1425
            branch=os.getenv("BRANCH") or "main",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c05504c540ebabed Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:1840
                    self._log_model = os.getenv(
                        "CLEARML_LOG_MODEL",
                        "FALSE" if not ClearMLCallback._task_created_in_callback else "TRUE",
                    ).upper() in ENV_VARS_TRUE_VALUES.union({"TRUE"})

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2f759a689dfb95af Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:1847
                        project_name=os.getenv("CLEARML_PROJECT", "HuggingFace Transformers"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5e84965ad6ef9be3 Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:1848
                        task_name=os.getenv("CLEARML_TASK", "Trainer"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5a0e61e064381dc5 Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:1852
                    self._log_model = os.getenv("CLEARML_LOG_MODEL", "TRUE").upper() in ENV_VARS_TRUE_VALUES.union(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #df63f014ec5ba9e7 Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:2121
            log_model_env = os.getenv("HF_DVCLIVE_LOG_MODEL", "FALSE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5af2e8ad263c997d Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:2203
        self._log_model = os.getenv("SWANLAB_LOG_MODEL", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #89f6ad0bff163866 Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:2274
            init_args["project"] = os.getenv("SWANLAB_PROJECT", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e6ccfe7913dca6e7 Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:2276
            run_id = os.getenv("SWANLAB_RUN_ID", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b178f4824428bf8f Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:2280
            resume = os.getenv("SWANLAB_RESUME", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f6b5177df0b583b2 Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:2426
        ca_file = os.environ.get(self._ENV_CA_CERT)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aea2b83c3fb18400 Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:2444
        token_path = os.environ.get(self._ENV_TOKEN_PATH)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ff957b1141223d65 Filesystem access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:2450
            with open(token_path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #18dd9dc4a2139ba7 Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/integration_utils.py:2466
            url = os.environ.get(self._ENV_SERVER_URL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3bf5791b4a7e6b35 Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/mxfp4.py:440
        rank = int(os.environ.get("LOCAL_RANK", "0"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9384c7634fc23603 Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/npu_flash_attention.py:30
SPARSE_MODE = int(os.getenv("NPU_FA2_SPARSE_MODE", default=DOWN_RIGHT_ALIGNED_CAUSAL_MASK_MODE))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1fe38edadc5b8171 Filesystem access.
pkgs/python/[email protected]/src/transformers/integrations/peft.py:1009
        with open(_adapter_model_path, "r", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #06de75fb32e00b35 Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/tensor_parallel.py:62
                rank = int(os.environ["RANK"])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c92b75a772873ff7 Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/tensor_parallel.py:63
                local_rank = int(os.environ["LOCAL_RANK"])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #51f5b9306e481f3e Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/tensor_parallel.py:64
                world_size = int(os.environ["WORLD_SIZE"])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #218675e4ab6460c6 Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/tensor_parallel.py:81
            current_device.set_device(int(os.environ["LOCAL_RANK"]))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fced2e1342a422ff Environment-variable access.
pkgs/python/[email protected]/src/transformers/integrations/tensor_parallel.py:100
        device_map = torch.device(f"{device_mesh.device_type}:{int(os.environ['LOCAL_RANK'])}")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a14ac437401b4fdb Filesystem access.
pkgs/python/[email protected]/src/transformers/model_debugging_utils.py:243
    with open(full_path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f3d358e8eae20418 Filesystem access.
pkgs/python/[email protected]/src/transformers/model_debugging_utils.py:266
    with open(summary_path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a264bfe1dec1eebc Environment-variable access.
pkgs/python/[email protected]/src/transformers/modeling_flash_attention_utils.py:636
            deterministic if deterministic is not None else os.getenv("FLASH_ATTENTION_DETERMINISTIC", "0") == "1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4528a303d7620e1f Environment-variable access.
pkgs/python/[email protected]/src/transformers/modeling_utils.py:153
XLA_USE_BF16 = os.environ.get("XLA_USE_BF16", "0").upper()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b50606fa47961126 Environment-variable access.
pkgs/python/[email protected]/src/transformers/modeling_utils.py:154
XLA_DOWNCAST_BF16 = os.environ.get("XLA_DOWNCAST_BF16", "0").upper()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a96833c2e301331a Environment-variable access.
pkgs/python/[email protected]/src/transformers/modeling_utils.py:191
        and int(os.environ.get("LOCAL_RANK", "-1")) == 0

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #167f3929c077cf06 Filesystem access.
pkgs/python/[email protected]/src/transformers/modeling_utils.py:1957
        with open(class_file, "r", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ace3a281d4cd3867 Filesystem access.
pkgs/python/[email protected]/src/transformers/modeling_utils.py:1976
        with open(class_file, "r", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #151edd5736082bb4 Filesystem access.
pkgs/python/[email protected]/src/transformers/modeling_utils.py:3430
            with open(save_index_file, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a42c75b030398975 Environment-variable access.
pkgs/python/[email protected]/src/transformers/modeling_utils.py:3975
        if device_map == "auto" and int(os.environ.get("WORLD_SIZE", "0")):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b58d571ee28ff33b Filesystem access.
pkgs/python/[email protected]/src/transformers/models/auto/auto_factory.py:304
                with open(maybe_adapter_path, "r", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1a890bb30ac2f10a Filesystem access.
pkgs/python/[email protected]/src/transformers/models/auto/processing_auto.py:375
                with open(tokenizer_config_file, encoding="utf-8") as reader:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d94700f9cf110ddf Filesystem access.
pkgs/python/[email protected]/src/transformers/models/auto/tokenization_auto.py:391
    with open(vocab_file, "r", encoding="utf-8") as reader:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c50a59473db179bd Filesystem access.
pkgs/python/[email protected]/src/transformers/models/auto/tokenization_auto.py:398
    with open(merges_file, "r", encoding="utf-8") as reader:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f06fd647d7abe9da Filesystem access.
pkgs/python/[email protected]/src/transformers/models/auto/tokenization_auto.py:550
    with open(resolved_config_file, encoding="utf-8") as reader:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cbf2550825340e3b Filesystem access.
pkgs/python/[email protected]/src/transformers/models/bark/processing_bark.py:101
                with open(speaker_embeddings_path) as speaker_embeddings_json:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dcbf2f74462e145c Filesystem access.
pkgs/python/[email protected]/src/transformers/models/bark/processing_bark.py:164
            with open(os.path.join(save_directory, speaker_embeddings_dict_path), "w") as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #956cd66716cd6ef3 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/bartpho/tokenization_bartpho.py:133
        with open(monolingual_vocab_file, "r", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #43324d13285a9ab3 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/bartpho/tokenization_bartpho.py:306
            with open(out_vocab_file, "wb") as fi:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dbd9becdc934f999 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/bartpho/tokenization_bartpho.py:315
            with open(out_monolingual_vocab_file, "w", encoding="utf-8") as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eb543c0037a43e83 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/bert/tokenization_bert.py:33
    with open(vocab_file, "r", encoding="utf-8") as reader:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #218e2f11fabba110 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/bert/tokenization_bert_legacy.py:32
    with open(vocab_file, "r", encoding="utf-8") as reader:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f027b8ff73ee7226 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/bert/tokenization_bert_legacy.py:245
        with open(vocab_file, "w", encoding="utf-8") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #81d0b257c1595f93 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/bert_japanese/tokenization_bert_japanese.py:41
    with open(vocab_file, "r", encoding="utf-8") as reader:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #50809ffb6c309423 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/bert_japanese/tokenization_bert_japanese.py:278
            with open(vocab_file, "wb") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9f4856c31b0de667 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/bert_japanese/tokenization_bert_japanese.py:282
            with open(vocab_file, "w", encoding="utf-8") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a7877501cdbd1a43 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/bertweet/tokenization_bertweet.py:142
        with open(merges_file, encoding="utf-8") as merges_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #036665b3152ed3f6 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/bertweet/tokenization_bertweet.py:316
        with open(vocab_file, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7c8a5eb9cf492984 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/bertweet/tokenization_bertweet.py:324
        with open(merge_file, "w", encoding="utf-8") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c187f00eb1a2d3b1 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/bertweet/tokenization_bertweet.py:338
                with open(f, "r", encoding="utf-8") as fd:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #05c7a0f839b92e3d Filesystem access.
pkgs/python/[email protected]/src/transformers/models/biogpt/tokenization_biogpt.py:116
        with open(vocab_file, encoding="utf-8") as vocab_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c2a05ec9f2ca4dc8 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/biogpt/tokenization_biogpt.py:119
        with open(merges_file, encoding="utf-8") as merges_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2a02f837db2736c8 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/biogpt/tokenization_biogpt.py:293
        with open(vocab_file, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a52b2e78bbf22ff4 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/biogpt/tokenization_biogpt.py:297
        with open(merge_file, "w", encoding="utf-8") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #854c4b6ecbd09649 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/blenderbot_small/tokenization_blenderbot_small.py:89
        with open(vocab_file, encoding="utf-8") as vocab_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7ed2267fb209725d Filesystem access.
pkgs/python/[email protected]/src/transformers/models/blenderbot_small/tokenization_blenderbot_small.py:92
        with open(merges_file, encoding="utf-8") as merges_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fecefe5381418780 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/blenderbot_small/tokenization_blenderbot_small.py:203
        with open(vocab_file, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c5549abc85dce427 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/blenderbot_small/tokenization_blenderbot_small.py:207
        with open(merge_file, "w", encoding="utf-8") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e976845c480c9308 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/clvp/tokenization_clvp.py:149
        with open(vocab_file, encoding="utf-8") as vocab_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f7bde41a08ff61e1 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/clvp/tokenization_clvp.py:155
        with open(merges_file, encoding="utf-8") as merges_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d7d2b00c5ff32e38 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/cpm/tokenization_cpm.py:324
            with open(out_vocab_file, "wb") as fi:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #43e3b0730b69764d Filesystem access.
pkgs/python/[email protected]/src/transformers/models/cpmant/tokenization_cpmant.py:37
    with open(vocab_file, "r", encoding="utf-8") as reader:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #267fc7e966b2c87d Filesystem access.
pkgs/python/[email protected]/src/transformers/models/cpmant/tokenization_cpmant.py:219
        with open(vocab_file, "w", encoding="utf-8") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #336ee64569683d30 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/ctrl/tokenization_ctrl.py:128
        with open(vocab_file, encoding="utf-8") as vocab_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f687c09c7f79709c Filesystem access.
pkgs/python/[email protected]/src/transformers/models/ctrl/tokenization_ctrl.py:131
        with open(merges_file, encoding="utf-8") as merges_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4611909249ce8a5e Filesystem access.
pkgs/python/[email protected]/src/transformers/models/esm/openfold_utils/residue_constants.py:417
    stereo_chemical_props = resources.read_text("openfold.resources", "stereo_chemical_props.txt")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #361ce8fc93838a4d Filesystem access.
pkgs/python/[email protected]/src/transformers/models/esm/tokenization_esm.py:28
    with open(vocab_file, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #21c7923288ff378c Filesystem access.
pkgs/python/[email protected]/src/transformers/models/esm/tokenization_esm.py:136
        with open(vocab_file, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #54785bbdca687bac Filesystem access.
pkgs/python/[email protected]/src/transformers/models/fastspeech2_conformer/tokenization_fastspeech2_conformer.py:65
        with open(vocab_file, encoding="utf-8") as vocab_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9836d0a788a6ea0e Filesystem access.
pkgs/python/[email protected]/src/transformers/models/fastspeech2_conformer/tokenization_fastspeech2_conformer.py:163
        with open(vocab_file, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ff803c69104146b5 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/flaubert/tokenization_flaubert.py:237
        with open(vocab_file, encoding="utf-8") as vocab_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e7e3b0bd5094d53e Filesystem access.
pkgs/python/[email protected]/src/transformers/models/flaubert/tokenization_flaubert.py:240
        with open(merges_file, encoding="utf-8") as merges_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f98dc6953e1e532e Filesystem access.
pkgs/python/[email protected]/src/transformers/models/flaubert/tokenization_flaubert.py:498
        with open(vocab_file, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a218063d12c3f7ec Filesystem access.
pkgs/python/[email protected]/src/transformers/models/flaubert/tokenization_flaubert.py:502
        with open(merge_file, "w", encoding="utf-8") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #12e808882f60291e Filesystem access.
pkgs/python/[email protected]/src/transformers/models/fsmt/tokenization_fsmt.py:204
        with open(src_vocab_file, encoding="utf-8") as src_vocab_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #da77a09db1b73523 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/fsmt/tokenization_fsmt.py:206
        with open(tgt_vocab_file, encoding="utf-8") as tgt_vocab_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #73d0a161af6f0583 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/fsmt/tokenization_fsmt.py:209
        with open(merges_file, encoding="utf-8") as merges_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5f7a2d12aad395e4 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/fsmt/tokenization_fsmt.py:446
        with open(src_vocab_file, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f102edcfa7cd867 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/fsmt/tokenization_fsmt.py:449
        with open(tgt_vocab_file, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4f27cb1dcfff2180 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/fsmt/tokenization_fsmt.py:454
        with open(merges_file, "w", encoding="utf-8") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d4296ead70076e0b Filesystem access.
pkgs/python/[email protected]/src/transformers/models/gpt_neox_japanese/tokenization_gpt_neox_japanese.py:35
    with open(emoji_file, "r", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1c79d99dc09327ae Filesystem access.
pkgs/python/[email protected]/src/transformers/models/gpt_neox_japanese/tokenization_gpt_neox_japanese.py:41
    with open(vocab_file, "r", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e9bd9d1f6974b7d8 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/gpt_neox_japanese/tokenization_gpt_neox_japanese.py:180
        with open(vocab_file, "w", encoding="utf-8") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3575c1bf8938f70d Filesystem access.
pkgs/python/[email protected]/src/transformers/models/gpt_neox_japanese/tokenization_gpt_neox_japanese.py:190
        with open(emoji_file, "w", encoding="utf-8") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c2474e0c801eb68 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/luke/tokenization_luke.py:287
            with open(entity_vocab_file, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dd8941554751fd62 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/m2m_100/tokenization_m2m_100.py:311
            with open(spm_save_path, "wb") as fi:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b1a36056e4825aea Filesystem access.
pkgs/python/[email protected]/src/transformers/models/m2m_100/tokenization_m2m_100.py:375
    with open(path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a87b338b6ddd2d11 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/m2m_100/tokenization_m2m_100.py:380
    with open(path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c052295f82fd8e23 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/marian/tokenization_marian.py:352
                with open(spm_save_path, "wb") as fi:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3483c914d734082d Filesystem access.
pkgs/python/[email protected]/src/transformers/models/marian/tokenization_marian.py:416
    with open(path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #08c3a1ecb76fcfe8 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/marian/tokenization_marian.py:421
    with open(path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e26c3c12595e287 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/megatron_gpt2/checkpoint_reshaping_and_interoperability.py:598
        with open(save_index_file, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1c7ef6685aa51848 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/megatron_gpt2/checkpoint_reshaping_and_interoperability.py:651
    with open(tracker_filepath, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #01aeaec2d1ccdcae Filesystem access.
pkgs/python/[email protected]/src/transformers/models/mgp_str/tokenization_mgp_str.py:53
        with open(vocab_file, encoding="utf-8") as vocab_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #605b839fd38a3f9c Filesystem access.
pkgs/python/[email protected]/src/transformers/models/mgp_str/tokenization_mgp_str.py:97
        with open(vocab_file, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ecfee571c68c5279 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/mluke/tokenization_mluke.py:308
            with open(entity_vocab_file, encoding="utf-8") as entity_vocab_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a19e58f87298a280 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/mluke/tokenization_mluke.py:1713
        with open(entity_vocab_file, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f7c91049467646ea Filesystem access.
pkgs/python/[email protected]/src/transformers/models/myt5/tokenization_myt5.py:46
            with open(rewriting_rules, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #61e3cabdf702ef71 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/myt5/tokenization_myt5.py:195
        self.byte_maps = json.load(open(vocab_file, "r"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #82bf585e428929d6 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/myt5/tokenization_myt5.py:373
        with open(vocab_file, "w", encoding="utf-8") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b096cc9f2776e551 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/oneformer/image_processing_oneformer.py:109
    with open(fname, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #69d318a30c9868a2 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/oneformer/image_processing_pil_oneformer.py:240
    with open(fname, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b4d7a7d0fb418f68 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/phobert/tokenization_phobert.py:126
        with open(merges_file, encoding="utf-8") as merges_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bc6eadd23e0b527c Filesystem access.
pkgs/python/[email protected]/src/transformers/models/phobert/tokenization_phobert.py:310
            with open(out_vocab_file, "wb") as fi:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #be6546e86f9a5c5b Filesystem access.
pkgs/python/[email protected]/src/transformers/models/phobert/tokenization_phobert.py:331
                with open(f, "r", encoding="utf-8") as fd:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #72e70f429b6154e5 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/pop2piano/tokenization_pop2piano.py:111
        with open(vocab, "rb") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b840dc7259e9d9bf Filesystem access.
pkgs/python/[email protected]/src/transformers/models/pop2piano/tokenization_pop2piano.py:358
        with open(out_vocab_file, "w") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #74b17b1c168de459 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/prophetnet/tokenization_prophetnet.py:259
    with open(vocab_file, "r", encoding="utf-8") as reader:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ea7d275cba69d5ba Filesystem access.
pkgs/python/[email protected]/src/transformers/models/prophetnet/tokenization_prophetnet.py:438
        with open(vocab_file, "w", encoding="utf-8") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0e36231d34024b96 Environment-variable access.
pkgs/python/[email protected]/src/transformers/models/rag/retrieval_rag.py:134
        if not strtobool(os.environ.get("TRUST_REMOTE_CODE", "False")):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d9c2a1b83e704f48 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/rag/retrieval_rag.py:141
        with open(passages_path, "rb") as passages_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d31d4ed56864280f Environment-variable access.
pkgs/python/[email protected]/src/transformers/models/rag/retrieval_rag.py:150
        if not strtobool(os.environ.get("TRUST_REMOTE_CODE", "False")):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #99b0b6569f8923bf Filesystem access.
pkgs/python/[email protected]/src/transformers/models/rag/retrieval_rag.py:157
        with open(resolved_meta_path, "rb") as metadata_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4824e5928b436d83 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/roc_bert/tokenization_roc_bert.py:52
    with open(vocab_file, "r", encoding="utf-8") as reader:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f22d5db936f6e3fd Filesystem access.
pkgs/python/[email protected]/src/transformers/models/roc_bert/tokenization_roc_bert.py:139
        with open(word_shape_file, "r", encoding="utf8") as in_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5835ab0f9dd02e1c Filesystem access.
pkgs/python/[email protected]/src/transformers/models/roc_bert/tokenization_roc_bert.py:142
        with open(word_pronunciation_file, "r", encoding="utf8") as in_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ac39c0ff51a20d82 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/roc_bert/tokenization_roc_bert.py:1077
        with open(vocab_file, "w", encoding="utf-8") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8959b95888cd0804 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/roc_bert/tokenization_roc_bert.py:1088
        with open(word_shape_file, "w", encoding="utf8") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bce3e30750f8afb2 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/roc_bert/tokenization_roc_bert.py:1091
        with open(word_pronunciation_file, "w", encoding="utf8") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c88dcb966797dcfd Filesystem access.
pkgs/python/[email protected]/src/transformers/models/siglip/tokenization_siglip.py:345
            with open(out_vocab_file, "wb") as fi:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #79d01c2e7087a7d5 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/speech_to_text/tokenization_speech_to_text.py:271
            with open(spm_save_path, "wb") as fi:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3135bbb60d33baa0 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/speech_to_text/tokenization_speech_to_text.py:285
    with open(path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c0d7fdb4cb226b65 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/speech_to_text/tokenization_speech_to_text.py:290
    with open(path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7072b3885b2ccd81 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/splinter/tokenization_splinter.py:33
    with open(vocab_file, "r", encoding="utf-8") as reader:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d1706dc5f9bb76dd Filesystem access.
pkgs/python/[email protected]/src/transformers/models/tapas/tokenization_tapas.py:91
    with open(vocab_file, "r", encoding="utf-8") as reader:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #50871f3eda287642 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/tapas/tokenization_tapas.py:394
        with open(vocab_file, "w", encoding="utf-8") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b08147b411cf5896 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/vits/tokenization_vits.py:83
        with open(vocab_file, encoding="utf-8") as vocab_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #62dc8e50c00ec763 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/vits/tokenization_vits.py:242
        with open(vocab_file, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f57672c3ddbd8bf0 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/wav2vec2/tokenization_wav2vec2.py:154
        with open(vocab_file, encoding="utf-8") as vocab_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cb1775e931deb50a Filesystem access.
pkgs/python/[email protected]/src/transformers/models/wav2vec2/tokenization_wav2vec2.py:647
        with open(vocab_file, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c84de8bd2d762215 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/wav2vec2_phoneme/tokenization_wav2vec2_phoneme.py:129
        with open(vocab_file, encoding="utf-8") as vocab_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #755c3d96208be759 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/wav2vec2_phoneme/tokenization_wav2vec2_phoneme.py:565
        with open(vocab_file, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e572a34d33e0ce08 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/whisper/tokenization_whisper.py:266
            with open(normalizer_file, encoding="utf-8") as vocab_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ce7f63b7900c2f03 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/whisper/tokenization_whisper.py:560
        with open(vocab_file, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5a309b636ff2e04e Filesystem access.
pkgs/python/[email protected]/src/transformers/models/whisper/tokenization_whisper.py:563
        with open(merge_file, "w", encoding="utf-8") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #946247ed67779c7e Filesystem access.
pkgs/python/[email protected]/src/transformers/models/whisper/tokenization_whisper.py:568
            with open(normalizer_file, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bbd45922123eed86 Filesystem access.
pkgs/python/[email protected]/src/transformers/models/xlm/tokenization_xlm.py:244
        with open(vocab_file, encoding="utf-8") as vocab_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #919da6db43b0977d Filesystem access.
pkgs/python/[email protected]/src/transformers/models/xlm/tokenization_xlm.py:247
        with open(merges_file, encoding="utf-8") as merges_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6bec3c2bd792a57f Filesystem access.
pkgs/python/[email protected]/src/transformers/models/xlm/tokenization_xlm.py:541
        with open(vocab_file, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #36960e2253df471b Filesystem access.
pkgs/python/[email protected]/src/transformers/models/xlm/tokenization_xlm.py:545
        with open(merge_file, "w", encoding="utf-8") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b11f79ab0ca28460 Filesystem access.
pkgs/python/[email protected]/src/transformers/pipelines/__init__.py:694
                with open(maybe_adapter_path, "r", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6f8da71fa4f4a5df Filesystem access.
pkgs/python/[email protected]/src/transformers/pipelines/audio_classification.py:174
                with open(inputs, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9affb476cfbf5a6f Filesystem access.
pkgs/python/[email protected]/src/transformers/pipelines/automatic_speech_recognition.py:348
                with open(inputs, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2c727422a1531f8d Filesystem access.
pkgs/python/[email protected]/src/transformers/pipelines/base.py:454
        with open(binary_path, "wb+") as f_output:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #277c7ffce39895cf Filesystem access.
pkgs/python/[email protected]/src/transformers/pipelines/base.py:517
        with open(self.input_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #54cdcb7d6aa9a906 Filesystem access.
pkgs/python/[email protected]/src/transformers/pipelines/base.py:532
        with open(self.output_path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f9832698f22fac70 Filesystem access.
pkgs/python/[email protected]/src/transformers/pipelines/base.py:560
        with open(input_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #12e27f9cc9d7446d Filesystem access.
pkgs/python/[email protected]/src/transformers/pipelines/base.py:577
        with open(self.output_path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6d2e584740658e1b Environment-variable access.
pkgs/python/[email protected]/src/transformers/pipelines/base.py:1181
        if "TOKENIZERS_PARALLELISM" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #467d664fd1a34725 Environment-variable access.
pkgs/python/[email protected]/src/transformers/pipelines/base.py:1183
            os.environ["TOKENIZERS_PARALLELISM"] = "false"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fad2ef8f27b93318 Environment-variable access.
pkgs/python/[email protected]/src/transformers/pipelines/base.py:1301
        if "TOKENIZERS_PARALLELISM" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #92e0a8a6202d62c5 Environment-variable access.
pkgs/python/[email protected]/src/transformers/pipelines/base.py:1303
            os.environ["TOKENIZERS_PARALLELISM"] = "false"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #59fbd312d22d4e50 Filesystem access.
pkgs/python/[email protected]/src/transformers/pipelines/zero_shot_audio_classification.py:111
                with open(audio, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4c494578713f93e7 Filesystem access.
pkgs/python/[email protected]/src/transformers/processing_utils.py:791
        with open(json_file_path, "w", encoding="utf-8") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #95d472f4b9605596 Filesystem access.
pkgs/python/[email protected]/src/transformers/processing_utils.py:871
            with open(output_chat_template_file_jinja, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a70453665eb13fcb Filesystem access.
pkgs/python/[email protected]/src/transformers/processing_utils.py:879
                    with open(output_chat_template_file_jinja, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7bc15df5a86889b7 Filesystem access.
pkgs/python/[email protected]/src/transformers/processing_utils.py:885
                    with open(template_filepath, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e4420a183b2766ce Filesystem access.
pkgs/python/[email protected]/src/transformers/processing_utils.py:1073
            with open(resolved_chat_template_file, encoding="utf-8") as reader:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #62623370de696e8f Filesystem access.
pkgs/python/[email protected]/src/transformers/processing_utils.py:1085
                template_name: open(template_file, "r", encoding="utf-8").read()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #966c016a5204a22c Filesystem access.
pkgs/python/[email protected]/src/transformers/processing_utils.py:1089
                with open(resolved_raw_chat_template_file, "r", encoding="utf-8") as reader:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d324afc8989046eb Filesystem access.
pkgs/python/[email protected]/src/transformers/processing_utils.py:1104
                with open(resolved_processor_file, encoding="utf-8") as reader:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #058c85e81f6d86db Filesystem access.
pkgs/python/[email protected]/src/transformers/processing_utils.py:1130
                reader = open(resolved_audio_tokenizer_file, "r", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b2fb1de799494409 Environment-variable access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:252
        value = os.environ[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a225e7ab423c97b5 Environment-variable access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:268
        value = os.environ[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cc465b12ade69dfc Environment-variable access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:983
    if "TRANSFORMERS_TEST_BACKEND" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c8ba43044819c069 Environment-variable access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:984
        backend = os.environ["TRANSFORMERS_TEST_BACKEND"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #365bf4e1c191c1ca Environment-variable access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:993
    if "TRANSFORMERS_TEST_DEVICE" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #795a1d9ee3c57ccf Environment-variable access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:994
        torch_device = os.environ["TRANSFORMERS_TEST_DEVICE"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8a3556beeac869a9 Environment-variable access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:2043
        env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8d199dc4dcf89973 Environment-variable access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:2165
            for k in list(os.environ.keys()):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4c1483922fb18dd1 Environment-variable access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:2167
                    del os.environ[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dded55c71afdc860 Environment-variable access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:2178
    return mock.patch.dict(os.environ, kwargs)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3e448990c0779946 Environment-variable access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:2193
    env = os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #750a7a755e0ed920 Filesystem access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:2295
        with open(report_files["durations"], "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f0f8e8209a0f2a1e Filesystem access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:2325
    with open(report_files["failures_long"], "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0a6d1dda6b48a344 Filesystem access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:2330
    with open(report_files["failures_short"], "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4cdc27e13cc87a09 Filesystem access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:2335
    with open(report_files["failures_line"], "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6601c6a6cefa3d1c Filesystem access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:2339
    with open(report_files["errors"], "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #659d57f17537b43b Filesystem access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:2343
    with open(report_files["warnings"], "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #df9e425890daab4e Filesystem access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:2357
    with open(report_files["summary_short"], "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d099b390e4392e64 Filesystem access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:2361
    with open(report_files["stats"], "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c7d59d4a8bb372a4 Environment-variable access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:2461
    worker = os.environ.get("PYTEST_XDIST_WORKER", "gw0")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d638520a91d5cce5 Filesystem access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:2508
    with open(file_path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #226066e017af3f52 Environment-variable access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:2729
        timeout = int(os.environ.get("PYTEST_TIMEOUT", "600"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4c1119d957a8eb8b Environment-variable access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:2765
        if os.getenv("_INSIDE_SUB_PROCESS", None) == "1":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fe6b358fd56bf664 Environment-variable access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:2768
            test = " ".join(os.environ.get("PYTEST_CURRENT_TEST").split(" ")[:-1])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #66d8043008834b23 Environment-variable access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:2770
                env = copy.deepcopy(os.environ)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #953259ea0ac78461 Environment-variable access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:2887
    skip_cuda_tests: bool = os.environ.get("SKIP_CUDA_DOCTEST", "0") == "1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #378037f10f6139cc Environment-variable access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:3125
    if "TRANSFORMERS_TEST_DEVICE_SPEC" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #87dfa26ff99fd3cb Environment-variable access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:3126
        device_spec_path = os.environ["TRANSFORMERS_TEST_DEVICE_SPEC"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e677650a47d79547 Environment-variable access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:3149
        if "TRANSFORMERS_TEST_DEVICE" in os.environ and torch_device != device_name:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ba54a5c3e85dedec Environment-variable access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:3348
    force_fullgraph = os.environ.get("TORCH_COMPILE_FORCE_FULLGRAPH", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3b5872f26b3e2a54 Environment-variable access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:3371
    full_test_name = os.environ.get("PYTEST_CURRENT_TEST", "").split(" ")[0]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #36ef0dfff19fbfc5 Filesystem access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:3451
    with open(actual_test_file) as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ad34947074778c40 Filesystem access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:3457
    with open(caller_path) as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #824902874d77fee2 Environment-variable access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:3545
    p = os.path.join(os.environ.get("_PATCHED_TESTING_METHODS_OUTPUT_DIR", ""), "captured_info.txt")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #83366ab1af45e6f7 Filesystem access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:3547
    with open(p, "a") as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #814a1f3c3ead10d1 Environment-variable access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:3664
        if not os.environ.get("PYTEST_CURRENT_TEST", ""):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a1b43fb2529c1d4c Environment-variable access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:3701
            if os.getenv("CI") == "true":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1ab049a82ac79a07 Environment-variable access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:3777
    p = os.path.join(os.environ.get("_PATCHED_TESTING_METHODS_OUTPUT_DIR", ""), "captured_info.txt")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #edb8e0ea6d166b42 Filesystem access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:4131
    with open(file, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8504acc225aae445 Filesystem access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:4136
    with open(file, "r") as fh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4e34739aed62cfb6 Filesystem access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:4372
            with open(path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #be7bdf8b8e75008b Filesystem access.
pkgs/python/[email protected]/src/transformers/testing_utils.py:4381
            with open(new_path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #44e706252695deed Filesystem access.
pkgs/python/[email protected]/src/transformers/tokenization_python.py:1390
        with open(vocab_file, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cc38bc0644cf39a1 Filesystem access.
pkgs/python/[email protected]/src/transformers/tokenization_python.py:1399
        with open(merge_file, "w", encoding="utf-8") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ed059a8a6ad375aa Filesystem access.
pkgs/python/[email protected]/src/transformers/tokenization_utils_base.py:1643
                    with open(resolved_config_file, encoding="utf-8") as reader:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dfd86ad85687ec30 Filesystem access.
pkgs/python/[email protected]/src/transformers/tokenization_utils_base.py:1762
            with open(tokenizer_config_file, encoding="utf-8") as tokenizer_config_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7efa80dffa59e7ae Filesystem access.
pkgs/python/[email protected]/src/transformers/tokenization_utils_base.py:1781
            with open(chat_template_file, encoding="utf-8") as chat_template_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #887f8e4d6a3acc9b Filesystem access.
pkgs/python/[email protected]/src/transformers/tokenization_utils_base.py:1788
            with open(template_file) as chat_template_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9b1e128cc722dd82 Filesystem access.
pkgs/python/[email protected]/src/transformers/tokenization_utils_base.py:1850
                with open(special_tokens_map_file, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #054e40bdda7a3e17 Filesystem access.
pkgs/python/[email protected]/src/transformers/tokenization_utils_base.py:1880
                with open(added_tokens_file, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #66ca6e8acc9b179f Filesystem access.
pkgs/python/[email protected]/src/transformers/tokenization_utils_base.py:1893
                with open(tokenizer_file, encoding="utf-8") as tokenizer_file_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #02de57fb495fa61a Filesystem access.
pkgs/python/[email protected]/src/transformers/tokenization_utils_base.py:2096
        with open(tokenizer_config_file, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a9a8da12d9f81962 Filesystem access.
pkgs/python/[email protected]/src/transformers/tokenization_utils_base.py:2149
            with open(added_tokens_file, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #55dec23bf4de7782 Filesystem access.
pkgs/python/[email protected]/src/transformers/tokenization_utils_base.py:3264
            with open(chat_template_file, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #257eae14011e9c97 Filesystem access.
pkgs/python/[email protected]/src/transformers/tokenization_utils_base.py:3275
                    with open(chat_template_file, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7f6964d43aecb19e Filesystem access.
pkgs/python/[email protected]/src/transformers/tokenization_utils_base.py:3282
                    with open(template_filepath, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aea7bda17d39d6f4 Filesystem access.
pkgs/python/[email protected]/src/transformers/tokenization_utils_base.py:3460
            with open(resolved_vocab_file, "r", encoding="utf-8") as vf:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d7cb64c11640ee13 Filesystem access.
pkgs/python/[email protected]/src/transformers/tokenization_utils_base.py:3486
                with open(resolved_vocab_txt, "r", encoding="utf-8") as vf:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #626807f71062be31 Filesystem access.
pkgs/python/[email protected]/src/transformers/tokenization_utils_base.py:3512
            with open(resolved_merges_file, "r", encoding="utf-8") as mf:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #26ab1e1e836e71bd Filesystem access.
pkgs/python/[email protected]/src/transformers/tokenization_utils_sentencepiece.py:260
            with open(out_vocab_file, "wb") as fi:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #597930b8919d4964 Filesystem access.
pkgs/python/[email protected]/src/transformers/tokenization_utils_tokenizers.py:121
            with open(fast_tokenizer_file, encoding="utf-8") as tokenizer_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ad5ead3bf6039f89 Filesystem access.
pkgs/python/[email protected]/src/transformers/tokenization_utils_tokenizers.py:1313
                with open(_config_file, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #861691c294020215 Environment-variable access.
pkgs/python/[email protected]/src/transformers/trainer.py:2432
                model, device_ids=[int(os.getenv("SMDATAPARALLEL_LOCAL_RANK"))]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3937b011bfd1800a Filesystem access.
pkgs/python/[email protected]/src/transformers/trainer.py:3987
        with open(model_card_filepath, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e7d167aea8a1b7d2 Filesystem access.
pkgs/python/[email protected]/src/transformers/trainer.py:4092
                with open(index_path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #531240a3a69efa3f Filesystem access.
pkgs/python/[email protected]/src/transformers/trainer_callback.py:146
        with open(json_path, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #042263e5a7a6dfee Filesystem access.
pkgs/python/[email protected]/src/transformers/trainer_callback.py:152
        with open(json_path, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f3ecedde64a33460 Filesystem access.
pkgs/python/[email protected]/src/transformers/trainer_jit_checkpoint.py:60
            with open(sentinel_file, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bcc0f994b7caf21d Filesystem access.
pkgs/python/[email protected]/src/transformers/trainer_pt_utils.py:943
    with open(path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #afc5dff673a5b2ae Filesystem access.
pkgs/python/[email protected]/src/transformers/trainer_pt_utils.py:949
            with open(path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5abad5eb8f3fdd1e Filesystem access.
pkgs/python/[email protected]/src/transformers/trainer_pt_utils.py:955
        with open(path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #99a2c9f7e5e08c3a Environment-variable access.
pkgs/python/[email protected]/src/transformers/trainer_utils.py:166
        os.environ["CUDA_LAUNCH_BLOCKING"] = "1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3648325f8fe6331f Environment-variable access.
pkgs/python/[email protected]/src/transformers/trainer_utils.py:167
        os.environ["CUBLAS_WORKSPACE_CONFIG"] = ":16:8"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #64850f2bc768091d Environment-variable access.
pkgs/python/[email protected]/src/transformers/trainer_utils.py:169
        os.environ["ASCEND_LAUNCH_BLOCKING"] = "1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #45dbfb5262346025 Environment-variable access.
pkgs/python/[email protected]/src/transformers/trainer_utils.py:170
        os.environ["HCCL_DETERMINISTIC"] = "1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #365718475c5862e8 Environment-variable access.
pkgs/python/[email protected]/src/transformers/trainer_utils.py:172
        os.environ["FLASH_ATTENTION_DETERMINISTIC"] = "1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #db037743b5105fc7 Filesystem access.
pkgs/python/[email protected]/src/transformers/trainer_utils.py:1092
    with open(load_index, "r", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7becec089f2cec85 Environment-variable access.
pkgs/python/[email protected]/src/transformers/training_args.py:85
    if os.environ.get("TORCHELASTIC_RUN_ID"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bc5aa31af2aad0a3 Environment-variable access.
pkgs/python/[email protected]/src/transformers/training_args.py:1541
        self.mixed_precision = os.environ.get("ACCELERATE_MIXED_PRECISION", "no")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5774f9d182bbf15b Environment-variable access.
pkgs/python/[email protected]/src/transformers/training_args.py:1559
                os.environ["ACCELERATE_DYNAMO_BACKEND"] = self.torch_compile_backend

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f6743b840f3c1172 Environment-variable access.
pkgs/python/[email protected]/src/transformers/training_args.py:1561
                    os.environ["ACCELERATE_DYNAMO_MODE"] = self.torch_compile_mode

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bb86d0a8c72820fd Environment-variable access.
pkgs/python/[email protected]/src/transformers/training_args.py:1633
        elif strtobool(os.environ.get("ACCELERATE_USE_DEEPSPEED", "false")):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8ebb096e8ab25059 Environment-variable access.
pkgs/python/[email protected]/src/transformers/training_args.py:1793
        if self.use_cpu or strtobool(os.environ.get("ACCELERATE_USE_CPU", "False")):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6dd8266ccebc50ff Environment-variable access.
pkgs/python/[email protected]/src/transformers/training_args.py:1817
                os.environ["ACCELERATE_USE_DEEPSPEED"] = "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3b939bf5d18f3156 Environment-variable access.
pkgs/python/[email protected]/src/transformers/training_args.py:1820
                del os.environ["ACCELERATE_USE_DEEPSPEED"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aaceddfa01cadfd0 Environment-variable access.
pkgs/python/[email protected]/src/transformers/training_args.py:1860
                    "cuda:0" if torch.cuda.is_available() else os.environ.get("ACCELERATE_TORCH_DEVICE", "cpu")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5996c2c64c526da9 Filesystem access.
pkgs/python/[email protected]/src/transformers/training_args.py:2701
            with open(self.fsdp_config, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #94f3113faa9c1e2e Environment-variable access.
pkgs/python/[email protected]/src/transformers/training_args.py:2801
            os.environ["FSDP_CPU_RAM_EFFICIENT_LOADING"] = cpu_ram_efficient_loading

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #371c70af0cbb0ee9 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/python/[email protected]/src/transformers/utils/attention_visualizer.py:183
            img = Image.open(io.BytesIO(httpx.get(img, follow_redirects=True).content))

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #6e9004589ae8a199 Filesystem access.
pkgs/python/[email protected]/src/transformers/utils/generic.py:347
        with open(json_file, encoding="utf-8") as reader:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4c1d9be5f197b6c0 Filesystem access.
pkgs/python/[email protected]/src/transformers/utils/generic.py:827
        with open(pretrained_model_path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fa2462edfba005a4 Filesystem access.
pkgs/python/[email protected]/src/transformers/utils/generic.py:833
        with open(os.path.join(pretrained_model_path, "config.json")) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #58b65c84db7ea2c0 Environment-variable access.
pkgs/python/[email protected]/src/transformers/utils/hub.py:92
HF_MODULES_CACHE = os.getenv("HF_MODULES_CACHE", os.path.join(constants.HF_HOME, "modules"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ab0a59afb39a597f Environment-variable access.
pkgs/python/[email protected]/src/transformers/utils/hub.py:163
        instance_data = httpx.get(os.environ["ECS_CONTAINER_METADATA_URI"]).json()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a3114bb242bdcaee Environment-variable access.
pkgs/python/[email protected]/src/transformers/utils/hub.py:170
    sagemaker_params = json.loads(os.getenv("SM_FRAMEWORK_PARAMS", "{}"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f9293298dcb0fa7a Environment-variable access.
pkgs/python/[email protected]/src/transformers/utils/hub.py:172
    training_job_arn = os.getenv("TRAINING_JOB_ARN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3c50ae36159da23e Environment-variable access.
pkgs/python/[email protected]/src/transformers/utils/hub.py:176
        "sm_framework": os.getenv("SM_FRAMEWORK_MODULE", None),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ecd536e3080f8d18 Environment-variable access.
pkgs/python/[email protected]/src/transformers/utils/hub.py:177
        "sm_region": os.getenv("AWS_REGION", None),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #75e6b5de9f9eeacc Environment-variable access.
pkgs/python/[email protected]/src/transformers/utils/hub.py:178
        "sm_number_gpu": os.getenv("SM_NUM_GPUS", "0"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c242d178a7f19181 Environment-variable access.
pkgs/python/[email protected]/src/transformers/utils/hub.py:179
        "sm_number_cpu": os.getenv("SM_NUM_CPUS", "0"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c42b6e5f2540a746 Environment-variable access.
pkgs/python/[email protected]/src/transformers/utils/hub.py:200
    if os.environ.get("TRANSFORMERS_IS_CI", "").upper() in ENV_VARS_TRUE_VALUES:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c6dc818e0d4e4053 Filesystem access.
pkgs/python/[email protected]/src/transformers/utils/hub.py:864
    with open(index_filename) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #32e2571c32179ca9 Environment-variable access.
pkgs/python/[email protected]/src/transformers/utils/import_utils.py:115
    return os.getenv(env_variable, "false").lower() in ("true", "1", "y", "yes", "on")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e6473f0616f73fe6 Environment-variable access.
pkgs/python/[email protected]/src/transformers/utils/import_utils.py:120
    return os.getenv(env_variable, "true").lower() in ("false", "0", "n", "no", "off")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #402246defce47482 Environment-variable access.
pkgs/python/[email protected]/src/transformers/utils/import_utils.py:127
USE_TORCH_XLA = os.environ.get("USE_TORCH_XLA", "1").upper()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a704056d6b2127da Environment-variable access.
pkgs/python/[email protected]/src/transformers/utils/import_utils.py:328
    pytorch_cndev_based_mlu_check_previous_value = os.environ.get("PYTORCH_CNDEV_BASED_MLU_CHECK")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b305ad67fdc77d35 Environment-variable access.
pkgs/python/[email protected]/src/transformers/utils/import_utils.py:330
        os.environ["PYTORCH_CNDEV_BASED_MLU_CHECK"] = str(1)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d7904da757f0f168 Environment-variable access.
pkgs/python/[email protected]/src/transformers/utils/import_utils.py:334
            os.environ["PYTORCH_CNDEV_BASED_MLU_CHECK"] = pytorch_cndev_based_mlu_check_previous_value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c915b80dcb52db54 Environment-variable access.
pkgs/python/[email protected]/src/transformers/utils/import_utils.py:336
            os.environ.pop("PYTORCH_CNDEV_BASED_MLU_CHECK", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bb182b07bcd8de49 Environment-variable access.
pkgs/python/[email protected]/src/transformers/utils/import_utils.py:406
    if os.environ.get("PT_HPU_LAZY_MODE", "1") == "1":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d4d7dfb16ef98530 Environment-variable access.
pkgs/python/[email protected]/src/transformers/utils/import_utils.py:1520
    if os.getenv("TRANSFORMERS_DISABLE_TORCH_CHECK", "0") == "1":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c2a828e46604b060 Environment-variable access.
pkgs/python/[email protected]/src/transformers/utils/import_utils.py:1554
        if "DATABRICKS_RUNTIME_VERSION" in os.environ and os.environ["DATABRICKS_RUNTIME_VERSION"] < "11.0":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a46379d961144e21 Environment-variable access.
pkgs/python/[email protected]/src/transformers/utils/import_utils.py:1566
    sagemaker_params = os.getenv("SM_FRAMEWORK_PARAMS", "{}")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f3812789255863aa Environment-variable access.
pkgs/python/[email protected]/src/transformers/utils/import_utils.py:1580
    smp_options = os.getenv("SM_HP_MP_PARAMETERS", "{}")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fdf48f7c4f0defa2 Environment-variable access.
pkgs/python/[email protected]/src/transformers/utils/import_utils.py:1590
    mpi_options = os.getenv("SM_FRAMEWORK_PARAMS", "{}")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2a4aca2070eeb8e8 Environment-variable access.
pkgs/python/[email protected]/src/transformers/utils/import_utils.py:1603
    return "SAGEMAKER_JOB_NAME" in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6d77d98ef900ceb3 Filesystem access.
pkgs/python/[email protected]/src/transformers/utils/import_utils.py:2713
        with open(os.path.join(module_path, module_name), encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7af1f316dbafa754 Environment-variable access.
pkgs/python/[email protected]/src/transformers/utils/logging.py:64
    env_level_str = os.getenv("TRANSFORMERS_VERBOSITY", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b539b3f0264ab4af Filesystem access.
pkgs/python/[email protected]/src/transformers/utils/logging.py:94
            sys.stderr = open(os.devnull, "w")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #78b76704e60942dc Environment-variable access.
pkgs/python/[email protected]/src/transformers/utils/logging.py:103
        if os.getenv("TRANSFORMERS_VERBOSITY", None) == "detail":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #114382d7535adec2 Environment-variable access.
pkgs/python/[email protected]/src/transformers/utils/logging.py:107
        ci = os.getenv("CI")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #87575a44f8c603d5 Environment-variable access.
pkgs/python/[email protected]/src/transformers/utils/logging.py:315
    no_advisory_warnings = os.getenv("TRANSFORMERS_NO_ADVISORY_WARNINGS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #39b569c15ff0da30 Filesystem access.
pkgs/python/[email protected]/src/transformers/utils/network_logging.py:172
        Path(dump_path).write_text(json.dumps(records), encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #062f54edbe6e8c20 Filesystem access.
pkgs/python/[email protected]/src/transformers/utils/network_logging.py:182
                records = json.loads(Path(record_file).read_text(encoding="utf-8"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #78c5728c6d4ef9f8 Filesystem access.
pkgs/python/[email protected]/src/transformers/utils/network_logging.py:327
        report_path.write_text(json.dumps(self.build_report(), indent=2, sort_keys=True), encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b42a18d60829b599 Environment-variable access.
pkgs/python/[email protected]/src/transformers/utils/network_logging.py:338
    enabled_raw = os.environ.get("NETWORK_DEBUG_REPORT", "").strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #590020be121ff9da Environment-variable access.
pkgs/python/[email protected]/src/transformers/utils/network_logging.py:344
    output_path = os.environ.get("NETWORK_DEBUG_REPORT_PATH", "").strip() or _DEFAULT_REPORT_PATH

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #770c2d800f819341 Environment-variable access.
pkgs/python/[email protected]/src/transformers/utils/notebook.py:128
        if "VSCODE_PID" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6c9d164bd568e5f9 Filesystem access.
pkgs/python/[email protected]/src/transformers/utils/pytest_helpers.py:39
    data = json.loads(p.read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #18d6fdf7dbf09214 Filesystem access.
pkgs/python/[email protected]/src/transformers/utils/quantization_config.py:142
        with open(json_file_path, "w", encoding="utf-8") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #091011b6f9fbd515 Filesystem access.
pkgs/python/[email protected]/src/transformers/video_processing_utils.py:769
        with open(json_file_path, "w", encoding="utf-8") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cd4c4933a377a0e1 Filesystem access.
pkgs/python/[email protected]/src/transformers/video_processing_utils.py:789
        with open(json_file, "r", encoding="utf-8") as reader:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

google-cloud-storage

python dependency
high pii_flow dependency Excluded from app score #28b1cdc858d518f7 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/google/cloud/storage/asyncio/retry/writes_resumption_strategy.py:97 · flow /tmp/closeopen-cqchdknf/pkgs/python/[email protected]/google/cloud/storage/asyncio/retry/writes_resumption_strategy.py:74 → /tmp/closeopen-cqchdknf/pkgs/python/[email protected]/google/cloud/storage/asyncio/retry/writes_resumption_strategy.py:97
            requests.append(request)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

medium telemetry dependency Excluded from app score #ce9684d71e511e82 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/google/cloud/storage/_opentelemetry_tracing.py:45
    from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 18 low-confidence finding(s)
low env_fs dependency Excluded from app score #32eaf5ba3135b22f Environment-variable access.
pkgs/python/[email protected]/google/cloud/_storage_v2/services/storage/client.py:205
            use_client_cert_str = os.getenv(
                "GOOGLE_API_USE_CLIENT_CERTIFICATE", "false"
            ).lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e286188cb7eeea1c Environment-variable access.
pkgs/python/[email protected]/google/cloud/_storage_v2/services/storage/client.py:422
        use_mtls_endpoint = os.getenv("GOOGLE_API_USE_MTLS_ENDPOINT", "auto")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #05c87b449348a61a Environment-variable access.
pkgs/python/[email protected]/google/cloud/_storage_v2/services/storage/client.py:463
        use_mtls_endpoint = os.getenv("GOOGLE_API_USE_MTLS_ENDPOINT", "auto").lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0ffc794696ac6bce Environment-variable access.
pkgs/python/[email protected]/google/cloud/_storage_v2/services/storage/client.py:464
        universe_domain_env = os.getenv("GOOGLE_CLOUD_UNIVERSE_DOMAIN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #749e24e4d7812c25 Environment-variable access.
pkgs/python/[email protected]/google/cloud/storage/_helpers.py:55
_API_VERSION = os.getenv(_API_VERSION_OVERRIDE_ENV_VAR, "v1")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e0b150b3434f5a9 Environment-variable access.
pkgs/python/[email protected]/google/cloud/storage/_helpers.py:84
    return os.environ.get(STORAGE_EMULATOR_ENV_VAR, None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6d0c051ab7e145b2 Environment-variable access.
pkgs/python/[email protected]/google/cloud/storage/_helpers.py:88
    return os.getenv(
        _API_ENDPOINT_OVERRIDE_ENV_VAR, _DEFAULT_SCHEME + _TRUE_DEFAULT_STORAGE_HOST
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #95af09f95935013e Environment-variable access.
pkgs/python/[email protected]/google/cloud/storage/_helpers.py:115
    return os.getenv(
        environment_vars.PROJECT,
        os.getenv(environment_vars.LEGACY_PROJECT),
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #30154d755fc46128 Environment-variable access.
pkgs/python/[email protected]/google/cloud/storage/_helpers.py:117
        os.getenv(environment_vars.LEGACY_PROJECT),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c07c70ddab9e6ade Filesystem access.
pkgs/python/[email protected]/google/cloud/storage/_media/_upload.py:1367
        with open(self._filename, "br") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ec6bc826f1ecb6df Environment-variable access.
pkgs/python/[email protected]/google/cloud/storage/_opentelemetry_tracing.py:33
    val = os.environ.get(name, None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #524305656954990b Filesystem access.
pkgs/python/[email protected]/google/cloud/storage/blob.py:1275
            with open(filename, "wb") as file_obj:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1a3e813e93a96456 Filesystem access.
pkgs/python/[email protected]/google/cloud/storage/blob.py:3046
        with open(filename, "rb") as file_obj:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8af63a62acb10829 Environment-variable access.
pkgs/python/[email protected]/google/cloud/storage/client.py:226
                    os.getenv("GOOGLE_API_USE_CLIENT_CERTIFICATE") == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b24088ed399b4bde Filesystem access.
pkgs/python/[email protected]/google/cloud/storage/transfer_manager.py:902
    with open(filename, "wb") as _:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a58ec8d45845f5bd Filesystem access.
pkgs/python/[email protected]/google/cloud/storage/transfer_manager.py:1243
        self.f = open(filename, "rb+")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5a3e1f2a3c0f4a53 Filesystem access.
pkgs/python/[email protected]/setup.py:94
with open(os.path.join(package_root, "google/cloud/storage/version.py")) as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3905a6fd0f3fe514 Filesystem access.
pkgs/python/[email protected]/setup.py:99
with io.open(readme_filename, encoding="utf-8") as readme_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

openai

python dependency
high pii_flow dependency Excluded from app score #0d98f7685cadf134 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/openai/lib/azure.py:255 · flow /tmp/closeopen-cqchdknf/pkgs/python/[email protected]/src/openai/lib/azure.py:218 → /tmp/closeopen-cqchdknf/pkgs/python/[email protected]/src/openai/lib/azure.py:255
        self._azure_endpoint = httpx.URL(azure_endpoint) if azure_endpoint else None

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

high pii_flow dependency Excluded from app score #acfb3ebfd4296ee6 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/openai/lib/azure.py:536 · flow /tmp/closeopen-cqchdknf/pkgs/python/[email protected]/src/openai/lib/azure.py:499 → /tmp/closeopen-cqchdknf/pkgs/python/[email protected]/src/openai/lib/azure.py:536
        self._azure_endpoint = httpx.URL(azure_endpoint) if azure_endpoint else None

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 58 low-confidence finding(s)
low env_fs tooling Excluded from app score unreachable #4d0771bd2f64578d Filesystem access.
pkgs/python/[email protected]/examples/image_stream.py:30
            with open(filename, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #4163fb4e9223e8d1 Filesystem access.
pkgs/python/[email protected]/examples/image_stream.py:41
            with open(filename, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #7f7fe144b2bceff0 Environment-variable access.
pkgs/python/[email protected]/examples/realtime/azure_realtime.py:31
    endpoint = os.environ["AZURE_OPENAI_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #28e05efd775bddd1 Environment-variable access.
pkgs/python/[email protected]/examples/realtime/azure_realtime.py:37
    deployment_name = os.environ["AZURE_OPENAI_DEPLOYMENT_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #afd4f82584a26280 Filesystem access.
pkgs/python/[email protected]/examples/uploads.py:30
    data = file.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9eab6b3217967d93 Environment-variable access.
pkgs/python/[email protected]/src/openai/__init__.py:144
api_type: _ApiType | None = _t.cast(_ApiType, _os.environ.get("OPENAI_API_TYPE"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d50972346732b1a8 Environment-variable access.
pkgs/python/[email protected]/src/openai/__init__.py:146
api_version: str | None = _os.environ.get("OPENAI_API_VERSION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #05ee1fcf7acc15e1 Environment-variable access.
pkgs/python/[email protected]/src/openai/__init__.py:148
azure_endpoint: str | None = _os.environ.get("AZURE_OPENAI_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #02368ec94070f607 Environment-variable access.
pkgs/python/[email protected]/src/openai/__init__.py:150
azure_ad_token: str | None = _os.environ.get("AZURE_OPENAI_AD_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #feb7282d16103432 Environment-variable access.
pkgs/python/[email protected]/src/openai/__init__.py:283
    return _os.environ.get("OPENAI_API_KEY") is not None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c704183582ccaf48 Environment-variable access.
pkgs/python/[email protected]/src/openai/__init__.py:287
    return azure_endpoint is not None or _os.environ.get("AZURE_OPENAI_API_KEY") is not None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d12b591e24014910 Environment-variable access.
pkgs/python/[email protected]/src/openai/__init__.py:292
        _os.environ.get("AZURE_OPENAI_AD_TOKEN") is not None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6651596ca05799d4 Environment-variable access.
pkgs/python/[email protected]/src/openai/__init__.py:308
            azure_endpoint = _os.environ.get("AZURE_OPENAI_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1910a4f22d194532 Environment-variable access.
pkgs/python/[email protected]/src/openai/__init__.py:311
            azure_ad_token = _os.environ.get("AZURE_OPENAI_AD_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bbd20db0a30d833c Environment-variable access.
pkgs/python/[email protected]/src/openai/__init__.py:314
            api_version = _os.environ.get("OPENAI_API_VERSION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1a8c90e9ba28c38b Environment-variable access.
pkgs/python/[email protected]/src/openai/__init__.py:324
            if (azure_ad_token is not None or azure_ad_token_provider is not None) and _os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #92b8294b2c9f3165 Environment-variable access.
pkgs/python/[email protected]/src/openai/__init__.py:324
            if (azure_ad_token is not None or azure_ad_token_provider is not None) and _os.environ.get(
                "AZURE_OPENAI_API_KEY"
            ) is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fdf36a97335dcfb4 Environment-variable access.
pkgs/python/[email protected]/src/openai/_client.py:137
            api_key = os.environ.get("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0975867b1588c468 Environment-variable access.
pkgs/python/[email protected]/src/openai/_client.py:150
            organization = os.environ.get("OPENAI_ORG_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4e939fc1caf280a3 Environment-variable access.
pkgs/python/[email protected]/src/openai/_client.py:154
            project = os.environ.get("OPENAI_PROJECT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #408b552af40e92b3 Environment-variable access.
pkgs/python/[email protected]/src/openai/_client.py:158
            webhook_secret = os.environ.get("OPENAI_WEBHOOK_SECRET")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #18349d3540532185 Environment-variable access.
pkgs/python/[email protected]/src/openai/_client.py:164
            base_url = os.environ.get("OPENAI_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9788a07105ef5103 Environment-variable access.
pkgs/python/[email protected]/src/openai/_client.py:512
            api_key = os.environ.get("OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c762729a729cbe4a Environment-variable access.
pkgs/python/[email protected]/src/openai/_client.py:525
            organization = os.environ.get("OPENAI_ORG_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b532af485fcf61d7 Environment-variable access.
pkgs/python/[email protected]/src/openai/_client.py:529
            project = os.environ.get("OPENAI_PROJECT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a3a5156015734dc7 Environment-variable access.
pkgs/python/[email protected]/src/openai/_client.py:533
            webhook_secret = os.environ.get("OPENAI_WEBHOOK_SECRET")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2f1c21273b36548a Environment-variable access.
pkgs/python/[email protected]/src/openai/_client.py:539
            base_url = os.environ.get("OPENAI_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e16e460014e6f5e1 Filesystem access.
pkgs/python/[email protected]/src/openai/_files.py:67
            return (path.name, path.read_bytes())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #21bbf12563fc0205 Filesystem access.
pkgs/python/[email protected]/src/openai/_files.py:79
        return pathlib.Path(file).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3ee6fcdc16b9e236 Filesystem access.
pkgs/python/[email protected]/src/openai/_files.py:109
            return (path.name, await path.read_bytes())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f03088b9377f17b7 Filesystem access.
pkgs/python/[email protected]/src/openai/_files.py:121
        return await anyio.Path(file).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a77dc7cf7cdda48a Filesystem access.
pkgs/python/[email protected]/src/openai/_legacy_response.py:441
        with open(file, mode="wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f28e047cb88e5341 Filesystem access.
pkgs/python/[email protected]/src/openai/_legacy_response.py:454
        with open(file, mode="wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a62bd992aaeece85 Environment-variable access.
pkgs/python/[email protected]/src/openai/_models.py:119
            extra="allow", defer_build=coerce_boolean(os.environ.get("DEFER_PYDANTIC_BUILD", "true"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef8e713591c16b69 Filesystem access.
pkgs/python/[email protected]/src/openai/_response.py:513
        with open(file, mode="wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c42ef1e9e2ca493c Filesystem access.
pkgs/python/[email protected]/src/openai/_response.py:555
        with open(file, mode="wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f1bbee98d1874084 Environment-variable access.
pkgs/python/[email protected]/src/openai/_utils/_logs.py:23
    env = os.environ.get("OPENAI_LOG")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c5e2c986e4740079 Filesystem access.
pkgs/python/[email protected]/src/openai/_utils/_transform.py:248
            binary = data.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1d0bec8a77338d0b Filesystem access.
pkgs/python/[email protected]/src/openai/_utils/_transform.py:414
            binary = await anyio.Path(data).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b0627f8b23458a0 Filesystem access.
pkgs/python/[email protected]/src/openai/_utils/_utils.py:371
    contents = Path(path).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d742a96191a0d124 Filesystem access.
pkgs/python/[email protected]/src/openai/cli/_api/audio.py:67
        with open(args.file, "rb") as file_reader:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f0128bd734b01f6 Filesystem access.
pkgs/python/[email protected]/src/openai/cli/_api/audio.py:90
        with open(args.file, "rb") as file_reader:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3ac6353378dfe478 Filesystem access.
pkgs/python/[email protected]/src/openai/cli/_api/files.py:55
        with open(args.file, "rb") as file_reader:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7b5f959d6acc5757 Filesystem access.
pkgs/python/[email protected]/src/openai/cli/_api/image.py:103
        with open(args.image, "rb") as file_reader:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #62ed403217e1745e Filesystem access.
pkgs/python/[email protected]/src/openai/cli/_api/image.py:119
        with open(args.image, "rb") as file_reader:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c2538e3fcf23894d Filesystem access.
pkgs/python/[email protected]/src/openai/cli/_api/image.py:125
            with open(args.mask, "rb") as file_reader:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #86f56919af072148 Environment-variable access.
pkgs/python/[email protected]/src/openai/cli/_tools/migrate.py:68
    xdg = os.environ.get("XDG_CACHE_HOME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #01f12ac606ccdd01 Environment-variable access.
pkgs/python/[email protected]/src/openai/cli/_tools/migrate.py:76
    if not os.environ.get("DEBUG"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #79e23b20d610142a Filesystem access.
pkgs/python/[email protected]/src/openai/cli/_tools/migrate.py:121
        with open(temp_file, "wb") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9537f662ce23d372 Filesystem access.
pkgs/python/[email protected]/src/openai/lib/_validators.py:485
                with open(fname, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #39cbed705e494f01 Environment-variable access.
pkgs/python/[email protected]/src/openai/lib/azure.py:193
            api_key = os.environ.get("AZURE_OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9c402fb73cc9a451 Environment-variable access.
pkgs/python/[email protected]/src/openai/lib/azure.py:196
            azure_ad_token = os.environ.get("AZURE_OPENAI_AD_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3d733e9333149ea1 Environment-variable access.
pkgs/python/[email protected]/src/openai/lib/azure.py:204
            api_version = os.environ.get("OPENAI_API_VERSION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1a8723549b4ced4e Environment-variable access.
pkgs/python/[email protected]/src/openai/lib/azure.py:218
                azure_endpoint = os.environ.get("AZURE_OPENAI_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #51d88f78cc362487 Environment-variable access.
pkgs/python/[email protected]/src/openai/lib/azure.py:474
            api_key = os.environ.get("AZURE_OPENAI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #efbaee7f2baf7118 Environment-variable access.
pkgs/python/[email protected]/src/openai/lib/azure.py:477
            azure_ad_token = os.environ.get("AZURE_OPENAI_AD_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5b837cb6cf992f59 Environment-variable access.
pkgs/python/[email protected]/src/openai/lib/azure.py:485
            api_version = os.environ.get("OPENAI_API_VERSION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6222dfa047ba1257 Environment-variable access.
pkgs/python/[email protected]/src/openai/lib/azure.py:499
                azure_endpoint = os.environ.get("AZURE_OPENAI_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

mcp

python dependency
high pii_flow dependency Excluded from app score #28a4f558bf94c2a1 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration.
pkgs/python/[email protected]/src/mcp/client/auth/oauth2.py:452 · flow /tmp/closeopen-cqchdknf/pkgs/python/[email protected]/src/mcp/client/auth/oauth2.py:433 → /tmp/closeopen-cqchdknf/pkgs/python/[email protected]/src/mcp/client/auth/oauth2.py:452
        return httpx.Request("POST", token_url, data=refresh_data, headers=headers)

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

expand_more 31 low-confidence finding(s)
low env_fs dependency Excluded from app score #9baecc08c6884e3b Environment-variable access.
pkgs/python/[email protected]/.github/actions/conformance/client.py:72
    context_json = os.environ.get("MCP_CONFORMANCE_CONTEXT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9f50a7e90fa071c1 Environment-variable access.
pkgs/python/[email protected]/.github/actions/conformance/client.py:281
    context_json = os.environ.get("MCP_CONFORMANCE_CONTEXT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b577be01e7236f60 Environment-variable access.
pkgs/python/[email protected]/.github/actions/conformance/client.py:349
    scenario = os.environ.get("MCP_CONFORMANCE_SCENARIO")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #418b67909d4d02b1 Environment-variable access.
pkgs/python/[email protected]/examples/clients/conformance-auth-client/mcp_conformance_auth_client/__init__.py:50
    context_json = os.environ.get("MCP_CONFORMANCE_CONTEXT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #2abcfd98e4586adb Environment-variable access.
pkgs/python/[email protected]/examples/clients/simple-auth-client/mcp_simple_auth_client/main.py:343
    server_url = os.getenv("MCP_SERVER_PORT", 8000)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #5db588468fa926cc Environment-variable access.
pkgs/python/[email protected]/examples/clients/simple-auth-client/mcp_simple_auth_client/main.py:344
    transport_type = os.getenv("MCP_TRANSPORT_TYPE", "streamable-http")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #1dd0ad4d0057b989 Environment-variable access.
pkgs/python/[email protected]/examples/clients/simple-auth-client/mcp_simple_auth_client/main.py:345
    client_metadata_url = os.getenv("MCP_CLIENT_METADATA_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #ea36ec7f9fbd682f Environment-variable access.
pkgs/python/[email protected]/examples/clients/simple-chatbot/mcp_simple_chatbot/main.py:24
        self.api_key = os.getenv("LLM_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #9070f432b5f16754 Filesystem access.
pkgs/python/[email protected]/examples/clients/simple-chatbot/mcp_simple_chatbot/main.py:45
        with open(file_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #09d75f04e64d3798 Environment-variable access.
pkgs/python/[email protected]/examples/clients/simple-chatbot/mcp_simple_chatbot/main.py:83
            env={**os.environ, **self.config["env"]} if self.config.get("env") else None,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #1670b21104b59106 Filesystem access.
pkgs/python/[email protected]/examples/fastmcp/icons_demo.py:14
icon_data = base64.standard_b64encode(icon_path.read_bytes()).decode()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #92c33f718963e510 Environment-variable access.
pkgs/python/[email protected]/examples/fastmcp/memory.py:52
PROFILE_DIR = (Path.home() / ".fastmcp" / os.environ.get("USER", "anon") / "memory").resolve()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #2d1bf1f889ddebc9 Environment-variable access.
pkgs/python/[email protected]/examples/snippets/clients/completion_client.py:17
    env={"UV_INDEX": os.environ.get("UV_INDEX", "")},

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #0e279aa367a6dcf6 Environment-variable access.
pkgs/python/[email protected]/examples/snippets/clients/display_utilities.py:17
    env={"UV_INDEX": os.environ.get("UV_INDEX", "")},

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #238f6ba2cf1bfc3d Environment-variable access.
pkgs/python/[email protected]/examples/snippets/clients/stdio_client.py:19
    env={"UV_INDEX": os.environ.get("UV_INDEX", "")},

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #d7bf054d746dcc46 Filesystem access.
pkgs/python/[email protected]/examples/snippets/servers/binary_resources.py:9
    with open("logo.png", "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #e2d7b9a11c176e96 Filesystem access.
pkgs/python/[email protected]/examples/snippets/servers/embedded_resource_results.py:10
    with open(path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #291c0aaaf48e2584 Filesystem access.
pkgs/python/[email protected]/examples/snippets/servers/embedded_resource_results_binary.py:12
    with open(path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #ce5e86d228e955f4 Filesystem access.
pkgs/python/[email protected]/examples/snippets/servers/prompt_embedded_resources.py:11
    file_content = open(filename).read()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #c55138579e50ff6c Filesystem access.
pkgs/python/[email protected]/examples/snippets/servers/tool_errors.py:27
    with open(path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #74398a705ebb7255 Filesystem access.
pkgs/python/[email protected]/scripts/update_doc_snippets.py:53
        code = file.read_text().rstrip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #956d30966f59d912 Filesystem access.
pkgs/python/[email protected]/scripts/update_doc_snippets.py:109
    content = doc_path.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #b33ba4a4b8b24483 Filesystem access.
pkgs/python/[email protected]/scripts/update_doc_snippets.py:134
            doc_path.write_text(updated_content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5c3a1b97c42cea55 Environment-variable access.
pkgs/python/[email protected]/src/mcp/cli/claude.py:24
        path = Path(os.environ.get("XDG_CONFIG_HOME", Path.home() / ".config"), "Claude")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #641d6613ccefcd3f Filesystem access.
pkgs/python/[email protected]/src/mcp/cli/claude.py:77
            config_file.write_text("{}")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #727337a498e842c5 Filesystem access.
pkgs/python/[email protected]/src/mcp/cli/claude.py:88
        config = json.loads(config_file.read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #be5d43e79ea71d3a Filesystem access.
pkgs/python/[email protected]/src/mcp/cli/claude.py:135
        config_file.write_text(json.dumps(config, indent=2))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d1a4d95cb5552cba Environment-variable access.
pkgs/python/[email protected]/src/mcp/cli/cli.py:282
            env=dict(os.environ.items()),  # Convert to list of tuples for env update

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6ed4d883fc9b946c Environment-variable access.
pkgs/python/[email protected]/src/mcp/client/stdio/__init__.py:59
        value = os.environ.get(key)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3601cab9af9415b1 Filesystem access.
pkgs/python/[email protected]/src/mcp/server/fastmcp/utilities/types.py:47
            with open(self.path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8f55d400dd7e4e71 Filesystem access.
pkgs/python/[email protected]/src/mcp/server/fastmcp/utilities/types.py:94
            with open(self.path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

chromadb

python dependency
medium telemetry dependency Excluded from app score #799fd8e0c83aa1a3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/chromadb/execution/executor/distributed.py:22
from opentelemetry.trace import Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #28bfe8049f3a9712 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/chromadb/proto/utils.py:4
from opentelemetry.trace import Span

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #0fa00fb055753898 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/chromadb/server/fastapi/__init__.py:77
from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #c0df8a740afea8fd Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/chromadb/telemetry/opentelemetry/__init__.py:7
from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #f7c1dfad8e33d7c3 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/chromadb/telemetry/opentelemetry/__init__.py:8
from opentelemetry.sdk.resources import SERVICE_NAME, Resource

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #0f4994a87836db5e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/chromadb/telemetry/opentelemetry/__init__.py:9
from opentelemetry.sdk.trace import TracerProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #71ffa94a11f16cdc Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/chromadb/telemetry/opentelemetry/__init__.py:10
from opentelemetry.sdk.trace.export import (
    BatchSpanProcessor,

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #4132a09b4c9b666d Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/chromadb/telemetry/opentelemetry/__init__.py:13
from opentelemetry.exporter.otlp.proto.grpc.trace_exporter import OTLPSpanExporter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #05afa6b1b5f031cb Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/chromadb/telemetry/opentelemetry/fastapi.py:3
from opentelemetry.instrumentation.fastapi import FastAPIInstrumentor

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #4c932dd1ddc6b50f Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/chromadb/telemetry/opentelemetry/grpc.py:5
from opentelemetry.trace import StatusCode, SpanKind

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 54 low-confidence finding(s)
low env_fs dependency Excluded from app score #9e4f21f708b1725a Environment-variable access.
pkgs/python/[email protected]/chromadb/__init__.py:407
            arg.value = arg.value or os.environ.get(arg.env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e2ac2671ab006d85 Environment-variable access.
pkgs/python/[email protected]/chromadb/__init__.py:420
    tenant = tenant or os.environ.get("CHROMA_TENANT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e08283e2560ee5e3 Environment-variable access.
pkgs/python/[email protected]/chromadb/__init__.py:423
    database = database or os.environ.get("CHROMA_DATABASE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fd790266779adb48 Filesystem access.
pkgs/python/[email protected]/chromadb/auth/__init__.py:124
            with open(_creds_file, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1d611991ed54ce1b Filesystem access.
pkgs/python/[email protected]/chromadb/auth/__init__.py:235
            with open(_config_file, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #bd3b056529f2b1df Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/python/[email protected]/chromadb/cli/cli.py:25
        response = requests.get(url)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #65d38cfc97983e46 Filesystem access.
pkgs/python/[email protected]/chromadb/cli/utils.py:12
    with open(f"{log_config_path}", "r") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bdd8e8801e0ea513 Filesystem access.
pkgs/python/[email protected]/chromadb/db/migrations.py:256
    sql = file["path"].read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ac102e753fb0b775 Filesystem access.
pkgs/python/[email protected]/chromadb/segment/impl/vector/local_persistent_hnsw.py:74
        with open(filename, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5e6295a37f3931b5 Filesystem access.
pkgs/python/[email protected]/chromadb/segment/impl/vector/local_persistent_hnsw.py:255
        with open(self._get_metadata_file(), "wb") as metadata_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #879705bbe31863e1 Environment-variable access.
pkgs/python/[email protected]/chromadb/telemetry/opentelemetry/__init__.py:139
                        {"pod_name": os.environ.get("HOSTNAME")}

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f7e94b0078e8a499 Environment-variable access.
pkgs/python/[email protected]/chromadb/telemetry/opentelemetry/__init__.py:155
                        {"pod_name": os.environ.get("HOSTNAME")}

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1b5540e0cfe2c20c Filesystem access.
pkgs/python/[email protected]/chromadb/telemetry/product/__init__.py:88
                with open(self.USER_ID_PATH, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #20705b7a5bd2071e Filesystem access.
pkgs/python/[email protected]/chromadb/telemetry/product/__init__.py:93
                with open(self.USER_ID_PATH, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f50801ffa7b39733 Environment-variable access.
pkgs/python/[email protected]/chromadb/telemetry/product/events.py:20
        self.is_cli = os.environ.get("CHROMA_CLI", "False") == "True"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c0000b3e407d2bc9 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/baseten_embedding_function.py:39
        if os.getenv("BASETEN_API_KEY") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7bae883577bdebce Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/baseten_embedding_function.py:45
        resolved_api_key = api_key or os.getenv(self.api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dec6718ea506684c Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/chroma_cloud_qwen_embedding_function.py:61
        self.api_key = os.getenv(api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9723dbf15f441b98 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/chroma_cloud_splade_embedding_function.py:42
        self.api_key = os.getenv(self.api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b1db0b457a189b5f Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/cloudflare_workers_ai_embedding_function.py:57
        if os.getenv("CLOUDFLARE_API_KEY") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #66d4b16f455204c5 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/cloudflare_workers_ai_embedding_function.py:62
        self.api_key = api_key or os.getenv(self.api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #82da5ee55e736b07 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/cohere_embedding_function.py:46
        if os.getenv("COHERE_API_KEY") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #69e280f38343d8c0 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/cohere_embedding_function.py:51
        self.api_key = api_key or os.getenv(self.api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #682bbaf05cf9885e Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/google_embedding_function.py:57
        self.api_key = os.getenv(self.api_key_env_var) if self.api_key_env_var else None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7e046901e5d81f56 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/google_embedding_function.py:251
        if os.getenv("GOOGLE_API_KEY") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4224ec1def3b3ac3 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/google_embedding_function.py:256
        self.api_key = api_key or os.getenv(self.api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6a071b44adad6bb5 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/google_embedding_function.py:401
        if os.getenv("GOOGLE_API_KEY") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #84b283e3499ccff4 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/google_embedding_function.py:406
        self.api_key = api_key or os.getenv(self.api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #da6d250ed9e59502 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/google_embedding_function.py:529
        if os.getenv("GOOGLE_API_KEY") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5fce220233a5a677 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/google_embedding_function.py:534
        self.api_key = api_key or os.getenv(self.api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a8321aecc0ced738 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/huggingface_embedding_function.py:43
        if os.getenv("HUGGINGFACE_API_KEY") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #61eac91f884d306d Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/huggingface_embedding_function.py:48
        self.api_key = api_key or os.getenv(self.api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9811d95d6bdac565 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/huggingface_embedding_function.py:169
        if os.getenv("HUGGINGFACE_API_KEY") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7dfc0450a2ace763 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/huggingface_embedding_function.py:173
            self.api_key = api_key or os.getenv(self.api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cd4e960486cb7217 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/jina_embedding_function.py:84
        if os.getenv("JINA_API_KEY") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7b84b64e3d563726 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/jina_embedding_function.py:89
        self.api_key = api_key or os.getenv(self.api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8d0dd76fc112894a Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/mistral_embedding_function.py:29
        self.api_key = os.getenv(api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #04e621c7ac0d25fc Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/morph_embedding_function.py:49
        self.api_key = api_key or os.getenv(api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #56e0c1e9797e2a10 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/nomic_embedding_function.py:50
        self.api_key = os.getenv(api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dc69af0a9ff56341 Filesystem access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/onnx_mini_lm_l6_v2.py:24
    with open(fname, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f021398b9b5de8dd Filesystem access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/onnx_mini_lm_l6_v2.py:109
            with open(fname, "wb") as file, self.tqdm(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b15c49e2c2d1ae5c Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/openai_embedding_function.py:60
        if os.getenv("OPENAI_API_KEY") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e092f662a41bf6a7 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/openai_embedding_function.py:65
        self.api_key = api_key or os.getenv(self.api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #306638c6777e379b Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/perplexity_embedding_function.py:52
        if os.getenv("PERPLEXITY_API_KEY") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2a3aed370be28609 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/perplexity_embedding_function.py:57
        self.api_key = api_key or os.getenv(self.api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #432ff760566610a5 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/roboflow_embedding_function.py:48
        if os.getenv("ROBOFLOW_API_KEY") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #402f6bcbe1b5e393 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/roboflow_embedding_function.py:53
        self.api_key = api_key or os.getenv(self.api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a999a1080b041717 Filesystem access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/schemas/registry.py:38
        with open(schema_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eb305ee2def7bdc4 Filesystem access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/schemas/schema_utils.py:36
    with open(schema_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1be806367ec2ce46 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/together_ai_embedding_function.py:52
        if os.getenv("TOGETHER_API_KEY") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b83b708b8f6e5bae Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/together_ai_embedding_function.py:57
        self.api_key = api_key or os.getenv(self.api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a51bd642314af13e Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/utils.py:11
    return (os.environ.get("CHROMA_EMBED_URL") or DEFAULT_CHROMA_EMBED_URL).rstrip("/")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #93a03d112ebf9c98 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/voyageai_embedding_function.py:50
        if os.getenv("VOYAGE_API_KEY") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4362f5b26fbd51c0 Environment-variable access.
pkgs/python/[email protected]/chromadb/utils/embedding_functions/voyageai_embedding_function.py:55
        self.api_key = api_key or os.getenv(self.api_key_env_var)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

redis

python dependency
medium telemetry dependency Excluded from app score #e02861f291197b7e Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/redis/asyncio/observability/recorder.py:247
        from opentelemetry.metrics import Observation

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #1abd03eb90afd1d4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/redis/observability/metrics.py:37
    from opentelemetry.metrics import Meter

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #a053b0761d0169d4 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/redis/observability/providers.py:32
    from opentelemetry.sdk.metrics import MeterProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #2d5de6c3faa03917 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/redis/observability/providers.py:76
            from opentelemetry import metrics

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #0f52337e83d37624 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/redis/observability/providers.py:77
            from opentelemetry.metrics import NoOpMeterProvider

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #515090183116efc1 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/redis/observability/recorder.py:242
        from opentelemetry.metrics import Observation

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #4148bcc5e16b6e8b Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/redis/observability/recorder.py:727
    from opentelemetry.metrics import Observation

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #8e790c909e0cf6bf Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/redis/observability/registry.py:8
        from opentelemetry.metrics import Observation

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #8478fa64be556245 Filesystem access.
pkgs/python/[email protected]/redis/commands/json/__init__.py:303
            with open(fp) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aefc8faa29e70da4 Filesystem access.
pkgs/python/[email protected]/redis/commands/json/commands.py:650
        with open(file_name) as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

accelerate

python dependency
medium telemetry dependency Excluded from app score #871bcddc639ad4e9 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/accelerate/tracking.py:654
            self.writer.track(value, name=key, step=step, **kwargs)

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

medium telemetry dependency Excluded from app score #af1f2969762e0781 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/src/accelerate/tracking.py:686
            self.writer.track(aim_image, name=key, step=step, **track_kw)

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 225 low-confidence finding(s)
low env_fs dependency Excluded from app score #14ff7ade0ca4f62d Filesystem access.
pkgs/python/[email protected]/setup.py:61
    long_description=open("README.md", encoding="utf-8").read(),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a814c2f2193cdde4 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/accelerator.py:346
                    if os.environ.get("ACCELERATE_USE_DEEPSPEED", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d43244bd767a88bb Environment-variable access.
pkgs/python/[email protected]/src/accelerate/accelerator.py:366
            os.environ["ACCELERATE_USE_DEEPSPEED"] = "true"  # use DeepSpeed if plugin is provided

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d603ec7c1f9165af Environment-variable access.
pkgs/python/[email protected]/src/accelerate/accelerator.py:380
        if os.environ.get("ACCELERATE_USE_FSDP", "false").lower() == "true" or isinstance(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4d4bf04a5c98a3da Environment-variable access.
pkgs/python/[email protected]/src/accelerate/accelerator.py:389
                if os.environ.get("ACCELERATE_USE_FSDP", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a74911488ef20231 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/accelerator.py:395
            os.environ["ACCELERATE_USE_FSDP"] = "true"  # use FSDP if plugin is provided

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b66cb4c15c190364 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/accelerator.py:403
                MegatronLMPlugin() if os.environ.get("ACCELERATE_USE_MEGATRON_LM", "false").lower() == "true" else None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #525d94c04f1583e5 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/accelerator.py:408
            os.environ["ACCELERATE_USE_MEGATRON_LM"] = "true"  # use MegatronLM if plugin is provided

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #32bffd5c152dfda5 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/accelerator.py:457
            elif os.environ.get("ACCELERATE_USE_PARALLELISM_CONFIG", "false").lower() == "true":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b2f717f756215cdf Environment-variable access.
pkgs/python/[email protected]/src/accelerate/accelerator.py:1474
                and os.environ.get("ACCELERATE_BYPASS_DEVICE_MAP", "false") != "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #42399f845663269d Environment-variable access.
pkgs/python/[email protected]/src/accelerate/accelerator.py:1800
            and os.environ.get("ACCELERATE_BYPASS_DEVICE_MAP", "false") != "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5ce43c6bf1278ceb Environment-variable access.
pkgs/python/[email protected]/src/accelerate/accelerator.py:1874
                    if os.environ.get("ACCELERATE_BYPASS_DEVICE_MAP", "false") != "true":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4c636b273fbfcf9d Environment-variable access.
pkgs/python/[email protected]/src/accelerate/accelerator.py:2356
                        if self.device.type == "hpu" and os.environ.get("PT_HPU_LAZY_MODE", "1") == "1":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e585869dffaa1342 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/accelerator.py:2371
                os.environ["DEEPSPEED_USE_HPU"] = "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8fe1dc6a8ba7de29 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/accelerator.py:2988
            if os.environ.get("ACCELERATE_USE_FSDP", "false").lower() == "true":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4eb6cac050e9b42e Filesystem access.
pkgs/python/[email protected]/src/accelerate/accelerator.py:3523
            with open(save_index_file, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b005a729b4711cc3 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/commands/config/config_args.py:30
    os.environ.get("HF_HOME", os.path.join(os.environ.get("XDG_CACHE_HOME", "~/.cache"), "huggingface"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #778e81cb41d60abb Filesystem access.
pkgs/python/[email protected]/src/accelerate/commands/config/config_args.py:54
    with open(config_file, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #32ee5315ac2d8b55 Filesystem access.
pkgs/python/[email protected]/src/accelerate/commands/config/config_args.py:131
        with open(json_file, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #06b00eacb3e75b34 Filesystem access.
pkgs/python/[email protected]/src/accelerate/commands/config/config_args.py:144
        with open(json_file, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #98313297ea2b9129 Filesystem access.
pkgs/python/[email protected]/src/accelerate/commands/config/config_args.py:151
        with open(yaml_file, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5cdb967787e3115a Filesystem access.
pkgs/python/[email protected]/src/accelerate/commands/config/config_args.py:163
        with open(yaml_file, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4aa0754c0e2c2515 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/commands/config/sagemaker.py:106
        os.environ["AWS_PROFILE"] = aws_profile

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #85e76996b79e7745 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/commands/config/sagemaker.py:113
        os.environ["AWS_ACCESS_KEY_ID"] = aws_access_key_id

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #42628a0a23800e58 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/commands/config/sagemaker.py:116
        os.environ["AWS_SECRET_ACCESS_KEY"] = aws_secret_access_key

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c1aa98919e691467 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/commands/config/sagemaker.py:119
    os.environ["AWS_DEFAULT_REGION"] = aws_region

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4a6942a10491e873 Filesystem access.
pkgs/python/[email protected]/src/accelerate/commands/launch.py:1055
        with open(DEEPSPEED_ENVIRONMENT_NAME, "a") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f021445e1226d2dc Filesystem access.
pkgs/python/[email protected]/src/accelerate/commands/to_fsdp2.py:154
    with open(config_file) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #77a20ab8b8f4bb48 Filesystem access.
pkgs/python/[email protected]/src/accelerate/commands/to_fsdp2.py:171
    with open(args.output_file, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3087104502741d3d Filesystem access.
pkgs/python/[email protected]/src/accelerate/commands/tpu.py:115
        with open(args.command_file) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #97157d57faa14383 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/launchers.py:124
    if any(key.startswith("KAGGLE") for key in os.environ.keys()):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7aa782ad08653c15 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/launchers.py:137
        (os.environ.get("TPU_NAME", None) is not None) or (os.environ.get("PJRT_DEVICE", "") == "TPU")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #11531721c12da006 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/launchers.py:211
                if os.environ.get("ACCELERATE_DEBUG_MODE", "false").lower() == "true":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5df5fd0ce7941f9c Environment-variable access.
pkgs/python/[email protected]/src/accelerate/launchers.py:265
                os.environ["PYTORCH_ENABLE_MPS_FALLBACK"] = "1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #71bca5e67c3655c6 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/logging.py:128
        log_level = os.environ.get("ACCELERATE_LOG_LEVEL", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5421cce393b70282 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/parallelism_config.py:277
            self.dp_replicate_size = int(os.environ.get("PARALLELISM_CONFIG_DP_REPLICATE_SIZE", "1"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #376bd6d221ecb00c Environment-variable access.
pkgs/python/[email protected]/src/accelerate/parallelism_config.py:279
            self.dp_shard_size = int(os.environ.get("PARALLELISM_CONFIG_DP_SHARD_SIZE", "1"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d7dc936a29093eb1 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/parallelism_config.py:281
            self.tp_size = int(os.environ.get("PARALLELISM_CONFIG_TP_SIZE", "1"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e13323e91714b83 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/parallelism_config.py:283
            self.cp_size = int(os.environ.get("PARALLELISM_CONFIG_CP_SIZE", "1"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ca11fc688838c84b Environment-variable access.
pkgs/python/[email protected]/src/accelerate/parallelism_config.py:285
            self.cp_backend = os.environ.get("PARALLELISM_CONFIG_CP_BACKEND", "torch")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4674a04eb53a5f19 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/parallelism_config.py:287
            self.sp_size = int(os.environ.get("PARALLELISM_CONFIG_SP_SIZE", "1"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0d455dc35811cfe0 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/parallelism_config.py:289
            self.sp_backend = os.environ.get("PARALLELISM_CONFIG_SP_BACKEND", "deepspeed")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2c72837779933073 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:182
            env_device = os.environ.get("ACCELERATE_TORCH_DEVICE", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b4a139464522d53c Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:189
                    os.environ.get("ACCELERATE_USE_SAGEMAKER", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #68bc9866bc88cab5 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:190
                    and os.environ.get("ACCELERATE_SAGEMAKER_DISTRIBUTED_TYPE") != SageMakerDistributedType.NO

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7f2092b1c2b2fb45 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:202
                if int(os.environ.get("LOCAL_RANK", -1)) != -1:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #30d2ab8c5335ad5b Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:204
                    if os.environ.get("ACCELERATE_USE_DEEPSPEED", "false").lower() == "true":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8835e78d0ec133e0 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:213
                                local_rank = os.environ.get("LOCAL_RANK", -1)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fe9c121f1a00c0c1 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:224
                            local_rank = os.environ.get("LOCAL_RANK", -1)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #69c7ac5b8ce07c96 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:228
                            and os.environ.get("ACCELERATE_USE_FSDP", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f7e1a7dd601bec4 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:230
                                os.environ.get("FSDP_OFFLOAD_PARAMS", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #216a079f72707712 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:231
                                or os.environ.get("FSDP_STATE_DICT_TYPE", "SHARDED_STATE_DICT") == "FULL_STATE_DICT"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6293e9a66c83d32b Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:237
                            and os.environ.get("ACCELERATE_USE_FSDP", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #03459a65edb45395 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:239
                                os.environ.get("FSDP_OFFLOAD_PARAMS", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #580eb9e1fa31edd8 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:240
                                or os.environ.get("FSDP_STATE_DICT_TYPE", "SHARDED_STATE_DICT") == "FULL_STATE_DICT"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #51cae7b91fe76f25 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:249
                os.environ["RANK"] = str(dist_information.rank)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9229524e2e8be82d Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:250
                os.environ["WORLD_SIZE"] = str(dist_information.world_size)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #afedafc71cbcd189 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:251
                os.environ["LOCAL_RANK"] = str(dist_information.local_rank)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7b52840b89c136da Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:252
                os.environ["LOCAL_WORLD_SIZE"] = str(dist_information.local_world_size)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4d07b40020e62462 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:253
                if not os.environ.get("MASTER_PORT", None):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #757a3fbe0ebfceff Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:254
                    os.environ["MASTER_PORT"] = "29500"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #22f57991aac1687b Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:256
                    not os.environ.get("MASTER_ADDR", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #81c1f6eb066bd6d2 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:302
                    self.local_process_index = int(os.environ.get("LOCAL_RANK", -1))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1e4a9c1dca5e01d6 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:307
                    int(os.environ.get("LOCAL_RANK", -1)) if dist_information is None else dist_information.local_rank

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4040c07c49002545 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:320
                if "NCCL_P2P_DISABLE" not in os.environ or "NCCL_IB_DISABLE" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dec4b402be32ec4c Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:735
            os.environ["PYTORCH_ENABLE_MPS_FALLBACK"] = "1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c188a19d779a2787 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:772
        elif int(os.environ.get("LOCAL_RANK", -1)) != -1 and not cpu:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #10145daa885c050c Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:807
                int(os.environ.get("LOCAL_RANK", -1)) != -1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0ac0f83adaea0eed Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:967
                    if os.environ.get("ACCELERATE_DOWNCAST_BF16"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f6e8c4f47dfec279 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:968
                        os.environ["XLA_USE_BF16"] = str(0)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f6bad305d31f09fd Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:969
                        os.environ["XLA_DOWNCAST_BF16"] = str(1)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #87f67669d3918182 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:972
                        os.environ["XLA_USE_BF16"] = str(1)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6d201491a4b9d668 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:973
                        os.environ["XLA_DOWNCAST_BF16"] = str(0)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #57737276a0e0f135 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:975
            elif os.environ.get("ACCELERATE_USE_DEEPSPEED", "false").lower() == "true" and not cpu:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #90c407ba994e2edb Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:998
                if not os.environ.get("ACCELERATE_ALLOW_CP_STANDALONE", "false").lower() == "true":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b96e67c9270e6c5f Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:1011
                if (os.environ.get("ACCELERATE_USE_FSDP", "false").lower() == "true" or fsdp_plugin is not None) or (

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #64458a055749a8ed Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:1018
                if os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b16494d03d30ed85 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/state.py:1018
                if os.environ.get(
                    "ACCELERATE_USE_MEGATRON_LM", "false"
                ).lower() == "true" and self.distributed_type not in [

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f3ccb1254f041bcc Filesystem access.
pkgs/python/[email protected]/src/accelerate/test_utils/examples.py:89
    with open(base_filename) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5af9b215d8944783 Filesystem access.
pkgs/python/[email protected]/src/accelerate/test_utils/examples.py:91
    with open(os.path.abspath(os.path.join("examples", "nlp_example.py"))) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #acfaa3111dd9a860 Filesystem access.
pkgs/python/[email protected]/src/accelerate/test_utils/examples.py:93
    with open(feature_filename) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6145d01561ca88e4 Filesystem access.
pkgs/python/[email protected]/src/accelerate/test_utils/examples.py:96
        with open(secondary_filename) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #f61a565306fb4163 Filesystem access.
pkgs/python/[email protected]/src/accelerate/test_utils/scripts/external_deps/test_checkpointing.py:184
        with open(os.path.join(args.output_dir, f"state_{starting_epoch - 1}.json")) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #061612f048f05412 Filesystem access.
pkgs/python/[email protected]/src/accelerate/test_utils/scripts/external_deps/test_checkpointing.py:224
            with open(os.path.join(args.output_dir, f"state_{epoch}.json"), "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #26083639df383c89 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/test_utils/scripts/external_deps/test_metrics.py:34
os.environ["TRANSFORMERS_NO_ADVISORY_WARNINGS"] = "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #40e38730a568884f Filesystem access.
pkgs/python/[email protected]/src/accelerate/test_utils/scripts/external_deps/test_peak_memory_usage.py:273
        with open(os.path.join(args.output_dir, "peak_memory_utilization.json"), "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #41443c4fb5eaaa4d Filesystem access.
pkgs/python/[email protected]/src/accelerate/test_utils/scripts/external_deps/test_performance.py:233
        with open(os.path.join(args.output_dir, "all_results.json"), "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #5b91533709ba12fa Environment-variable access.
pkgs/python/[email protected]/src/accelerate/test_utils/scripts/test_notebook.py:53
NUM_PROCESSES = int(os.environ.get("ACCELERATE_NUM_PROCESSES", 1))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #e505212555b05f20 Filesystem access.
pkgs/python/[email protected]/src/accelerate/test_utils/scripts/test_script.py:96
            with open(path, "a+") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #531e0fbdfe2e40ff Filesystem access.
pkgs/python/[email protected]/src/accelerate/test_utils/scripts/test_script.py:99
            with open(path, "a+") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #87573fcf23b1abad Filesystem access.
pkgs/python/[email protected]/src/accelerate/test_utils/scripts/test_script.py:104
        with open(path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bda716880af11e9c Environment-variable access.
pkgs/python/[email protected]/src/accelerate/test_utils/testing.py:138
        value = os.environ[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e9e8e1adcd17dedd Environment-variable access.
pkgs/python/[email protected]/src/accelerate/test_utils/testing.py:798
    worker = os.environ.get("PYTEST_XDIST_WORKER", "gw0")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #274bf98dfb09c7ae Environment-variable access.
pkgs/python/[email protected]/src/accelerate/test_utils/testing.py:829
        env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a53f4426f7763139 Filesystem access.
pkgs/python/[email protected]/src/accelerate/tracking.py:237
        with open(os.path.join(dir_name, "hparams.yml"), "w") as outfile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #68d283b73a09cb63 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/tracking.py:737
        experiment_name = os.environ.get("MLFLOW_EXPERIMENT_NAME", experiment_name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a4ce76efdc3b9c1b Environment-variable access.
pkgs/python/[email protected]/src/accelerate/tracking.py:738
        run_id = os.environ.get("MLFLOW_RUN_ID", run_id)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #58c7770ebb54b8f6 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/tracking.py:739
        tags = os.environ.get("MLFLOW_TAGS", tags)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5f15cf928493cd44 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/tracking.py:743
        nested_run = os.environ.get("MLFLOW_NESTED_RUN", nested_run)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ffc07e7f6884df12 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/tracking.py:935
        task_init_args.setdefault("project_name", os.environ.get("CLEARML_PROJECT", self.user_provided_run_name))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #66f2675ea4670cdf Environment-variable access.
pkgs/python/[email protected]/src/accelerate/tracking.py:936
        task_init_args.setdefault("task_name", os.environ.get("CLEARML_TASK", self.user_provided_run_name))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0e41df2576c6dc5e Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:413
            self.margin = int(os.environ.get(env_prefix + "MARGIN", 0))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eabba86217ebac0d Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:415
            self.interval = int(os.environ.get(env_prefix + "INTERVAL", 1))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #27ce610a1cc4cecd Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:417
            self.fp8_format = os.environ.get(env_prefix + "FORMAT", "HYBRID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f51a99f9bb45f635 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:422
            self.amax_compute_algo = os.environ.get(env_prefix + "AMAX_COMPUTE_ALGO", "most_recent")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1b1a55cf67919bfa Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:427
            self.amax_history_len = int(os.environ.get(env_prefix + "AMAX_HISTORY_LEN", 1024))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #74818c2c4c902e1e Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:449
            self.opt_level = os.environ.get(env_prefix + "OPT_LEVEL", "O2")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #12fdbdcb09fe1344 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:472
            self.backend = os.environ.get(env_prefix + "BACKEND", default_backend)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #007eae851f0f61ae Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1089
            self.backend = os.environ.get(prefix + "BACKEND", "no")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a485b02641d1f6ab Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1093
            self.mode = os.environ.get(prefix + "MODE", "default")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #50f604270299d2ca Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1095
            self.fullgraph = str_to_bool(os.environ.get(prefix + "USE_FULLGRAPH", "False")) == 1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #33b8702247b5b4df Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1098
                str_to_bool(os.environ.get(prefix + "USE_REGIONAL_COMPILATION", "False")) == 1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #797a5150d75912b7 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1101
        if self.dynamic is None and os.environ.get(prefix + "USE_DYNAMIC", None) is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c98e59439c838c04 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1102
            self.dynamic = str_to_bool(os.environ.get(prefix + "USE_DYNAMIC", "False")) == 1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cfdcb5d667adc5e7 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1224
            gas = os.environ.get("ACCELERATE_GRADIENT_ACCUMULATION_STEPS", "auto")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5744e41a5fc6906c Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1228
            gradient_clipping = os.environ.get("ACCELERATE_GRADIENT_CLIPPING", "auto")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fd633cb811d79ef3 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1232
            self.zero_stage = int(os.environ.get("ACCELERATE_DEEPSPEED_ZERO_STAGE", 2))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f73afa041e7e0ecc Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1235
            self.offload_optimizer_device = os.environ.get("ACCELERATE_DEEPSPEED_OFFLOAD_OPTIMIZER_DEVICE", "none")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #82698d0ca77e7b50 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1238
            self.offload_param_device = os.environ.get("ACCELERATE_DEEPSPEED_OFFLOAD_PARAM_DEVICE", "none")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #035debd14c4d20d6 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1241
            self.offload_optimizer_nvme_path = os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1fe51c33aae7d6fb Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1241
            self.offload_optimizer_nvme_path = os.environ.get(
                "ACCELERATE_DEEPSPEED_OFFLOAD_OPTIMIZER_NVME_PATH", "none"
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #099d445861294d53 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1246
            self.offload_param_nvme_path = os.environ.get("ACCELERATE_DEEPSPEED_OFFLOAD_PARAM_NVME_PATH", "none")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f6486d2906e5a583 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1250
                os.environ.get("ACCELERATE_DEEPSPEED_ZERO3_SAVE_16BIT_MODEL", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5291ce0c1637a324 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1253
            self.enable_msamp = os.environ.get("ACCELERATE_FP8_BACKEND", None) == "MSAMP"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a9064b955255c126 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1256
            self.msamp_opt_level = os.environ.get("ACCELERATE_FP8_OPT_LEVEL", "O1")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #322cff62ae0000be Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1259
            self.hf_ds_config = os.environ.get("ACCELERATE_DEEPSPEED_CONFIG_FILE", "none")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #599fb95ebf1335a8 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1324
                    os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9789bbc4ac91df69 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1324
                    os.environ.get(
                        "ACCELERATE_DEEPSPEED_ZERO3_INIT",
                        str(self.hf_ds_config.is_zero3()),
                    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e39fa417de2705a1 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1506
        deepspeed_fields_from_accelerate_config = os.environ.get("ACCELERATE_CONFIG_DS_FIELDS", "").split(",")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d8a12c8895eb1527 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1519
            self.transformer_moe_cls_names = os.environ.get("ACCELERATE_DEEPSPEED_MOE_LAYER_CLS_NAMES", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #55e6bfb4ff0ff853 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1806
            self.fsdp_version = int(os.environ.get(env_prefix + "VERSION", "1"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1da06aa62a64c95f Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1821
                self.sharding_strategy = os.environ.get(env_prefix + "SHARDING_STRATEGY", "FULL_SHARD")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3714ea77c4394161 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1832
            reshard_after_forward = os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #18b7db8606dc2c1d Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1832
            reshard_after_forward = os.environ.get(
                env_prefix + "RESHARD_AFTER_FORWARD",
                "true" if self.fsdp_version == 2 else "FULL_SHARD",
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9f423e130c2788c4 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1862
            self.cpu_offload = str_to_bool(os.environ.get(env_prefix + "OFFLOAD_PARAMS", "False")) == 1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #40cfb0bef3d7729c Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1868
            self.backward_prefetch = os.environ.get(env_prefix + "BACKWARD_PREFETCH", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a9682ada377f4e55 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1885
            self.auto_wrap_policy = os.environ.get(env_prefix + "AUTO_WRAP_POLICY", "NO_WRAP")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5a2797a90f895c03 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1899
                    self.transformer_cls_names_to_wrap = os.environ.get(env_prefix + "TRANSFORMER_CLS_TO_WRAP", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e6a642b40f35066f Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1905
                    self.min_num_params = int(os.environ.get(env_prefix + "MIN_NUM_PARAMS", 0))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5cd69c8e1f2a3983 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1914
            self.use_orig_params = str_to_bool(os.environ.get(env_prefix + "USE_ORIG_PARAMS", "False")) == 1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f359772e838b3cb4 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1920
            self.sync_module_states = str_to_bool(os.environ.get(env_prefix + "SYNC_MODULE_STATES", "False")) == 1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #db4ba278fae60179 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1929
            self.forward_prefetch = str_to_bool(os.environ.get(env_prefix + "FORWARD_PREFETCH", "False")) == 1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d9928b706286504d Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1935
                str_to_bool(os.environ.get(env_prefix + "ACTIVATION_CHECKPOINTING", "False")) == 1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #25553cfc8396c0e4 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1939
            self.ignored_modules = os.environ.get(env_prefix + "IGNORED_MODULES", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #93af0377d530f3e2 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1943
                str_to_bool(os.environ.get(env_prefix + "CPU_RAM_EFFICIENT_LOADING", "False")) == 1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #237c31c827a343db Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:1947
            os.environ[env_prefix + "CPU_RAM_EFFICIENT_LOADING"] = str(self.cpu_ram_efficient_loading)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a303eba03b38a261 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2012
            self.state_dict_type = os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #71a518b491e1f23e Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2012
            self.state_dict_type = os.environ.get(
                "FSDP_STATE_DICT_TYPE",
                "FULL_STATE_DICT" if self.fsdp_version == 1 else "SHARDED_STATE_DICT",
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c0bad724c6d0a21a Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2209
            self.cp_comm_strategy = os.environ.get("PARALLELISM_CONFIG_CP_COMM_STRATEGY", "allgather")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ae9d665c5363e9c4 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2241
                os.environ.get("PARALLELISM_CONFIG_SP_SEQ_LENGTH_IS_VARIABLE", "true").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b87232cde96020dc Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2245
            if "PARALLELISM_CONFIG_SP_SEQ_LENGTH" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d83dd079f21a5a29 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2250
                self.sp_seq_length = os.environ.get("PARALLELISM_CONFIG_SP_SEQ_LENGTH")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a8b5cb89e56a446d Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2254
            self.sp_attn_implementation = os.environ.get("PARALLELISM_CONFIG_SP_ATTN_IMPLEMENTATION", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dffbe0fa8b30022d Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2584
            self.tp_degree = int(os.environ.get(prefix + "TP_DEGREE", 1))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3538c036742d1a85 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2586
            self.pp_degree = int(os.environ.get(prefix + "PP_DEGREE", 1))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f41bdc7f00c3733d Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2588
            self.use_custom_fsdp = str_to_bool(os.environ.get(prefix + "USE_CUSTOM_FSDP", "False")) == 1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c13ba60e183fc8c Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2590
            self.no_load_optim = str_to_bool(os.environ.get(prefix + "NO_LOAD_OPTIM", "False")) == 1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1ec7dcddd6f26e2a Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2592
            self.eod_mask_loss = str_to_bool(os.environ.get(prefix + "EOD_MASK_LOSS", "False")) == 1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8cec8fdeebedb661 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2594
            self.no_save_optim = str_to_bool(os.environ.get(prefix + "NO_SAVE_OPTIM", "False")) == 1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0b52fa3094ddbbc2 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2596
            self.optimizer_cpu_offload = str_to_bool(os.environ.get(prefix + "OPTIMIZER_CPU_OFFLOAD", "False")) == 1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #349a90482215f171 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2599
                str_to_bool(os.environ.get(prefix + "OVERLAP_CPU_OPTIMIZER_D2H_H2D", "False")) == 1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f23a90709b8d39b6 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2603
                str_to_bool(os.environ.get(prefix + "USE_PRECISION_AWARE_OPTIMIZER", "False")) == 1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4dcf62ed7656d612 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2606
            if os.environ.get(prefix + "DECODER_LAST_PIPELINE_NUM_LAYERS") is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #28c88585aad42fb6 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2608
                    os.environ.get(prefix + "DECODER_LAST_PIPELINE_NUM_LAYERS", 0)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1cff5cefd9b867a9 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2613
            self.num_micro_batches = int(os.environ.get(prefix + "NUM_MICRO_BATCHES", 1))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7c9c344392937878 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2615
            self.gradient_clipping = float(os.environ.get(prefix + "GRADIENT_CLIPPING", 1.0))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c6a8711784a613e3 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2617
            self.recompute_activations = str_to_bool(os.environ.get(prefix + "RECOMPUTE_ACTIVATIONS", "False")) == 1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eeda5bccf5126bc0 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2620
                str_to_bool(os.environ.get(prefix + "USE_DISTRIBUTED_OPTIMIZER", "False")) == 1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #760a8e49171dee78 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2623
            self.sequence_parallelism = str_to_bool(os.environ.get(prefix + "SEQUENCE_PARALLELISM", "False")) == 1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #01b956473cff3fab Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2625
            self.recompute_granularity = os.environ.get(prefix + "RECOMPUTE_GRANULARITY", "full")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9a7224bcde211cba Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2627
            self.recompute_method = os.environ.get(prefix + "RECOMPUTE_METHOD", "uniform")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #97151ce286ce002c Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2629
            self.recompute_num_layers = int(os.environ.get(prefix + "RECOMPUTE_NUM_LAYERS", 1))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #065a819f107a21a7 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2631
            self.attention_backend = str_to_bool(os.environ.get(prefix + "ATTENTION_BACKEND", "True")) == 1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4bbe42ce0ad82791 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2633
            self.expert_model_parallel_size = int(os.environ.get(prefix + "EXPERT_MODEL_PARALLEL_SIZE", 1))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0397d6e2d8451b4a Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2635
            self.context_parallel_size = int(os.environ.get(prefix + "CONTEXT_PARALLEL_SIZE", 2))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5fd48a6df62035be Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2637
            self.attention_dropout = float(os.environ.get(prefix + "ATTENTION_DROPOUT", "0.0"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bb9248242b04de42 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2639
            self.hidden_dropout = float(os.environ.get(prefix + "HIDDEN_DROPOUT", "0.0"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cff0db11388afb6f Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2642
                str_to_bool(os.environ.get(prefix + "ATTENTION_SOFTMAX_IN_FP32", "True")) == 1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1aeee888151fcb08 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2645
            self.expert_tensor_parallel_size = int(os.environ.get(prefix + "EXPERT_TENSOR_PARALLEL_SIZE", 1))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bd9094a8f95f9a7d Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2648
                str_to_bool(os.environ.get(prefix + "CALCULATE_PER_TOKEN_LOSS", "True")) == 1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cbc8ed91a2f07f07 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/dataclasses.py:2652
                str_to_bool(os.environ.get(prefix + "USE_ROTARY_POSITION_EMBEDDINGS", "True")) == 1

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d20c38fac52bda1a Filesystem access.
pkgs/python/[email protected]/src/accelerate/utils/deepspeed.py:142
            with open(config_file_or_dict, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5d56697605025742 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/environment.py:77
        val = int(os.environ.get(e, -1))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #19f0ca31e27bd9cc Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/environment.py:85
    value = os.environ.get(key, str(default))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa85293ddaeb72e5 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/environment.py:90
    value = os.environ.get(key, str(default))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bd190312d6dca4ec Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/environment.py:163
            command = f"{os.environ['systemdrive']}\\Program Files\\NVIDIA Corporation\\NVSMI\\nvidia-smi.exe"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bce2fa0ac8576e3b Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/environment.py:368
    _old_os_environ = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4deca0847afe163a Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/environment.py:369
    os.environ.clear()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c9a46c3704f027a1 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/environment.py:374
        os.environ.clear()  # clear any added keys,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ce61b9e22019572e Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/environment.py:375
        os.environ.update(_old_os_environ)  # then restore previous environment

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #10cec5c3d800b94f Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/environment.py:399
        if key in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b26475584d029c1d Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/environment.py:400
            existing_vars[key] = os.environ[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9624bf94fe8a81f6 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/environment.py:401
        os.environ[key] = str(value)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a32ca418a2e2d331 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/environment.py:410
                os.environ[key] = existing_vars[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7d9f8826fab07acf Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/environment.py:412
                os.environ.pop(key, None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e8acaaf6a48eecc4 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/environment.py:439
        existing_vars = {k: v for k, v in os.environ.items() if k.startswith(prefix)}

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #67ab91cebffab327 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/environment.py:444
            for key in [k for k in os.environ if k.startswith(prefix)]:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a59ed13b67d1db0f Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/environment.py:446
                    os.environ[key] = existing_vars[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e9d3659ae570f430 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/environment.py:448
                    os.environ.pop(key, None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #95ab13b734ffee08 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/fsdp_utils.py:44
    if "ACCELERATE_USE_FSDP" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #64b83b60a2544c2a Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/fsdp_utils.py:45
        os.environ["ACCELERATE_USE_FSDP"] = "True"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #46974417e8fac490 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/fsdp_utils.py:46
    os.environ["FSDP_CPU_RAM_EFFICIENT_LOADING"] = "True"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a47ac246a635ea72 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/fsdp_utils.py:53
    os.environ["FSDP_CPU_RAM_EFFICIENT_LOADING"] = "False"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5cefa5b53364b1db Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/imports.py:222
    if str_to_bool(os.environ.get("ACCELERATE_USE_MEGATRON_LM", "False")) == 1:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #df74e4651d488923 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/launch.py:132
    current_env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cc8270408c7be8c3 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/launch.py:257
    current_env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d0a7788d40b1f74a Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/launch.py:528
    current_env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dbf5e0edebd66190 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/launch.py:660
    os.environ["AWS_DEFAULT_REGION"] = sagemaker_config.region

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #344b688b9f42aa36 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/launch.py:664
        os.environ["AWS_PROFILE"] = sagemaker_config.profile

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #00077e034a81e6dd Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/launch.py:666
        os.environ["AWS_ACCESS_KEY_ID"] = args.aws_access_key_id

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #15d3630280082acd Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/launch.py:667
        os.environ["AWS_SECRET_ACCESS_KEY"] = args.aws_secret_access_key

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #163b8237f1945a1e Filesystem access.
pkgs/python/[email protected]/src/accelerate/utils/launch.py:723
        with open(sagemaker_config.sagemaker_inputs_file) as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8fb4c8f9899cedb4 Filesystem access.
pkgs/python/[email protected]/src/accelerate/utils/launch.py:736
        with open(sagemaker_config.sagemaker_metrics_file) as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f4925b2bfdec74a4 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/launch.py:778
    paths = [p for p in os.environ.get(env_var_name, "").split(":") if len(p) > 0]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b337f6081b05114d Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/launch.py:803
            world_size = int(os.environ.get("WORLD_SIZE"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #de1e022c8b4b48be Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/launch.py:804
            rdv_file = os.environ.get("ACCELERATE_DEBUG_RDV_FILE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ab590307fceeb867 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/launch.py:821
            os.environ["LOCAL_RANK"] = str(index)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5f7cdd77256efa80 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/launch.py:822
            nproc = int(os.environ.get("NPROC", 1))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9636655c25fa5e44 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/launch.py:823
            node_rank = int(os.environ.get("NODE_RANK", 0))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a27731607a1bd964 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/launch.py:824
            os.environ["RANK"] = str(nproc * node_rank + index)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b6bbef3c5a050277 Environment-variable access.
pkgs/python/[email protected]/src/accelerate/utils/launch.py:826
        os.environ["FORK_LAUNCHED"] = str(1)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5be0958cc23287d4 Filesystem access.
pkgs/python/[email protected]/src/accelerate/utils/modeling.py:1909
        with open(index_filename) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #449c92ef2f9db75b Filesystem access.
pkgs/python/[email protected]/src/accelerate/utils/offload.py:75
        with open(offload_index_file, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #09be60839aad8b79 Filesystem access.
pkgs/python/[email protected]/src/accelerate/utils/offload.py:81
    with open(offload_index_file, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #008279f57412d5e5 Filesystem access.
pkgs/python/[email protected]/src/accelerate/utils/offload.py:154
            with open(os.path.join(save_folder, "index.json")) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

elasticsearch

python dependency
medium telemetry dependency Excluded from app score #ab81aa424989e8b6 Telemetry/analytics SDK usage detected. Confirm user consent and that no PII is sent without a lawful basis.
pkgs/python/[email protected]/elasticsearch/_otel.py:25
    from opentelemetry import trace

A telemetry/analytics SDK is used; event data is sent to a third-party collector.

Fix: Ensure user consent and a lawful basis; strip PII from event payloads.

expand_more 4 low-confidence finding(s)
low env_fs dependency Excluded from app score #00d65050a2096a53 Environment-variable access.
pkgs/python/[email protected]/elasticsearch/_otel.py:51
            enabled = os.environ.get(ENABLED_ENV_VAR, "true") == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #91349cb9f3e6a287 Environment-variable access.
pkgs/python/[email protected]/elasticsearch/_otel.py:58
            self.body_strategy = os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #47e4a25540c1f36d Environment-variable access.
pkgs/python/[email protected]/elasticsearch/_otel.py:58
            self.body_strategy = os.environ.get(
                BODY_STRATEGY_ENV_VAR, DEFAULT_BODY_STRATEGY
            )  # type: ignore[assignment]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0e4edff347eb206a Environment-variable access.
pkgs/python/[email protected]/elasticsearch/compat.py:45
    if os.environ.get(DISABLE_WARN_STACKLEVEL_ENV_VAR) in ["1", "true", "True"]:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

APScheduler

python dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #b28b25357fab96de Filesystem access.
pkgs/python/[email protected]/src/apscheduler/schedulers/base.py:832
                outfile = stack.enter_context(open(outfile, "w"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #455577199b9e15c9 Filesystem access.
pkgs/python/[email protected]/src/apscheduler/schedulers/base.py:873
                infile = stack.enter_context(open(infile))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

Brotli

python dependency
expand_more 5 low-confidence finding(s)
low env_fs dependency Excluded from app score #89dc438837cdeaf9 Filesystem access.
pkgs/python/[email protected]/python/bro.py:152
            with open(options.infile, 'rb') as infile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1ed44cffc45b699b Filesystem access.
pkgs/python/[email protected]/python/bro.py:169
        outfile = open(options.outfile, 'wb')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6af759c71b0aa478 Environment-variable access.
pkgs/python/[email protected]/setup.py:28
    value = os.environ.get(key)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #befe152aed7d9bf0 Filesystem access.
pkgs/python/[email protected]/setup.py:40
    with open(path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ccf25379f53bf807 Filesystem access.
pkgs/python/[email protected]/setup.py:335
with open("README.md", "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

Markdown

python dependency
expand_more 4 low-confidence finding(s)
low env_fs dependency Excluded from app score #61234df70abd7cbc Filesystem access.
pkgs/python/[email protected]/markdown/__main__.py:106
        with open(
            options.configfile, mode="r", encoding=options.encoding
        ) as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #34b5382d35b8d313 Filesystem access.
pkgs/python/[email protected]/markdown/core.py:434
                input_file = open(input, mode="r", encoding=encoding)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fc54ed0bd2a0007a Filesystem access.
pkgs/python/[email protected]/markdown/test_tools.py:151
                with open(infile, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #47a1181e81c0507d Filesystem access.
pkgs/python/[email protected]/markdown/test_tools.py:153
                with open(outfile, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

PyJWT

python dependency
expand_more 4 low-confidence finding(s)
low env_fs tooling Excluded from app score unreachable #f08c19c3fe35e313 Filesystem access.
pkgs/python/[email protected]/docs/conf.py:11
    with open(os.path.join(here, *parts), encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #dfdf41956ed1a271 Environment-variable access.
pkgs/python/[email protected]/docs/conf.py:97
os.environ["SPHINX_BUILD"] = "1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8e0d27d34b1c3dc0 Environment-variable access.
pkgs/python/[email protected]/jwt/algorithms.py:102
    if TYPE_CHECKING or bool(os.getenv("SPHINX_BUILD", "")):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1ca390eee111911e Environment-variable access.
pkgs/python/[email protected]/jwt/api_jwt.py:25
if TYPE_CHECKING or bool(os.getenv("SPHINX_BUILD", "")):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

PyMySQL

python dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #2e20e2a9abfcfa21 Filesystem access.
pkgs/python/[email protected]/pymysql/connections.py:1460
            with open(self.filename, "rb") as open_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

aiocache

python dependency
expand_more 5 low-confidence finding(s)
low env_fs dependency Excluded from app score #81fb40fe7d654fde Environment-variable access.
pkgs/python/[email protected]/aiocache/base.py:62
                if os.getenv("AIOCACHE_DISABLE") == "1":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #6eab196a448bd437 Filesystem access.
pkgs/python/[email protected]/docs/conf.py:70
    version = re.findall(r'__version__ = "(.+?)"', _path.read_text())[0]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #4d2eb7dfee4af03e Environment-variable access.
pkgs/python/[email protected]/docs/conf.py:134
on_rtd = os.environ.get("READTHEDOCS", None) == "True"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b1d368e316aea92d Filesystem access.
pkgs/python/[email protected]/setup.py:8
    version = re.findall(r"^__version__ = \"([^']+)\"\r?$", p.read_text(), re.M)[0]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1ca880c39cfc3796 Filesystem access.
pkgs/python/[email protected]/setup.py:12
readme = Path(__file__).with_name("README.rst").read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

aiohttp

python dependency
expand_more 17 low-confidence finding(s)
low env_fs dependency Excluded from app score #c282b5ec7ca59dea Environment-variable access.
pkgs/python/[email protected]/aiohttp/helpers.py:78
NO_EXTENSIONS = bool(os.environ.get("AIOHTTP_NO_EXTENSIONS"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #49b0faaaf7b83208 Environment-variable access.
pkgs/python/[email protected]/aiohttp/helpers.py:87
    not sys.flags.ignore_environment and bool(os.environ.get("PYTHONASYNCIODEBUG"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #64e7eb7357b0e070 Environment-variable access.
pkgs/python/[email protected]/aiohttp/helpers.py:204
    netrc_env = os.environ.get("NETRC")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0fb495aa8d86675d Environment-variable access.
pkgs/python/[email protected]/aiohttp/web_fileresponse.py:50
NOSENDFILE: Final[bool] = bool(os.environ.get("AIOHTTP_NOSENDFILE"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #12d24dfb70636cf6 Environment-variable access.
pkgs/python/[email protected]/docs/conf.py:22
    os.getenv("READTHEDOCS", "False") == "True"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #be55976f77542c3c Environment-variable access.
pkgs/python/[email protected]/docs/conf.py:23
    and os.environ["READTHEDOCS_VERSION_TYPE"] == "tag"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #ef964f8ab2b43a28 Filesystem access.
pkgs/python/[email protected]/docs/conf.py:32
with open(_version_path, encoding="latin1") as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #88dd1b5c7e0bf69d Filesystem access.
pkgs/python/[email protected]/examples/web_ws.py:21
        with open(WS_FILE, "rb") as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #22c21e8d506cfee6 Filesystem access.
pkgs/python/[email protected]/requirements/sync-direct-runtime-deps.py:12
data = tomllib.loads(Path("pyproject.toml").read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ac617504f94126e4 Filesystem access.
pkgs/python/[email protected]/requirements/sync-direct-runtime-deps.py:19
with open(Path("requirements", "runtime-deps.in"), "w") as outfile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #be971eeae5b1910a Environment-variable access.
pkgs/python/[email protected]/setup.py:12
    os.environ.get("AIOHTTP_USE_SYSTEM_DEPS", os.environ.get("USE_SYSTEM_DEPS"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #32666e4eea74d90a Environment-variable access.
pkgs/python/[email protected]/setup.py:14
NO_EXTENSIONS: bool = bool(os.environ.get("AIOHTTP_NO_EXTENSIONS"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #1fa0201f148140ba Filesystem access.
pkgs/python/[email protected]/tools/check_sum.py:30
        hasher.update(full_src.read_bytes())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #66198756ecba4233 Filesystem access.
pkgs/python/[email protected]/tools/check_sum.py:37
        dst_hash = dst.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #1feb0b755021078d Filesystem access.
pkgs/python/[email protected]/tools/check_sum.py:41
        dst.write_text(src_hash)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #f51b15ee72e38d86 Filesystem access.
pkgs/python/[email protected]/tools/cleanup_changes.py:30
    changes = (root / "CHANGES.rst").read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #76cf228bf9368600 Filesystem access.
pkgs/python/[email protected]/tools/gen.py:16
    code = compile(hdrs_file.read_text(), str(hdrs_file), "exec")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

alembic

python dependency
expand_more 30 low-confidence finding(s)
low env_fs dependency Excluded from app score #51cfaf29152183ff Filesystem access.
pkgs/python/[email protected]/alembic/command.py:141
                with open(toml_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8b760e2c6aefc12c Filesystem access.
pkgs/python/[email protected]/alembic/command.py:174
                with open(path, "w"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d3f8f3090a22f4a7 Filesystem access.
pkgs/python/[email protected]/alembic/config.py:277
            with open(self._toml_file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #16d3596551381aa6 Environment-variable access.
pkgs/python/[email protected]/alembic/config.py:985
        alembic_config_env = os.environ.get("ALEMBIC_CONFIG")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7ea7f349396ed6ec Filesystem access.
pkgs/python/[email protected]/alembic/templates/multidb/env.py:70
        with open(file_, "w") as buffer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8a9ea01cc56a5a0c Filesystem access.
pkgs/python/[email protected]/alembic/testing/env.py:93
    with open(path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #39b367cff615b80d Filesystem access.
pkgs/python/[email protected]/alembic/testing/env.py:113
    with open(path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4a184d511219c905 Filesystem access.
pkgs/python/[email protected]/alembic/testing/env.py:300
    with open(cfg.toml_file_name, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5e5632cdae792bad Filesystem access.
pkgs/python/[email protected]/alembic/testing/env.py:307
    with open(cfg.config_file_name, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #104cca88b3ae1a1f Filesystem access.
pkgs/python/[email protected]/alembic/testing/env.py:332
    with open(path, "wb") as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #367cebc0dd7eb909 Environment-variable access.
pkgs/python/[email protected]/alembic/testing/fixtures.py:70
        os.environ.pop("ALEMBIC_CONFIG", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #83cea3e0308c20df Environment-variable access.
pkgs/python/[email protected]/alembic/util/editor.py:33
    env = os.environ if environ is None else environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #76e5b4dfc8ce3547 Filesystem access.
pkgs/python/[email protected]/alembic/util/pyfiles.py:48
        with open(dest, "ab" if append_with_newlines else "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b5bf425d53a75ab Environment-variable access.
pkgs/python/[email protected]/noxfile.py:21
SQLA_REPO = os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7c1f98858dc264e2 Environment-variable access.
pkgs/python/[email protected]/noxfile.py:21
SQLA_REPO = os.environ.get(
    "SQLA_REPO", "git+https://github.com/sqlalchemy/sqlalchemy.git"
)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b5e55854580af03f Environment-variable access.
pkgs/python/[email protected]/noxfile.py:134
    cmd.extend(os.environ.get("TOX_WORKERS", "-n4").split())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c13e9e7969791831 Environment-variable access.
pkgs/python/[email protected]/noxfile.py:141
            cmd.extend(os.environ.get("TOX_SQLITE", "--db=sqlite").split())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3f040b3963310bed Environment-variable access.
pkgs/python/[email protected]/noxfile.py:147
                os.environ.get("TOX_POSTGRESQL", "--db=postgresql").split()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7749fd428407df72 Environment-variable access.
pkgs/python/[email protected]/noxfile.py:153
            cmd.extend(os.environ.get("TOX_MYSQL", "--db=mysql").split())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ac776541af905e9b Environment-variable access.
pkgs/python/[email protected]/noxfile.py:160
            if "ORACLE_HOME" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1c46e2413ff23340 Environment-variable access.
pkgs/python/[email protected]/noxfile.py:161
                session.env["ORACLE_HOME"] = os.environ.get("ORACLE_HOME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #912bf538f394a1ce Environment-variable access.
pkgs/python/[email protected]/noxfile.py:162
            if "NLS_LANG" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0b0a100e7ff0f029 Environment-variable access.
pkgs/python/[email protected]/noxfile.py:163
                session.env["NLS_LANG"] = os.environ.get("NLS_LANG")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bec05793a87950c9 Environment-variable access.
pkgs/python/[email protected]/noxfile.py:164
            cmd.extend(os.environ.get("TOX_ORACLE", "--db=oracle").split())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c2425bd6ba62833 Environment-variable access.
pkgs/python/[email protected]/noxfile.py:170
            cmd.extend(os.environ.get("TOX_MSSQL", "--db=mssql").split())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f0e8ca1eb77d31e6 Environment-variable access.
pkgs/python/[email protected]/noxfile.py:247
    cmd.extend(os.environ.get("TOX_WORKERS", "-n4").split())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #db8b7565b5ee9d61 Filesystem access.
pkgs/python/[email protected]/tools/write_pyi.py:85
    with open(destination_path, "w") as buf:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #a9af5dfb045c4588 Filesystem access.
pkgs/python/[email protected]/tools/write_pyi.py:305
            sys.stdout.write(f_path.read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #97d206c037324bed Filesystem access.
pkgs/python/[email protected]/tools/write_pyi.py:352
        with open(self.path) as read_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #cc1206ef95497c15 Filesystem access.
pkgs/python/[email protected]/tools/write_pyi.py:392
        with open(self.path) as read_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

anthropic

python dependency
expand_more 37 low-confidence finding(s)
low env_fs dependency Excluded from app score #45f36c5348599a02 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/_client.py:93
            api_key = os.environ.get("ANTHROPIC_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #022a1228b3d17d22 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/_client.py:97
            auth_token = os.environ.get("ANTHROPIC_AUTH_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ba54ebd46840fa03 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/_client.py:101
            base_url = os.environ.get("ANTHROPIC_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c592c108d980b59a Environment-variable access.
pkgs/python/[email protected]/src/anthropic/_client.py:333
            api_key = os.environ.get("ANTHROPIC_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef7630f52d41e0dd Environment-variable access.
pkgs/python/[email protected]/src/anthropic/_client.py:337
            auth_token = os.environ.get("ANTHROPIC_AUTH_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4e9949d890e886a5 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/_client.py:341
            base_url = os.environ.get("ANTHROPIC_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3507236daaa97996 Filesystem access.
pkgs/python/[email protected]/src/anthropic/_files.py:67
            return (path.name, path.read_bytes())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2dfe8460a947c243 Filesystem access.
pkgs/python/[email protected]/src/anthropic/_files.py:79
        return pathlib.Path(file).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #96f26b0f1f9982e7 Filesystem access.
pkgs/python/[email protected]/src/anthropic/_files.py:109
            return (path.name, await path.read_bytes())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #75227f77fd6c2550 Filesystem access.
pkgs/python/[email protected]/src/anthropic/_files.py:121
        return await anyio.Path(file).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8a3689272846b7db Filesystem access.
pkgs/python/[email protected]/src/anthropic/_legacy_response.py:464
        with open(file, mode="wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #37cc3298a4689fe9 Filesystem access.
pkgs/python/[email protected]/src/anthropic/_legacy_response.py:477
        with open(file, mode="wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1dabc8a4a6f07d68 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/_models.py:110
            extra="allow", defer_build=coerce_boolean(os.environ.get("DEFER_PYDANTIC_BUILD", "true"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #668f919b3a04b782 Filesystem access.
pkgs/python/[email protected]/src/anthropic/_response.py:537
        with open(file, mode="wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #666d342fc3df00fa Filesystem access.
pkgs/python/[email protected]/src/anthropic/_response.py:579
        with open(file, mode="wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa394786659122f5 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/_utils/_logs.py:17
    env = os.environ.get("ANTHROPIC_LOG")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4b5eb7cb5ccac858 Filesystem access.
pkgs/python/[email protected]/src/anthropic/_utils/_transform.py:248
            binary = data.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b73c7449a2f0fbb6 Filesystem access.
pkgs/python/[email protected]/src/anthropic/_utils/_transform.py:414
            binary = await anyio.Path(data).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ce8fb09fd4882853 Filesystem access.
pkgs/python/[email protected]/src/anthropic/_utils/_utils.py:367
    contents = Path(path).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f13688e7f8a85aa2 Filesystem access.
pkgs/python/[email protected]/src/anthropic/lib/_files.py:25
        files.append((path.relative_to(relative_to).as_posix(), path.read_bytes()))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5e1671b0d3a8678f Filesystem access.
pkgs/python/[email protected]/src/anthropic/lib/_files.py:42
        files.append((path.relative_to(relative_to).as_posix(), await path.read_bytes()))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #83b5ef7d4dad2740 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/bedrock/_client.py:75
    aws_region = os.environ.get("AWS_REGION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #504aafe2222821fc Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/bedrock/_client.py:170
            base_url = os.environ.get("ANTHROPIC_BEDROCK_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #db180f91f7dd6e2e Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/bedrock/_client.py:312
            base_url = os.environ.get("ANTHROPIC_BEDROCK_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ed84c9e390c52bcf Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/foundry.py:146
        api_key = api_key if api_key is not None else os.environ.get("ANTHROPIC_FOUNDRY_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b52246529e44344d Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/foundry.py:147
        resource = resource if resource is not None else os.environ.get("ANTHROPIC_FOUNDRY_RESOURCE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5cd1fb8901b5fb5b Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/foundry.py:148
        base_url = base_url if base_url is not None else os.environ.get("ANTHROPIC_FOUNDRY_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d6365eb8140e81fb Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/foundry.py:323
        api_key = api_key if api_key is not None else os.environ.get("ANTHROPIC_FOUNDRY_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #be0ab1672b8d6982 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/foundry.py:324
        resource = resource if resource is not None else os.environ.get("ANTHROPIC_FOUNDRY_RESOURCE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #58002724c1046512 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/foundry.py:325
        base_url = base_url if base_url is not None else os.environ.get("ANTHROPIC_FOUNDRY_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #803519893b083490 Filesystem access.
pkgs/python/[email protected]/src/anthropic/lib/tools/_beta_builtin_memory_tool.py:316
        return full_path.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #07fbe103c6639f39 Filesystem access.
pkgs/python/[email protected]/src/anthropic/lib/tools/_beta_builtin_memory_tool.py:609
        return await full_path.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2123096a48ce084f Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/vertex/_client.py:44
        project_id = os.environ.get("ANTHROPIC_VERTEX_PROJECT_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #975838536c1dc6fc Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/vertex/_client.py:111
            region = os.environ.get("CLOUD_ML_REGION", NOT_GIVEN)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b792bd743b060bd0 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/vertex/_client.py:118
            base_url = os.environ.get("ANTHROPIC_VERTEX_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #36a8b55d77ebbc55 Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/vertex/_client.py:256
            region = os.environ.get("CLOUD_ML_REGION", NOT_GIVEN)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #572689f538afb0ba Environment-variable access.
pkgs/python/[email protected]/src/anthropic/lib/vertex/_client.py:263
            base_url = os.environ.get("ANTHROPIC_VERTEX_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

authlib

python dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #20e39231a2e11e06 Environment-variable access.
pkgs/python/[email protected]/authlib/common/security.py:15
    if os.getenv("AUTHLIB_INSECURE_TRANSPORT"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

azure-ai-documentintelligence

python dependency
expand_more 212 low-confidence finding(s)
low env_fs dependency Excluded from app score #c318b0a926bc344f Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_addon_barcodes_async.py:65
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #40fac86584f8a9db Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_addon_barcodes_async.py:66
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #20fa186c7990edd2 Filesystem access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_addon_barcodes_async.py:72
        with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #44f58a07bb9c1175 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_addon_fonts_async.py:67
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #21b154ce79cb30e4 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_addon_fonts_async.py:68
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d0f0ccd04c0a7ed7 Filesystem access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_addon_fonts_async.py:73
        with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9db0eb487e0796df Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_addon_formulas_async.py:65
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0911b7a9f211a11d Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_addon_formulas_async.py:66
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #928368344b31b893 Filesystem access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_addon_formulas_async.py:72
        with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5583d0804f6d8675 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_addon_highres_async.py:80
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a81e03e9113ecbf1 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_addon_highres_async.py:81
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #42ea9b02c2fa9432 Filesystem access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_addon_highres_async.py:87
        with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #10864ce9bd5cf325 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_addon_languages_async.py:59
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #564ec23527e2c316 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_addon_languages_async.py:60
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9d034d41b2af279b Filesystem access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_addon_languages_async.py:66
        with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #37a1c279d649ebba Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_addon_query_fields_async.py:51
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9249d94dcfb8b7f4 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_addon_query_fields_async.py:52
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4ff49d5681587485 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_batch_documents_async.py:53
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0bd3ab091912cfb7 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_batch_documents_async.py:54
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef780e0215b0ab9b Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_batch_documents_async.py:55
    result_container_sas_url = os.environ["RESULT_CONTAINER_SAS_URL"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d9a80e12bb12fd51 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_batch_documents_async.py:56
    batch_training_data_container_sas_url = os.environ["TRAINING_DATA_CONTAINER_SAS_URL"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eaa96b84bc6a10bc Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_custom_documents_async.py:65
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b077489ff9ccdbc Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_custom_documents_async.py:66
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1468ae7001b5c293 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_custom_documents_async.py:67
    model_id = os.getenv("CUSTOM_BUILT_MODEL_ID", custom_model_id)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6bb1c503f0f1fe61 Filesystem access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_custom_documents_async.py:72
    with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c244e77c08a8eaf6 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_custom_documents_async.py:153
    if os.getenv("DOCUMENTINTELLIGENCE_STORAGE_ADVANCED_CONTAINER_SAS_URL") and not os.getenv("CUSTOM_BUILT_MODEL_ID"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5ec6a6b0dec8a1cf Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_custom_documents_async.py:163
        endpoint = os.getenv("DOCUMENTINTELLIGENCE_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #57fe80df5bc7c7ed Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_custom_documents_async.py:164
        key = os.getenv("DOCUMENTINTELLIGENCE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5cb2adea5beffb51 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_custom_documents_async.py:169
        blob_container_sas_url = os.getenv("DOCUMENTINTELLIGENCE_STORAGE_ADVANCED_CONTAINER_SAS_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #71ba6a6623523741 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_custom_documents_async.py:170
        blob_prefix = os.getenv("DOCUMENTINTELLIGENCE_STORAGE_PREFIX")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #53107b95fbd98650 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_documents_output_in_markdown_async.py:32
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #892bcb830d98cbe7 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_documents_output_in_markdown_async.py:33
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a0f36d3e46d66f44 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_general_documents_async.py:69
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c750e95553327b6b Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_general_documents_async.py:70
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5afc355ca213cad8 Filesystem access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_general_documents_async.py:74
        with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e42429bbb99ca498 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_identity_documents_async.py:44
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9eb2827906a099cb Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_identity_documents_async.py:45
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8345c75cf1b1659e Filesystem access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_identity_documents_async.py:49
        with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #21afa74dbbd36c33 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_invoices_async.py:44
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3917c2c9eb248d47 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_invoices_async.py:45
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c26692c4f085e572 Filesystem access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_invoices_async.py:49
        with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f0b42a0e4a8d7a53 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_invoices_from_bytes_source_async.py:44
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6cc965b1711dfe5c Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_invoices_from_bytes_source_async.py:45
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #54843e91714c6369 Filesystem access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_invoices_from_bytes_source_async.py:49
        with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5e2d8aa941784f48 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_layout_async.py:73
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8e419f87b873a8d9 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_layout_async.py:74
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9f3bdef720df7d3b Filesystem access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_layout_async.py:78
        with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0bd130a797956b27 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_read_async.py:69
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #02bca38a1f88ff49 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_read_async.py:70
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d76d5effd316becf Filesystem access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_read_async.py:74
        with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cc983ef62aefd638 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_receipts_async.py:51
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9a4d74889785dbf7 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_receipts_async.py:52
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1ab413c55172561f Filesystem access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_receipts_async.py:56
        with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e3a611cd63e5a597 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_receipts_from_url_async.py:40
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f0aee20832039f25 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_receipts_from_url_async.py:41
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #01d230663cb5af63 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_result_figures_async.py:44
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #06a2e2697c0f63b1 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_result_figures_async.py:45
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #50b34c69ba114a9b Filesystem access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_result_figures_async.py:50
        with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a9a7d4f4ec667816 Filesystem access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_result_figures_async.py:65
                    with open(f"{figure.id}_async.png", "wb") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ecf46bbb1ae61d4b Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_result_pdf_async.py:44
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #14d101ca538c19ed Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_result_pdf_async.py:45
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9d47a717d2c77658 Filesystem access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_result_pdf_async.py:50
        with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bfc05417198a8346 Filesystem access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_result_pdf_async.py:62
        with open("async_analyze_result.pdf", "wb") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #352e06654629f2cd Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_tax_us_w2_async.py:48
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4c1a0eae2a254f44 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_tax_us_w2_async.py:49
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7b257bd8a33a26f4 Filesystem access.
pkgs/python/[email protected]/samples/async_samples/sample_analyze_tax_us_w2_async.py:53
        with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7306eea55e808027 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_classify_document_async.py:49
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8457316150ea186b Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_classify_document_async.py:50
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f1651e6679fe4e92 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_classify_document_async.py:51
    classifier_id = os.getenv("CLASSIFIER_ID", classifier_id)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9efc14045798eb60 Filesystem access.
pkgs/python/[email protected]/samples/async_samples/sample_classify_document_async.py:55
        with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #be6fb00b25615e2a Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_classify_document_async.py:71
    if os.getenv("DOCUMENTINTELLIGENCE_TRAINING_DATA_CLASSIFIER_SAS_URL") and not os.getenv("CUSTOM_BUILT_MODEL_ID"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bc07c5d17d670bbe Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_classify_document_async.py:81
        endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bafdf1c84f86a176 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_classify_document_async.py:82
        key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cccf1abd8819218e Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_classify_document_async.py:83
        blob_container_sas_url = os.environ["DOCUMENTINTELLIGENCE_TRAINING_DATA_CLASSIFIER_SAS_URL"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #12988a892f079222 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_compose_model_async.py:55
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4e4e475f7dc8d221 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_compose_model_async.py:56
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7a4ab9575a693b4f Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_compose_model_async.py:57
    container_sas_url = os.environ["DOCUMENTINTELLIGENCE_STORAGE_CONTAINER_SAS_URL"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #67a9b8eb2e6b44cc Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_compose_model_async.py:138
    if os.getenv("DOCUMENTINTELLIGENCE_TRAINING_DATA_CLASSIFIER_SAS_URL") and not os.getenv("CUSTOM_BUILT_MODEL_ID"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7cbfdec1a258f323 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_compose_model_async.py:148
        endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #550013e7e7041cab Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_compose_model_async.py:149
        key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8e133e9107d2d035 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_compose_model_async.py:150
        blob_container_sas_url = os.environ["DOCUMENTINTELLIGENCE_TRAINING_DATA_CLASSIFIER_SAS_URL"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5b325cf638dd7fe5 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_convert_to_and_from_dict_async.py:44
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #acbe6ce52e5e7d2a Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_convert_to_and_from_dict_async.py:45
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dd78983a47901839 Filesystem access.
pkgs/python/[email protected]/samples/async_samples/sample_convert_to_and_from_dict_async.py:49
        with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #00ed92e46d590cc2 Filesystem access.
pkgs/python/[email protected]/samples/async_samples/sample_convert_to_and_from_dict_async.py:57
    with open("data.json", "w") as output_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b16848331baa0ee1 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_copy_model_to_async.py:40
    source_endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e1782a869bf993a0 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_copy_model_to_async.py:41
    source_key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e923e46d6bfdfb59 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_copy_model_to_async.py:42
    target_endpoint = os.environ["DOCUMENTINTELLIGENCE_TARGET_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c3f23fd59db4c052 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_copy_model_to_async.py:43
    target_key = os.environ["DOCUMENTINTELLIGENCE_TARGET_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2325b3bed2e77cee Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_copy_model_to_async.py:44
    source_model_id = os.getenv("AZURE_SOURCE_MODEL_ID", custom_model_id)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1093fc76978784f2 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_copy_model_to_async.py:90
    if os.getenv("DOCUMENTINTELLIGENCE_STORAGE_CONTAINER_SAS_URL") and not os.getenv("CUSTOM_BUILT_MODEL_ID"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d3d0746f8f6d4f7f Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_copy_model_to_async.py:100
        endpoint = os.getenv("DOCUMENTINTELLIGENCE_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2a953604e24a3118 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_copy_model_to_async.py:101
        key = os.getenv("DOCUMENTINTELLIGENCE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8d4cc8f9bf2cd78b Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_copy_model_to_async.py:106
        blob_container_sas_url = os.getenv("DOCUMENTINTELLIGENCE_STORAGE_CONTAINER_SAS_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #581bad829f3cf11b Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_get_raw_response_async.py:30
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #729b27f4fca58561 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_get_raw_response_async.py:31
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f347ed81d3e82a35 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_manage_classifiers_async.py:40
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e9e99e6dbb459f1c Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_manage_classifiers_async.py:41
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a28d0ef1a241476a Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_manage_classifiers_async.py:42
    container_sas_url = os.environ["DOCUMENTINTELLIGENCE_TRAINING_DATA_CLASSIFIER_SAS_URL"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #faee8cb6a1202a34 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_manage_models_async.py:41
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b37cab6069a6cb1c Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_manage_models_async.py:42
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #426d4fb4e228997f Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_manage_models_async.py:43
    container_sas_url = os.environ["DOCUMENTINTELLIGENCE_STORAGE_CONTAINER_SAS_URL"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ea9d1cbd2b9f8c5d Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_send_request_async.py:31
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4bf1cc99b7278682 Environment-variable access.
pkgs/python/[email protected]/samples/async_samples/sample_send_request_async.py:32
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5ba1db68c5cb9d74 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_addon_barcodes.py:58
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4aa709145d4372f3 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_addon_barcodes.py:59
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c240823ef3ae954b Filesystem access.
pkgs/python/[email protected]/samples/sample_analyze_addon_barcodes.py:64
    with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #37d39b5a08dd22f6 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_addon_fonts.py:65
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5e9dbbd5a7237df4 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_addon_fonts.py:66
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1e375183f997ef80 Filesystem access.
pkgs/python/[email protected]/samples/sample_analyze_addon_fonts.py:70
    with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #71b1400ceda71915 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_addon_formulas.py:63
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a7421d43755b3037 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_addon_formulas.py:64
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #39c9c1249295afe0 Filesystem access.
pkgs/python/[email protected]/samples/sample_analyze_addon_formulas.py:69
    with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #51080224fd432914 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_addon_highres.py:69
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f611b04d932fdb3e Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_addon_highres.py:70
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dd256d227a81760c Filesystem access.
pkgs/python/[email protected]/samples/sample_analyze_addon_highres.py:75
    with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #659e64e05ee43987 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_addon_languages.py:58
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #28779655758b087e Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_addon_languages.py:59
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1ad03a10f6fdaaa6 Filesystem access.
pkgs/python/[email protected]/samples/sample_analyze_addon_languages.py:64
    with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #676bb9def14429ed Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_addon_query_fields.py:51
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #03a22266b5e5c293 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_addon_query_fields.py:52
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8339187cb07a63f2 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_batch_documents.py:52
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #37728403f703b0a8 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_batch_documents.py:53
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f858ab8ce2f8b3a6 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_batch_documents.py:54
    result_container_sas_url = os.environ["RESULT_CONTAINER_SAS_URL"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6c5347db8c282f31 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_batch_documents.py:55
    batch_training_data_container_sas_url = os.environ["TRAINING_DATA_CONTAINER_SAS_URL"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #edeaf5808f266b65 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_custom_documents.py:64
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f50ede992de91001 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_custom_documents.py:65
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7ce765f596d3a161 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_custom_documents.py:66
    model_id = os.getenv("CUSTOM_BUILT_MODEL_ID", custom_model_id)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #54cc060e2353b3d6 Filesystem access.
pkgs/python/[email protected]/samples/sample_analyze_custom_documents.py:71
    with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a4c1aaebaed52813 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_custom_documents.py:162
        if os.getenv("DOCUMENTINTELLIGENCE_STORAGE_ADVANCED_CONTAINER_SAS_URL") and not os.getenv(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f904008265102571 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_custom_documents.py:162
        if os.getenv("DOCUMENTINTELLIGENCE_STORAGE_ADVANCED_CONTAINER_SAS_URL") and not os.getenv(
            "CUSTOM_BUILT_MODEL_ID"
        ):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #045e13eed27f7a9f Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_custom_documents.py:174
            endpoint = os.getenv("DOCUMENTINTELLIGENCE_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b65818fc1061d810 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_custom_documents.py:175
            key = os.getenv("DOCUMENTINTELLIGENCE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3f798c97d1d76de1 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_custom_documents.py:183
            blob_container_sas_url = os.getenv("DOCUMENTINTELLIGENCE_STORAGE_ADVANCED_CONTAINER_SAS_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c8a907a5cc8f462d Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_custom_documents.py:184
            blob_prefix = os.getenv("DOCUMENTINTELLIGENCE_STORAGE_PREFIX")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5c527cced0e7bfe2 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_documents_output_in_markdown.py:32
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #82c2f2ba3713aae4 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_documents_output_in_markdown.py:33
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c8d462dca734012 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_general_documents.py:59
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #48438f0ce088cfc7 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_general_documents.py:60
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #546899f8445c42a4 Filesystem access.
pkgs/python/[email protected]/samples/sample_analyze_general_documents.py:63
    with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9cdfd4ff6cb1d0bf Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_identity_documents.py:42
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e9239b53ea052ca2 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_identity_documents.py:43
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #79026457766ae69c Filesystem access.
pkgs/python/[email protected]/samples/sample_analyze_identity_documents.py:46
    with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4162d08e86c17390 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_invoices.py:43
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #04d2298370211ebb Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_invoices.py:44
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ed64e1138112dafd Filesystem access.
pkgs/python/[email protected]/samples/sample_analyze_invoices.py:47
    with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5f2898fc17ec4e98 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_invoices_from_bytes_source.py:42
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ea8243c06a2ef3d9 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_invoices_from_bytes_source.py:43
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #70091591c2dc6d5e Filesystem access.
pkgs/python/[email protected]/samples/sample_analyze_invoices_from_bytes_source.py:46
    with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eba8188931e6d385 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_layout.py:56
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #73e394c89fa6a395 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_layout.py:57
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #285175c3c56a01cd Filesystem access.
pkgs/python/[email protected]/samples/sample_analyze_layout.py:60
    with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b4ec4bed15e9a47e Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_read.py:67
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1cc18c8c7817e7fe Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_read.py:68
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9a9ee2e130074e58 Filesystem access.
pkgs/python/[email protected]/samples/sample_analyze_read.py:71
    with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7d3f15d5e37b1370 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_receipts.py:49
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7eb22951ecc765bb Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_receipts.py:50
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b047e667423a88c2 Filesystem access.
pkgs/python/[email protected]/samples/sample_analyze_receipts.py:53
    with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dafab23af1033390 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_receipts_from_url.py:40
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7b1c73f1c8510f9e Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_receipts_from_url.py:41
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb4fe60c09a1bdeb Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_result_figures.py:43
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1ec0bf776347315c Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_result_figures.py:44
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #76090b2f49198d86 Filesystem access.
pkgs/python/[email protected]/samples/sample_analyze_result_figures.py:48
    with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f4126a49ff071998 Filesystem access.
pkgs/python/[email protected]/samples/sample_analyze_result_figures.py:63
                with open(f"{figure.id}.png", "wb") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8d85392213e3492b Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_result_pdf.py:43
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #692fe491f4722dd0 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_result_pdf.py:44
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6b51352024c0c7f8 Filesystem access.
pkgs/python/[email protected]/samples/sample_analyze_result_pdf.py:48
    with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cc19d33646c4b145 Filesystem access.
pkgs/python/[email protected]/samples/sample_analyze_result_pdf.py:58
    with open("analyze_result.pdf", "wb") as writer:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7530b1c366738add Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_tax_us_w2.py:46
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fef3b70c77acbb13 Environment-variable access.
pkgs/python/[email protected]/samples/sample_analyze_tax_us_w2.py:47
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4ec1d0d9d34125b7 Filesystem access.
pkgs/python/[email protected]/samples/sample_analyze_tax_us_w2.py:50
    with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fdc6f03b5f4ea5d5 Environment-variable access.
pkgs/python/[email protected]/samples/sample_classify_document.py:48
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #546f672593e580a3 Environment-variable access.
pkgs/python/[email protected]/samples/sample_classify_document.py:49
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c74905730d42ff82 Environment-variable access.
pkgs/python/[email protected]/samples/sample_classify_document.py:50
    classifier_id = os.getenv("CLASSIFIER_ID", classifier_id)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fa4bdf6b9b03ba16 Filesystem access.
pkgs/python/[email protected]/samples/sample_classify_document.py:53
    with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #824bdf10c3ba0cd7 Environment-variable access.
pkgs/python/[email protected]/samples/sample_classify_document.py:76
        if os.getenv("DOCUMENTINTELLIGENCE_TRAINING_DATA_CLASSIFIER_SAS_URL") and not os.getenv("CLASSIFIER_ID"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #67dd5cb371e73116 Environment-variable access.
pkgs/python/[email protected]/samples/sample_classify_document.py:85
            endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa6317a9c679ed53 Environment-variable access.
pkgs/python/[email protected]/samples/sample_classify_document.py:86
            key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6a9f64e9e70bf959 Environment-variable access.
pkgs/python/[email protected]/samples/sample_classify_document.py:87
            blob_container_sas_url = os.environ["DOCUMENTINTELLIGENCE_TRAINING_DATA_CLASSIFIER_SAS_URL"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6d3c53ae32706318 Environment-variable access.
pkgs/python/[email protected]/samples/sample_compose_model.py:55
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #24185207541488d9 Environment-variable access.
pkgs/python/[email protected]/samples/sample_compose_model.py:56
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #65bc624fcad59be7 Environment-variable access.
pkgs/python/[email protected]/samples/sample_compose_model.py:57
    container_sas_url = os.environ["DOCUMENTINTELLIGENCE_STORAGE_CONTAINER_SAS_URL"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fbbb739ce660853f Environment-variable access.
pkgs/python/[email protected]/samples/sample_compose_model.py:58
    classifier_id = os.getenv("CLASSIFIER_ID", classifier_id)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #759a509dd3bca1a9 Environment-variable access.
pkgs/python/[email protected]/samples/sample_compose_model.py:145
        if os.getenv("DOCUMENTINTELLIGENCE_TRAINING_DATA_CLASSIFIER_SAS_URL") and not os.getenv("CLASSIFIER_ID"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7ac263fb56a42363 Environment-variable access.
pkgs/python/[email protected]/samples/sample_compose_model.py:154
            endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c5c3687818bdc10c Environment-variable access.
pkgs/python/[email protected]/samples/sample_compose_model.py:155
            key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #963889b547b0581f Environment-variable access.
pkgs/python/[email protected]/samples/sample_compose_model.py:156
            blob_container_sas_url = os.environ["DOCUMENTINTELLIGENCE_TRAINING_DATA_CLASSIFIER_SAS_URL"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e5d13a58fff9f615 Environment-variable access.
pkgs/python/[email protected]/samples/sample_convert_to_and_from_dict.py:43
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f5435efac1614544 Environment-variable access.
pkgs/python/[email protected]/samples/sample_convert_to_and_from_dict.py:44
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #72f1fd6b121d984f Filesystem access.
pkgs/python/[email protected]/samples/sample_convert_to_and_from_dict.py:47
    with open(path_to_sample_documents, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d6a8877622482c49 Filesystem access.
pkgs/python/[email protected]/samples/sample_convert_to_and_from_dict.py:55
    with open("data.json", "w") as output_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1a12f7883d6f84c7 Environment-variable access.
pkgs/python/[email protected]/samples/sample_copy_model_to.py:40
    source_endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #09fb70c0d108c270 Environment-variable access.
pkgs/python/[email protected]/samples/sample_copy_model_to.py:41
    source_key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #80eb723bcc34de90 Environment-variable access.
pkgs/python/[email protected]/samples/sample_copy_model_to.py:42
    target_endpoint = os.environ["DOCUMENTINTELLIGENCE_TARGET_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ca587b923eaf0c34 Environment-variable access.
pkgs/python/[email protected]/samples/sample_copy_model_to.py:43
    target_key = os.environ["DOCUMENTINTELLIGENCE_TARGET_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9bf788adb5399417 Environment-variable access.
pkgs/python/[email protected]/samples/sample_copy_model_to.py:44
    source_model_id = os.getenv("AZURE_SOURCE_MODEL_ID", custom_model_id)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d0fc4cf3760959b9 Environment-variable access.
pkgs/python/[email protected]/samples/sample_copy_model_to.py:94
        if os.getenv("DOCUMENTINTELLIGENCE_STORAGE_CONTAINER_SAS_URL") and not os.getenv("AZURE_SOURCE_MODEL_ID"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #be815b0551612448 Environment-variable access.
pkgs/python/[email protected]/samples/sample_copy_model_to.py:104
            endpoint = os.getenv("DOCUMENTINTELLIGENCE_ENDPOINT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #13d7409f391c5ca6 Environment-variable access.
pkgs/python/[email protected]/samples/sample_copy_model_to.py:105
            key = os.getenv("DOCUMENTINTELLIGENCE_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa782f535c663bd3 Environment-variable access.
pkgs/python/[email protected]/samples/sample_copy_model_to.py:113
            blob_container_sas_url = os.getenv("DOCUMENTINTELLIGENCE_STORAGE_CONTAINER_SAS_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5d719ee1807df99a Environment-variable access.
pkgs/python/[email protected]/samples/sample_get_raw_response.py:30
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #18b60ca31f470f60 Environment-variable access.
pkgs/python/[email protected]/samples/sample_get_raw_response.py:31
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e7edd7ef2b8dec02 Environment-variable access.
pkgs/python/[email protected]/samples/sample_manage_classifiers.py:40
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3c1bf02e9c527aff Environment-variable access.
pkgs/python/[email protected]/samples/sample_manage_classifiers.py:41
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5b333de9aece1024 Environment-variable access.
pkgs/python/[email protected]/samples/sample_manage_classifiers.py:42
    container_sas_url = os.environ["DOCUMENTINTELLIGENCE_TRAINING_DATA_CLASSIFIER_SAS_URL"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #41c53e23104f2d60 Environment-variable access.
pkgs/python/[email protected]/samples/sample_manage_models.py:41
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9bba81e4e72d1a22 Environment-variable access.
pkgs/python/[email protected]/samples/sample_manage_models.py:42
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5bffe396879c035e Environment-variable access.
pkgs/python/[email protected]/samples/sample_manage_models.py:43
    container_sas_url = os.environ["DOCUMENTINTELLIGENCE_STORAGE_CONTAINER_SAS_URL"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4b096f29f6edf8ae Environment-variable access.
pkgs/python/[email protected]/samples/sample_send_request.py:31
    endpoint = os.environ["DOCUMENTINTELLIGENCE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f0fc3a1b030b6932 Environment-variable access.
pkgs/python/[email protected]/samples/sample_send_request.py:32
    key = os.environ["DOCUMENTINTELLIGENCE_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ba151a9f77388437 Filesystem access.
pkgs/python/[email protected]/setup.py:22
with open(os.path.join(package_folder_path, "_version.py"), "r") as fd:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #503b2805e41f5274 Filesystem access.
pkgs/python/[email protected]/setup.py:33
    long_description=open("README.md", "r").read(),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

azure-identity

python dependency
expand_more 105 low-confidence finding(s)
low env_fs dependency Excluded from app score #9821ce74f8f407b0 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/app_service.py:22
    url = os.environ.get(EnvironmentVariables.IDENTITY_ENDPOINT)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c98e218de96f8bfc Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/app_service.py:23
    secret = os.environ.get(EnvironmentVariables.IDENTITY_HEADER)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c832cbb639cd5df1 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/azd_cli.py:239
        path = os.environ.get("SYSTEMROOT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a0259157ffc02f38 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/azd_cli.py:322
            "env": dict(os.environ, NO_COLOR="true"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ed9d6b8b50a851d3 Filesystem access.
pkgs/python/[email protected]/azure/identity/_credentials/azure_arc.py:52
    with open(key_file, "r", encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d6218243e641f582 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/azure_arc.py:74
        program_data_path = os.environ.get("PROGRAMDATA")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c0a31bfc341a9cb7 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/azure_cli.py:240
        path = os.environ.get("SYSTEMROOT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #27d555d8cfbf8bb5 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/azure_cli.py:278
            "env": dict(os.environ, AZURE_CORE_NO_COLOR="true"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b2f68c5a3999a44c Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/azure_ml.py:23
    url = os.environ.get(EnvironmentVariables.MSI_ENDPOINT)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6c1898d4dfc2bdd2 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/azure_ml.py:24
    secret = os.environ.get(EnvironmentVariables.MSI_SECRET)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7f9926029b316786 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/azure_pipelines.py:25
    base_uri = os.environ[SYSTEM_OIDCREQUESTURI].rstrip("/")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ba971cf96d0cde56 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/azure_pipelines.py:37
    if SYSTEM_OIDCREQUESTURI not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #890fae6a46c81f45 Filesystem access.
pkgs/python/[email protected]/azure/identity/_credentials/certificate.py:149
        with open(certificate_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #22eb716bda020bcc Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/cloud_shell.py:34
        url = os.environ.get(EnvironmentVariables.MSI_ENDPOINT)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9c6a20fb9a24cbda Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/default.py:154
            "interactive_browser_tenant_id", os.environ.get(EnvironmentVariables.AZURE_TENANT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8b08fd12754c952f Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/default.py:158
            "managed_identity_client_id", os.environ.get(EnvironmentVariables.AZURE_CLIENT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0082e32f55fb938d Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/default.py:162
            "workload_identity_tenant_id", os.environ.get(EnvironmentVariables.AZURE_TENANT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #894bdee436fafdcf Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/default.py:166
        broker_tenant_id = kwargs.pop("broker_tenant_id", os.environ.get(EnvironmentVariables.AZURE_TENANT_ID))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #03094e704b800231 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/default.py:169
        shared_cache_username = kwargs.pop("shared_cache_username", os.environ.get(EnvironmentVariables.AZURE_USERNAME))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6d5396185e5f8450 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/default.py:171
            "shared_cache_tenant_id", os.environ.get(EnvironmentVariables.AZURE_TENANT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a5c782cdeec4f829 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/default.py:176
        token_credentials_env = os.environ.get(EnvironmentVariables.AZURE_TOKEN_CREDENTIALS, "").strip().lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5a00bd5c40d4d87b Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/default.py:268
                        token_file_path=os.environ.get(EnvironmentVariables.AZURE_FEDERATED_TOKEN_FILE),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb8e198fe9d518f9 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/environment.py:63
        if all(os.environ.get(v) is not None for v in EnvironmentVariables.CLIENT_SECRET_VARS):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d4344505a7f7f9a8 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/environment.py:65
                client_id=os.environ[EnvironmentVariables.AZURE_CLIENT_ID],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9642730a82387095 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/environment.py:66
                client_secret=os.environ[EnvironmentVariables.AZURE_CLIENT_SECRET],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #284b5bc84d4edd47 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/environment.py:67
                tenant_id=os.environ[EnvironmentVariables.AZURE_TENANT_ID],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #60acfa19a1dae94e Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/environment.py:70
        elif all(os.environ.get(v) is not None for v in EnvironmentVariables.CERT_VARS):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3935c28aa22808a3 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/environment.py:72
                client_id=os.environ[EnvironmentVariables.AZURE_CLIENT_ID],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8a4b37f8057d9a72 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/environment.py:73
                tenant_id=os.environ[EnvironmentVariables.AZURE_TENANT_ID],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cf82bbc0a2e73de1 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/environment.py:74
                certificate_path=os.environ[EnvironmentVariables.AZURE_CLIENT_CERTIFICATE_PATH],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b17529d1c9be2a6e Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/environment.py:75
                password=os.environ.get(EnvironmentVariables.AZURE_CLIENT_CERTIFICATE_PASSWORD),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1692eb18b299c951 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/environment.py:77
                    os.environ.get(EnvironmentVariables.AZURE_CLIENT_SEND_CERTIFICATE_CHAIN, False)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1872153252e1dba7 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/environment.py:81
        elif all(os.environ.get(v) is not None for v in EnvironmentVariables.USERNAME_PASSWORD_VARS):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b28079d4fe878683 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/environment.py:83
                client_id=os.environ[EnvironmentVariables.AZURE_CLIENT_ID],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d0c548f954475894 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/environment.py:84
                username=os.environ[EnvironmentVariables.AZURE_USERNAME],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d4c39afc03daac84 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/environment.py:85
                password=os.environ[EnvironmentVariables.AZURE_PASSWORD],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f801fee4fafb9e68 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/environment.py:86
                tenant_id=os.environ.get(EnvironmentVariables.AZURE_TENANT_ID),  # optional for username/password auth

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #62039e8da2c9d459 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/environment.py:106
            set_variables = [v for v in expected_variables if v in os.environ]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7ea339045a70f983 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/imds.py:60
        os.environ.get(EnvironmentVariables.AZURE_POD_IDENTITY_AUTHORITY_HOST, IMDS_AUTHORITY).strip("/")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5850358e5d654831 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/imds.py:90
        if EnvironmentVariables.AZURE_POD_IDENTITY_AUTHORITY_HOST in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #142f4a046072f10a Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/managed_identity.py:82
        if os.environ.get(EnvironmentVariables.IDENTITY_ENDPOINT):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0152e6fb7f1b3950 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/managed_identity.py:83
            if os.environ.get(EnvironmentVariables.IDENTITY_HEADER):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e18b6bc18c90f03a Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/managed_identity.py:84
                if os.environ.get(EnvironmentVariables.IDENTITY_SERVER_THUMBPRINT):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2efc135ed0857f9d Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/managed_identity.py:98
            elif os.environ.get(EnvironmentVariables.IMDS_ENDPOINT):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d57233d9b5c28941 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/managed_identity.py:103
        elif os.environ.get(EnvironmentVariables.MSI_ENDPOINT):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #08e59dbabc1d0e4f Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/managed_identity.py:104
            if os.environ.get(EnvironmentVariables.MSI_SECRET):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5f1db470cf91e071 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/managed_identity.py:115
            all(os.environ.get(var) for var in EnvironmentVariables.WORKLOAD_IDENTITY_VARS)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8e4be70eeef8e42a Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/managed_identity.py:120
            workload_client_id = client_id or os.environ.get(EnvironmentVariables.AZURE_CLIENT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bf2c1a1b38498e68 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/managed_identity.py:131
                tenant_id=os.environ[EnvironmentVariables.AZURE_TENANT_ID],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c416d4d44d486e7a Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/managed_identity.py:133
                token_file_path=os.environ[EnvironmentVariables.AZURE_FEDERATED_TOKEN_FILE],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #82a8bce8da2572c4 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/service_fabric.py:42
    url = os.environ.get(EnvironmentVariables.IDENTITY_ENDPOINT)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8d1d3ffe20369090 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/service_fabric.py:43
    secret = os.environ.get(EnvironmentVariables.IDENTITY_HEADER)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7835c5026c8a1d51 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/service_fabric.py:44
    thumbprint = os.environ.get(EnvironmentVariables.IDENTITY_SERVER_THUMBPRINT)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #330e88687f5aea82 Filesystem access.
pkgs/python/[email protected]/azure/identity/_credentials/vscode.py:50
            with open(expanded_path, "r", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e7fcfb7a61ca705 Filesystem access.
pkgs/python/[email protected]/azure/identity/_credentials/workload_identity.py:33
            with open(self._token_file_path, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3bcd4a47fc251cbd Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/workload_identity.py:79
        tenant_id = tenant_id or os.environ.get(EnvironmentVariables.AZURE_TENANT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6c8004ed958376b2 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/workload_identity.py:80
        client_id = client_id or os.environ.get(EnvironmentVariables.AZURE_CLIENT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #763be3adf8732ecf Environment-variable access.
pkgs/python/[email protected]/azure/identity/_credentials/workload_identity.py:81
        token_file_path = token_file_path or os.environ.get(EnvironmentVariables.AZURE_FEDERATED_TOKEN_FILE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7f50fea6dce60230 Environment-variable access.
pkgs/python/[email protected]/azure/identity/_internal/msal_credentials.py:39
        self._regional_authority = os.environ.get(EnvironmentVariables.AZURE_REGIONAL_AUTHORITY_NAME)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #88f15a3cf80792da Environment-variable access.
pkgs/python/[email protected]/azure/identity/_internal/utils.py:90
    authority = os.environ.get(EnvironmentVariables.AZURE_AUTHORITY_HOST, KnownAuthorities.AZURE_PUBLIC_CLOUD)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #127d5752d0fc468d Environment-variable access.
pkgs/python/[email protected]/azure/identity/_internal/utils.py:151
    if default_tenant == "adfs" or os.environ.get(EnvironmentVariables.AZURE_IDENTITY_DISABLE_MULTITENANTAUTH):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #204b82dcf7e9d55c Environment-variable access.
pkgs/python/[email protected]/azure/identity/_internal/utils.py:207
    token_credentials_env = os.environ.get(EnvironmentVariables.AZURE_TOKEN_CREDENTIALS, "").strip().lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #db12520f51dc219b Environment-variable access.
pkgs/python/[email protected]/azure/identity/_persistent_cache.py:88
    if sys.platform.startswith("win") and "LOCALAPPDATA" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c5938c1bbb770e7d Environment-variable access.
pkgs/python/[email protected]/azure/identity/_persistent_cache.py:89
        cache_location = os.path.join(os.environ["LOCALAPPDATA"], ".IdentityService", cache_name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1711426c29b5326f Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/azd_cli.py:221
            env=dict(os.environ, NO_COLOR="true"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ddbc162f50d39977 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/azure_arc.py:19
        url = os.environ.get(EnvironmentVariables.IDENTITY_ENDPOINT)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e2df92d33c003c2d Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/azure_arc.py:20
        imds = os.environ.get(EnvironmentVariables.IMDS_ENDPOINT)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #90df626530fc333a Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/azure_cli.py:226
            env=dict(os.environ, AZURE_CORE_NO_COLOR="true"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #54e20d0fb4802f56 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/cloud_shell.py:21
        url = os.environ.get(EnvironmentVariables.MSI_ENDPOINT)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #29b097cdc6a93bd8 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/default.py:135
        shared_cache_username = kwargs.pop("shared_cache_username", os.environ.get(EnvironmentVariables.AZURE_USERNAME))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eeb6799242614bad Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/default.py:137
            "shared_cache_tenant_id", os.environ.get(EnvironmentVariables.AZURE_TENANT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #49cc5a0c5193c56f Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/default.py:141
            "managed_identity_client_id", os.environ.get(EnvironmentVariables.AZURE_CLIENT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #013f54db34c20ef0 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/default.py:145
            "workload_identity_tenant_id", os.environ.get(EnvironmentVariables.AZURE_TENANT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #deac22a8479d6394 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/default.py:150
        token_credentials_env = os.environ.get(EnvironmentVariables.AZURE_TOKEN_CREDENTIALS, "").strip().lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #938220e080f7a98b Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/default.py:231
                        token_file_path=os.environ.get(EnvironmentVariables.AZURE_FEDERATED_TOKEN_FILE),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2deb0e8b78739513 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/environment.py:57
        if all(os.environ.get(v) is not None for v in EnvironmentVariables.CLIENT_SECRET_VARS):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #58b682bbe624deed Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/environment.py:59
                client_id=os.environ[EnvironmentVariables.AZURE_CLIENT_ID],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cac94d7d214ef75a Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/environment.py:60
                client_secret=os.environ[EnvironmentVariables.AZURE_CLIENT_SECRET],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3afb58c1bd7b606b Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/environment.py:61
                tenant_id=os.environ[EnvironmentVariables.AZURE_TENANT_ID],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #61c9b48e10afe54d Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/environment.py:64
        elif all(os.environ.get(v) is not None for v in EnvironmentVariables.CERT_VARS):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #69b1c687c38e7a44 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/environment.py:66
                client_id=os.environ[EnvironmentVariables.AZURE_CLIENT_ID],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6c0d107cca029557 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/environment.py:67
                tenant_id=os.environ[EnvironmentVariables.AZURE_TENANT_ID],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4ed743b557a2b69c Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/environment.py:68
                certificate_path=os.environ[EnvironmentVariables.AZURE_CLIENT_CERTIFICATE_PATH],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dd19547f11b3197a Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/environment.py:69
                password=os.environ.get(EnvironmentVariables.AZURE_CLIENT_CERTIFICATE_PASSWORD),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5d18b54f82735f08 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/environment.py:71
                    os.environ.get(EnvironmentVariables.AZURE_CLIENT_SEND_CERTIFICATE_CHAIN, False)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3a3037cd036e8dd4 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/environment.py:80
            set_variables = [v for v in expected_variables if v in os.environ]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7c7d84540976a0d1 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/imds.py:54
        if EnvironmentVariables.AZURE_POD_IDENTITY_AUTHORITY_HOST in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cc2c1aa60266b89b Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/managed_identity.py:54
        if os.environ.get(EnvironmentVariables.IDENTITY_ENDPOINT):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #99a53247ffc0e049 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/managed_identity.py:55
            if os.environ.get(EnvironmentVariables.IDENTITY_HEADER):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7cad75eb19ca63f9 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/managed_identity.py:56
                if os.environ.get(EnvironmentVariables.IDENTITY_SERVER_THUMBPRINT):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c2ef05ab4f366b3d Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/managed_identity.py:70
            elif os.environ.get(EnvironmentVariables.IMDS_ENDPOINT):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3848ba53e2831a27 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/managed_identity.py:75
        elif os.environ.get(EnvironmentVariables.MSI_ENDPOINT):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7fcfbbcda189aab7 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/managed_identity.py:76
            if os.environ.get(EnvironmentVariables.MSI_SECRET):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #da722c02407b7d7f Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/managed_identity.py:87
            all(os.environ.get(var) for var in EnvironmentVariables.WORKLOAD_IDENTITY_VARS)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d52ba7a81d7b516c Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/managed_identity.py:92
            workload_client_id = client_id or os.environ.get(EnvironmentVariables.AZURE_CLIENT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9157585d8bf37c63 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/managed_identity.py:103
                tenant_id=os.environ[EnvironmentVariables.AZURE_TENANT_ID],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #00dd9d08ca2ea00a Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/managed_identity.py:105
                token_file_path=os.environ[EnvironmentVariables.AZURE_FEDERATED_TOKEN_FILE],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #badf48a7127b4c21 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/workload_identity.py:57
        tenant_id = tenant_id or os.environ.get(EnvironmentVariables.AZURE_TENANT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #be20afe330409e79 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/workload_identity.py:58
        client_id = client_id or os.environ.get(EnvironmentVariables.AZURE_CLIENT_ID)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cb0e6c22944e5787 Environment-variable access.
pkgs/python/[email protected]/azure/identity/aio/_credentials/workload_identity.py:59
        token_file_path = token_file_path or os.environ.get(EnvironmentVariables.AZURE_FEDERATED_TOKEN_FILE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c5b60381e1c88ce0 Environment-variable access.
pkgs/python/[email protected]/samples/control_interactive_prompts.py:17
VAULT_URL = os.environ.get("VAULT_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8a968b912fc01b85 Environment-variable access.
pkgs/python/[email protected]/samples/credential_creation_code_snippets.py:360
        system_access_token=os.environ["SYSTEM_ACCESSTOKEN"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #91e6d3bcfb021fe0 Environment-variable access.
pkgs/python/[email protected]/samples/credential_creation_code_snippets.py:374
        system_access_token=os.environ["SYSTEM_ACCESSTOKEN"],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #09927ec48b6a5413 Environment-variable access.
pkgs/python/[email protected]/samples/key_vault_cert.py:19
VAULT_URL = os.environ["VAULT_URL"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b2ab70535ef6f14f Environment-variable access.
pkgs/python/[email protected]/samples/user_authentication.py:14
VAULT_URL = os.environ.get("VAULT_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

azure-search-documents

python dependency
expand_more 133 low-confidence finding(s)
low env_fs dependency Excluded from app score #108dfebfe8a65029 Environment-variable access.
pkgs/python/[email protected]/samples/sample_agentic_retrieval.py:43
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #07f2f3a7943aff02 Environment-variable access.
pkgs/python/[email protected]/samples/sample_agentic_retrieval.py:44
index_name = os.environ["AZURE_SEARCH_INDEX_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f2f6882b07af0959 Environment-variable access.
pkgs/python/[email protected]/samples/sample_agentic_retrieval.py:45
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bb2f615eaac6e5c0 Environment-variable access.
pkgs/python/[email protected]/samples/sample_agentic_retrieval_async.py:44
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5d7140f5c8f0296a Environment-variable access.
pkgs/python/[email protected]/samples/sample_agentic_retrieval_async.py:45
index_name = os.environ["AZURE_SEARCH_INDEX_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9f84bf70ce866a92 Environment-variable access.
pkgs/python/[email protected]/samples/sample_agentic_retrieval_async.py:46
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #26ab8d53901066d6 Environment-variable access.
pkgs/python/[email protected]/samples/sample_authentication.py:30
    service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #15beb4e798b6877c Environment-variable access.
pkgs/python/[email protected]/samples/sample_authentication.py:31
    index_name = os.environ["AZURE_SEARCH_INDEX_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #84c2cd28f829d38b Environment-variable access.
pkgs/python/[email protected]/samples/sample_authentication.py:32
    key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a5abbffea5400089 Environment-variable access.
pkgs/python/[email protected]/samples/sample_authentication.py:47
    service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dd10f91705f66ee2 Environment-variable access.
pkgs/python/[email protected]/samples/sample_authentication.py:48
    key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5bcb6ca8747d4b25 Environment-variable access.
pkgs/python/[email protected]/samples/sample_authentication.py:63
    service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ed08ab39c4f8c93d Environment-variable access.
pkgs/python/[email protected]/samples/sample_authentication.py:64
    index_name = os.environ["AZURE_SEARCH_INDEX_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #feccb771930307f4 Environment-variable access.
pkgs/python/[email protected]/samples/sample_authentication.py:80
    service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c426569e0aeb434 Environment-variable access.
pkgs/python/[email protected]/samples/sample_authentication_async.py:31
    service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #38f00b6b9a8a54aa Environment-variable access.
pkgs/python/[email protected]/samples/sample_authentication_async.py:32
    index_name = os.environ["AZURE_SEARCH_INDEX_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #87aa16bf9480b6a8 Environment-variable access.
pkgs/python/[email protected]/samples/sample_authentication_async.py:33
    key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7f23e85e17d7a44d Environment-variable access.
pkgs/python/[email protected]/samples/sample_authentication_async.py:49
    service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9b7b29bb59880554 Environment-variable access.
pkgs/python/[email protected]/samples/sample_authentication_async.py:50
    key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9291bb1689679672 Environment-variable access.
pkgs/python/[email protected]/samples/sample_authentication_async.py:66
    service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9505242540bd75fc Environment-variable access.
pkgs/python/[email protected]/samples/sample_authentication_async.py:67
    index_name = os.environ["AZURE_SEARCH_INDEX_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bde8cd96ae881c4b Environment-variable access.
pkgs/python/[email protected]/samples/sample_authentication_async.py:84
    service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #940b979dc03bed81 Environment-variable access.
pkgs/python/[email protected]/samples/sample_documents_buffered_sender.py:24
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c3dc6380d404df29 Environment-variable access.
pkgs/python/[email protected]/samples/sample_documents_buffered_sender.py:25
index_name = os.environ["AZURE_SEARCH_INDEX_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cc2552ca0315839a Environment-variable access.
pkgs/python/[email protected]/samples/sample_documents_buffered_sender.py:26
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cfdd849daeb338a6 Environment-variable access.
pkgs/python/[email protected]/samples/sample_documents_buffered_sender_async.py:25
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e15ebd6ea68940e8 Environment-variable access.
pkgs/python/[email protected]/samples/sample_documents_buffered_sender_async.py:26
index_name = os.environ["AZURE_SEARCH_INDEX_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4a3e989150ecc102 Environment-variable access.
pkgs/python/[email protected]/samples/sample_documents_buffered_sender_async.py:27
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5e7a9184b5719fb2 Environment-variable access.
pkgs/python/[email protected]/samples/sample_documents_crud.py:24
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #645cdb9bf0a3ad3e Environment-variable access.
pkgs/python/[email protected]/samples/sample_documents_crud.py:25
index_name = os.environ["AZURE_SEARCH_INDEX_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #96f9ad7acf97f43b Environment-variable access.
pkgs/python/[email protected]/samples/sample_documents_crud.py:26
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #523cc140c882fa00 Environment-variable access.
pkgs/python/[email protected]/samples/sample_documents_crud_async.py:25
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cca7857cc9b2ba6a Environment-variable access.
pkgs/python/[email protected]/samples/sample_documents_crud_async.py:26
index_name = os.environ["AZURE_SEARCH_INDEX_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #576058a447f2867a Environment-variable access.
pkgs/python/[email protected]/samples/sample_documents_crud_async.py:27
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #217e1d3f81aaab9a Environment-variable access.
pkgs/python/[email protected]/samples/sample_index_alias_crud.py:25
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c346bf165e881027 Environment-variable access.
pkgs/python/[email protected]/samples/sample_index_alias_crud.py:26
index_name = os.environ["AZURE_SEARCH_INDEX_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f87370bb56250582 Environment-variable access.
pkgs/python/[email protected]/samples/sample_index_alias_crud.py:27
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #00905d8ea70b278b Environment-variable access.
pkgs/python/[email protected]/samples/sample_index_alias_crud_async.py:26
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #58fd882617d2309f Environment-variable access.
pkgs/python/[email protected]/samples/sample_index_alias_crud_async.py:27
index_name = os.environ["AZURE_SEARCH_INDEX_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d0d293b6e6fe1951 Environment-variable access.
pkgs/python/[email protected]/samples/sample_index_alias_crud_async.py:28
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #124658560f77f13f Environment-variable access.
pkgs/python/[email protected]/samples/sample_index_analyze_text.py:24
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d99244b7df3da418 Environment-variable access.
pkgs/python/[email protected]/samples/sample_index_analyze_text.py:25
index_name = os.environ["AZURE_SEARCH_INDEX_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bd8f569aa89b7918 Environment-variable access.
pkgs/python/[email protected]/samples/sample_index_analyze_text.py:26
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #158d49995b82748a Environment-variable access.
pkgs/python/[email protected]/samples/sample_index_analyze_text_async.py:25
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a590e5aa0eedf896 Environment-variable access.
pkgs/python/[email protected]/samples/sample_index_analyze_text_async.py:26
index_name = os.environ["AZURE_SEARCH_INDEX_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0f6ed5294a4e2998 Environment-variable access.
pkgs/python/[email protected]/samples/sample_index_analyze_text_async.py:27
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #90a3c6141d416c0a Environment-variable access.
pkgs/python/[email protected]/samples/sample_index_client_custom_request.py:31
    endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bbab36cebc7add46 Environment-variable access.
pkgs/python/[email protected]/samples/sample_index_client_custom_request.py:32
    index_name = os.environ["AZURE_SEARCH_INDEX_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #99abe80240383b84 Environment-variable access.
pkgs/python/[email protected]/samples/sample_index_client_custom_request.py:33
    key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #640677aa7a99b107 Environment-variable access.
pkgs/python/[email protected]/samples/sample_index_client_custom_request_async.py:35
    endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #63d2b90cf4ac6dda Environment-variable access.
pkgs/python/[email protected]/samples/sample_index_client_custom_request_async.py:36
    index_name = os.environ["AZURE_SEARCH_INDEX_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7451e3b411d2bca5 Environment-variable access.
pkgs/python/[email protected]/samples/sample_index_client_custom_request_async.py:37
    key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3b67544467f7d710 Environment-variable access.
pkgs/python/[email protected]/samples/sample_index_crud.py:25
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #35123feeaf0c3ab6 Environment-variable access.
pkgs/python/[email protected]/samples/sample_index_crud.py:26
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c4afd77f454b97bd Environment-variable access.
pkgs/python/[email protected]/samples/sample_index_crud_async.py:26
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cd6d95212b917172 Environment-variable access.
pkgs/python/[email protected]/samples/sample_index_crud_async.py:27
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #146f01df15f82e2c Environment-variable access.
pkgs/python/[email protected]/samples/sample_index_synonym_map_crud.py:22
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eacd200e341307c4 Environment-variable access.
pkgs/python/[email protected]/samples/sample_index_synonym_map_crud.py:23
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #35d1e8c0752ac04a Filesystem access.
pkgs/python/[email protected]/samples/sample_index_synonym_map_crud.py:54
    with open(file_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dc83597c54e6dff8 Environment-variable access.
pkgs/python/[email protected]/samples/sample_index_synonym_map_crud_async.py:23
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d3e80d0544184a7d Environment-variable access.
pkgs/python/[email protected]/samples/sample_index_synonym_map_crud_async.py:24
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c0a5161ae5eaf130 Filesystem access.
pkgs/python/[email protected]/samples/sample_index_synonym_map_crud_async.py:56
    with open(file_path, "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d4396a3bd4da31ae Environment-variable access.
pkgs/python/[email protected]/samples/sample_indexer_crud.py:24
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b3811c78afccc423 Environment-variable access.
pkgs/python/[email protected]/samples/sample_indexer_crud.py:25
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6245fac02fc662cd Environment-variable access.
pkgs/python/[email protected]/samples/sample_indexer_crud.py:26
connection_string = os.environ["AZURE_STORAGE_CONNECTION_STRING"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #135275a86fb862f3 Environment-variable access.
pkgs/python/[email protected]/samples/sample_indexer_crud_async.py:25
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7b4fb97906e96778 Environment-variable access.
pkgs/python/[email protected]/samples/sample_indexer_crud_async.py:26
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4972fafe5eaa196b Environment-variable access.
pkgs/python/[email protected]/samples/sample_indexer_crud_async.py:27
connection_string = os.environ["AZURE_STORAGE_CONNECTION_STRING"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0d5fdb4a0009fa50 Environment-variable access.
pkgs/python/[email protected]/samples/sample_indexer_datasource_crud.py:24
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a4477ef880b74507 Environment-variable access.
pkgs/python/[email protected]/samples/sample_indexer_datasource_crud.py:25
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6bf353432615714e Environment-variable access.
pkgs/python/[email protected]/samples/sample_indexer_datasource_crud.py:26
connection_string = os.environ["AZURE_STORAGE_CONNECTION_STRING"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #75a0cd07c51bff2e Environment-variable access.
pkgs/python/[email protected]/samples/sample_indexer_datasource_crud_async.py:25
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #13445e64e3d720fd Environment-variable access.
pkgs/python/[email protected]/samples/sample_indexer_datasource_crud_async.py:26
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b85f6ab01354ea02 Environment-variable access.
pkgs/python/[email protected]/samples/sample_indexer_datasource_crud_async.py:27
connection_string = os.environ["AZURE_STORAGE_CONNECTION_STRING"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #49e6d4dab89c6d47 Environment-variable access.
pkgs/python/[email protected]/samples/sample_indexer_workflow.py:24
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #30c2bdf126af03c8 Environment-variable access.
pkgs/python/[email protected]/samples/sample_indexer_workflow.py:25
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e3495edfb69c511d Environment-variable access.
pkgs/python/[email protected]/samples/sample_indexer_workflow.py:26
connection_string = os.environ["AZURE_STORAGE_CONNECTION_STRING"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a18f96f3f96c1095 Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_autocomplete.py:24
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cb5b5b40250c041a Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_autocomplete.py:25
index_name = os.environ["AZURE_SEARCH_INDEX_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3b5f6b4dd79408f4 Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_autocomplete.py:26
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3ef1cc041f87a509 Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_autocomplete_async.py:26
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3d36d3ec1abfa623 Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_autocomplete_async.py:27
index_name = os.environ["AZURE_SEARCH_INDEX_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #63c874482d78a89e Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_autocomplete_async.py:28
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9e46b5affe5eff62 Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_facets.py:24
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #169dea8e291e5e0d Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_facets.py:25
index_name = os.environ["AZURE_SEARCH_INDEX_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #02e1df8b201f46c9 Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_facets.py:26
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f0d9ed3572438ff8 Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_facets_async.py:26
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2a25ca6804f80fad Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_facets_async.py:27
index_name = os.environ["AZURE_SEARCH_INDEX_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7bb770848ecb257f Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_facets_async.py:28
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #19e12c2c545fb869 Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_filter.py:24
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1ec7379a8b65fa32 Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_filter.py:25
index_name = os.environ["AZURE_SEARCH_INDEX_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #91a4db5953f7f822 Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_filter.py:26
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #366e24d92aa6882e Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_filter_async.py:26
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #67e781d35fb12228 Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_filter_async.py:27
index_name = os.environ["AZURE_SEARCH_INDEX_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8f72d80a06519c5f Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_filter_async.py:28
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #61f68a9b72058f44 Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_semantic.py:22
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #abcfd80e94bb6cce Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_semantic.py:23
index_name = os.environ["AZURE_SEARCH_INDEX_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5a6b3bddfe51d84d Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_semantic.py:24
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #39fb3a0de26cdae4 Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_semantic_async.py:23
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6f1bc19375430772 Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_semantic_async.py:24
index_name = os.environ["AZURE_SEARCH_INDEX_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4e05506d9c0fe4ff Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_semantic_async.py:25
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c7ade1d3901081e9 Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_session.py:22
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9277e2a7ba53186a Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_session.py:23
index_name = os.environ["AZURE_SEARCH_INDEX_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c4b42617f00598a8 Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_session.py:24
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2ac279e1c082ed27 Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_session_async.py:23
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #337642c067080ee5 Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_session_async.py:24
index_name = os.environ["AZURE_SEARCH_INDEX_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e0686499b3c65a5e Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_session_async.py:25
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3bf258ba8ede316f Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_simple.py:22
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ccd589c3b6c2f35d Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_simple.py:23
index_name = os.environ["AZURE_SEARCH_INDEX_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4c195759be41f8b2 Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_simple.py:24
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #79c70b83831737c6 Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_simple_async.py:24
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c7ae80470bbdd951 Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_simple_async.py:25
index_name = os.environ["AZURE_SEARCH_INDEX_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #148ff25f4a57933c Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_simple_async.py:26
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6d767bb6a16b5cb7 Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_suggestions.py:22
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ba9da63698645fbe Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_suggestions.py:23
index_name = os.environ["AZURE_SEARCH_INDEX_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #175e3fc0f3b7e207 Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_suggestions.py:24
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a48ec2bb4b5621eb Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_suggestions_async.py:24
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b906588e39f3f488 Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_suggestions_async.py:25
index_name = os.environ["AZURE_SEARCH_INDEX_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #26851d80f6d5621b Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_suggestions_async.py:26
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #19d3c829dd25cd75 Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_vector.py:49
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d9dd79aea34d28cc Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_vector.py:50
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #04c8308df467d398 Filesystem access.
pkgs/python/[email protected]/samples/sample_query_vector.py:60
    with open(query_vector_path, "r", encoding="utf-8") as handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c03ffb28c49932bd Filesystem access.
pkgs/python/[email protected]/samples/sample_query_vector.py:134
    with open(documents_path, "r", encoding="utf-8") as handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2babe42293d0404d Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_vector_async.py:51
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #837f0af1add64777 Environment-variable access.
pkgs/python/[email protected]/samples/sample_query_vector_async.py:52
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #34a788ded9dffad5 Filesystem access.
pkgs/python/[email protected]/samples/sample_query_vector_async.py:63
    with open(query_vector_path, "r", encoding="utf-8") as handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7f8d7ea25369ccad Filesystem access.
pkgs/python/[email protected]/samples/sample_query_vector_async.py:138
    with open(documents_path, "r", encoding="utf-8") as handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #251feed1f83c893d Environment-variable access.
pkgs/python/[email protected]/samples/sample_search_client_custom_request.py:23
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a6c994b29cefd00a Environment-variable access.
pkgs/python/[email protected]/samples/sample_search_client_custom_request.py:24
index_name = os.environ["AZURE_SEARCH_INDEX_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8bc539ec013eae34 Environment-variable access.
pkgs/python/[email protected]/samples/sample_search_client_custom_request.py:25
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ccef2b2defc13292 Environment-variable access.
pkgs/python/[email protected]/samples/sample_search_client_custom_request_async.py:24
service_endpoint = os.environ["AZURE_SEARCH_SERVICE_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9cabcb70dd98f4ce Environment-variable access.
pkgs/python/[email protected]/samples/sample_search_client_custom_request_async.py:25
index_name = os.environ["AZURE_SEARCH_INDEX_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9f9e64bccdc1c189 Environment-variable access.
pkgs/python/[email protected]/samples/sample_search_client_custom_request_async.py:26
key = os.environ["AZURE_SEARCH_API_KEY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

azure-storage-blob

python dependency
expand_more 60 low-confidence finding(s)
low env_fs dependency Excluded from app score #806abd0139eefa88 Filesystem access.
pkgs/python/[email protected]/azure/storage/blob/__init__.py:203
            with open(output, 'wb') as file_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #69441979041589dd Filesystem access.
pkgs/python/[email protected]/azure/storage/blob/_shared/avro/avro_io.py:161
        input_bytes = self.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #93329ec38da48282 Filesystem access.
pkgs/python/[email protected]/azure/storage/blob/_shared/avro/avro_io.py:242
            result = decoder.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #885afa9d940a1746 Filesystem access.
pkgs/python/[email protected]/azure/storage/blob/_shared/avro/avro_io_async.py:143
        input_bytes = await self.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #54412df8bb1c44a9 Filesystem access.
pkgs/python/[email protected]/azure/storage/blob/_shared/avro/avro_io_async.py:225
            result = await decoder.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a2e0f41b804e4cc3 Filesystem access.
pkgs/python/[email protected]/azure/storage/blob/_shared/avro/datafile.py:209
            data = self.raw_decoder.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #47dec31cd044f035 Filesystem access.
pkgs/python/[email protected]/azure/storage/blob/aio/__init__.py:149
            with open(output, 'wb') as file_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #72bb35c3c8f45d59 Environment-variable access.
pkgs/python/[email protected]/samples/blob_samples_authentication.py:30
        os.getenv("STORAGE_ACCOUNT_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5848da61aca00c0f Environment-variable access.
pkgs/python/[email protected]/samples/blob_samples_authentication.py:33
        os.getenv("OAUTH_STORAGE_ACCOUNT_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a5519ddaf32d4986 Environment-variable access.
pkgs/python/[email protected]/samples/blob_samples_authentication.py:36
    connection_string = os.getenv("STORAGE_CONNECTION_STRING")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c35dce8472974203 Environment-variable access.
pkgs/python/[email protected]/samples/blob_samples_authentication.py:37
    shared_access_key = os.getenv("STORAGE_ACCOUNT_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d70dd8184895f263 Environment-variable access.
pkgs/python/[email protected]/samples/blob_samples_authentication_async.py:32
        os.getenv("STORAGE_ACCOUNT_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #025eb9b4f550a989 Environment-variable access.
pkgs/python/[email protected]/samples/blob_samples_authentication_async.py:35
        os.getenv("OAUTH_STORAGE_ACCOUNT_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dc1008f65f61028e Environment-variable access.
pkgs/python/[email protected]/samples/blob_samples_authentication_async.py:38
    connection_string = os.getenv("STORAGE_CONNECTION_STRING")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ac4365d2eb286bcc Environment-variable access.
pkgs/python/[email protected]/samples/blob_samples_authentication_async.py:39
    shared_access_key = os.getenv("STORAGE_ACCOUNT_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a86d56a2341e5b69 Environment-variable access.
pkgs/python/[email protected]/samples/blob_samples_batch_delete_blobs.py:22
    connection_string = os.getenv('STORAGE_CONNECTION_STRING')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5c1172f7be95a85a Filesystem access.
pkgs/python/[email protected]/samples/blob_samples_batch_delete_blobs.py:38
        with open(local_path+filename, "rb") as data:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #850ccf8bacdf0edd Environment-variable access.
pkgs/python/[email protected]/samples/blob_samples_client_side_encryption.py:278
    CONNECTION_STRING = os.environ['STORAGE_CONNECTION_STRING']

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f5716e91cfd44ed5 Environment-variable access.
pkgs/python/[email protected]/samples/blob_samples_client_side_encryption_keyvault.py:44
        return os.environ[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6fb01341f2bcaabf Environment-variable access.
pkgs/python/[email protected]/samples/blob_samples_common.py:32
    connection_string = os.getenv("STORAGE_CONNECTION_STRING_SOFT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c1e83821cc299c28 Filesystem access.
pkgs/python/[email protected]/samples/blob_samples_common.py:56
        with open(SOURCE_FILE, "rb") as data:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a08a759f29c0b6e1 Filesystem access.
pkgs/python/[email protected]/samples/blob_samples_common.py:104
        with open(SOURCE_FILE, "rb") as data:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7db9657ad0eda0a1 Filesystem access.
pkgs/python/[email protected]/samples/blob_samples_common.py:179
        with open(SOURCE_FILE, "rb") as data:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7ec64b460b10fff5 Environment-variable access.
pkgs/python/[email protected]/samples/blob_samples_common_async.py:31
    connection_string = os.getenv("STORAGE_CONNECTION_STRING_SOFT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #71b9fc9ebfb4de85 Filesystem access.
pkgs/python/[email protected]/samples/blob_samples_common_async.py:55
            with open(SOURCE_FILE, "rb") as data:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #13d27a0d77e81f30 Filesystem access.
pkgs/python/[email protected]/samples/blob_samples_common_async.py:103
            with open(SOURCE_FILE, "rb") as data:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a71627646f677309 Filesystem access.
pkgs/python/[email protected]/samples/blob_samples_common_async.py:179
            with open(SOURCE_FILE, "rb") as data:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d1c96df798cea506 Environment-variable access.
pkgs/python/[email protected]/samples/blob_samples_container_access_policy.py:39
    CONNECTION_STRING = os.environ['STORAGE_CONNECTION_STRING']

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9a5b04bcfa04ac16 Environment-variable access.
pkgs/python/[email protected]/samples/blob_samples_container_access_policy_async.py:40
    CONNECTION_STRING = os.environ['STORAGE_CONNECTION_STRING']

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dbce7e2f391e3233 Environment-variable access.
pkgs/python/[email protected]/samples/blob_samples_containers.py:32
    connection_string = os.getenv("STORAGE_CONNECTION_STRING")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6bc8e06c4f7d65c7 Filesystem access.
pkgs/python/[email protected]/samples/blob_samples_containers.py:210
        with open(SOURCE_FILE, "rb") as data:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #22dd9318d9638063 Environment-variable access.
pkgs/python/[email protected]/samples/blob_samples_containers_async.py:29
    connection_string = os.getenv("STORAGE_CONNECTION_STRING")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fcf6e2c18389a99c Filesystem access.
pkgs/python/[email protected]/samples/blob_samples_containers_async.py:209
            with open(SOURCE_FILE, "rb") as data:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #93e9f115d0a63085 Environment-variable access.
pkgs/python/[email protected]/samples/blob_samples_copy_blob.py:25
        CONNECTION_STRING = os.environ['STORAGE_CONNECTION_STRING']

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #76ac242949f64f23 Environment-variable access.
pkgs/python/[email protected]/samples/blob_samples_copy_blob_async.py:26
        CONNECTION_STRING = os.environ['STORAGE_CONNECTION_STRING']

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #73d7c61e7c01257c Environment-variable access.
pkgs/python/[email protected]/samples/blob_samples_enumerate_blobs.py:24
        CONNECTION_STRING = os.environ['STORAGE_CONNECTION_STRING']

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bd07d771084d651e Environment-variable access.
pkgs/python/[email protected]/samples/blob_samples_enumerate_blobs_async.py:25
        CONNECTION_STRING = os.environ['STORAGE_CONNECTION_STRING']

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #522d16e51420661a Environment-variable access.
pkgs/python/[email protected]/samples/blob_samples_hello_world.py:31
    connection_string = os.getenv("STORAGE_CONNECTION_STRING")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b795c30653dc5128 Filesystem access.
pkgs/python/[email protected]/samples/blob_samples_hello_world.py:80
            with open(SOURCE_FILE, "rb") as data:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dd34c07c6a238c31 Filesystem access.
pkgs/python/[email protected]/samples/blob_samples_hello_world.py:85
            with open(DEST_FILE, "wb") as my_blob:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #05589ebdde372eb7 Filesystem access.
pkgs/python/[email protected]/samples/blob_samples_hello_world.py:172
            with open(DEST_FILE, "wb") as my_blob:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #17d429b22b6cfb42 Filesystem access.
pkgs/python/[email protected]/samples/blob_samples_hello_world.py:204
            with open(SOURCE_FILE, "rb") as data:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c7bd0546151d04a Filesystem access.
pkgs/python/[email protected]/samples/blob_samples_hello_world.py:208
            with open(DEST_FILE, "wb") as my_blob:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #33fa409585ff1cce Environment-variable access.
pkgs/python/[email protected]/samples/blob_samples_hello_world_async.py:31
    connection_string = os.getenv("STORAGE_CONNECTION_STRING")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7f2fed7752e55b5e Filesystem access.
pkgs/python/[email protected]/samples/blob_samples_hello_world_async.py:84
                with open(SOURCE_FILE, "rb") as source:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8128c004750c633f Filesystem access.
pkgs/python/[email protected]/samples/blob_samples_hello_world_async.py:89
                with open(DEST_FILE, "wb") as my_blob:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ce823e420dce7447 Filesystem access.
pkgs/python/[email protected]/samples/blob_samples_hello_world_async.py:180
                with open(DEST_FILE, "wb") as my_blob:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #21446eed0ee17c46 Filesystem access.
pkgs/python/[email protected]/samples/blob_samples_hello_world_async.py:214
                with open(SOURCE_FILE, "rb") as source:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #656138b571f6b2e8 Filesystem access.
pkgs/python/[email protected]/samples/blob_samples_hello_world_async.py:218
                with open(DEST_FILE, "wb") as my_blob:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5496c64388be4482 Environment-variable access.
pkgs/python/[email protected]/samples/blob_samples_network_activity_logging.py:39
connection_string = os.environ.get('STORAGE_CONNECTION_STRING', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a78ebe698251f9d0 Environment-variable access.
pkgs/python/[email protected]/samples/blob_samples_proxy_configuration.py:32
connection_string = os.environ.get('AZURE_STORAGE_CONNECTION_STRING', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a3459a116d2b8728 Environment-variable access.
pkgs/python/[email protected]/samples/blob_samples_proxy_configuration.py:59
os.environ[HTTPS_PROXY_ENV_VAR] = https_proxy

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a910c04ff07cdcb0 Environment-variable access.
pkgs/python/[email protected]/samples/blob_samples_query.py:26
        CONNECTION_STRING = os.environ['STORAGE_CONNECTION_STRING']

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a2686289aa79d9d9 Filesystem access.
pkgs/python/[email protected]/samples/blob_samples_query.py:46
    with open(BASE_FILE, "rb") as stream:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #63f2369a6e620744 Environment-variable access.
pkgs/python/[email protected]/samples/blob_samples_service.py:23
    connection_string = os.getenv("STORAGE_CONNECTION_STRING")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #35da1e53ef46f6f5 Environment-variable access.
pkgs/python/[email protected]/samples/blob_samples_service_async.py:25
    connection_string = os.getenv("STORAGE_CONNECTION_STRING")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f052bec3c9daa7c8 Environment-variable access.
pkgs/python/[email protected]/samples/blob_samples_walk_blob_hierarchy.py:49
    CONNECTION_STRING = os.environ['STORAGE_CONNECTION_STRING']

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9872fc213df97681 Environment-variable access.
pkgs/python/[email protected]/samples/blob_samples_walk_blob_hierarchy_async.py:48
    CONNECTION_STRING = os.environ['STORAGE_CONNECTION_STRING']

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8ea5dc7da2b4a057 Filesystem access.
pkgs/python/[email protected]/setup.py:39
with open(os.path.join(package_folder_path, '_version.py'), 'r') as fd:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #040a6906ccc726e2 Filesystem access.
pkgs/python/[email protected]/setup.py:51
    long_description=open('README.md', 'r').read(),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

black

python dependency
expand_more 42 low-confidence finding(s)
low env_fs dependency Excluded from app score #047b8af7160f4eec Environment-variable access.
pkgs/python/[email protected]/action/main.py:9
ACTION_PATH = Path(os.environ["GITHUB_ACTION_PATH"])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #be9240b0213749d1 Environment-variable access.
pkgs/python/[email protected]/action/main.py:12
OPTIONS = os.getenv("INPUT_OPTIONS", default="")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4ee44ed37fb9b5b4 Environment-variable access.
pkgs/python/[email protected]/action/main.py:13
SRC = os.getenv("INPUT_SRC", default="")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9c06ac329e7173ce Environment-variable access.
pkgs/python/[email protected]/action/main.py:14
JUPYTER = os.getenv("INPUT_JUPYTER") == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ff7505f5f88f407a Environment-variable access.
pkgs/python/[email protected]/action/main.py:15
BLACK_ARGS = os.getenv("INPUT_BLACK_ARGS", default="")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9b8986abbfafef8e Environment-variable access.
pkgs/python/[email protected]/action/main.py:16
VERSION = os.getenv("INPUT_VERSION", default="")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4b7d5890e0e83071 Environment-variable access.
pkgs/python/[email protected]/action/main.py:17
USE_PYPROJECT = os.getenv("INPUT_USE_PYPROJECT") == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #83c12701513bfceb Environment-variable access.
pkgs/python/[email protected]/action/main.py:18
OUTPUT_FILE = os.getenv("OUTPUT_FILE", default="")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2366b128870bca11 Filesystem access.
pkgs/python/[email protected]/action/main.py:137
    with open(ACTION_PATH / ".git_archival.txt", encoding="utf-8") as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #94dabcee925fab51 Filesystem access.
pkgs/python/[email protected]/action/main.py:193
        with open(OUTPUT_FILE, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #9698b6cccf8d9360 Filesystem access.
pkgs/python/[email protected]/docs/conf.py:29
    with open(str(template), encoding="utf8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #27bb68b99578633b Filesystem access.
pkgs/python/[email protected]/docs/conf.py:31
    with open(str(target), "w", encoding="utf8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #7256c5f62f2248a0 Filesystem access.
pkgs/python/[email protected]/scripts/check_pre_commit_rev_in_example.py:50
    with open("CHANGES.md", encoding="utf-8") as fd:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #4eca4f24b9ea1637 Filesystem access.
pkgs/python/[email protected]/scripts/check_pre_commit_rev_in_example.py:52
    with open(
        os.path.join("docs", "integrations", "source_version_control.md"),
        encoding="utf-8",
    ) as fd:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #a209c0ba4b381722 Filesystem access.
pkgs/python/[email protected]/scripts/check_pre_commit_rev_in_example.py:58
    with open(
        os.path.join("docs", "guides", "using_black_with_jupyter_notebooks.md"),
        encoding="utf-8",
    ) as fd:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #07311ed8e0e11b0e Filesystem access.
pkgs/python/[email protected]/scripts/check_version_in_basics_example.py:47
    with open("CHANGES.md", encoding="utf-8") as fd:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #f4a22ccd2ada560b Filesystem access.
pkgs/python/[email protected]/scripts/check_version_in_basics_example.py:49
    with open(
        os.path.join("docs", "usage_and_configuration", "the_basics.md"),
        encoding="utf-8",
    ) as fd:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #a3dd4562abc4d9eb Environment-variable access.
pkgs/python/[email protected]/scripts/diff_shades_gha_helper.py:38
GH_API_TOKEN: Final = os.getenv("GITHUB_TOKEN")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #5491538da523edd7 Environment-variable access.
pkgs/python/[email protected]/scripts/diff_shades_gha_helper.py:39
REPO: Final = os.getenv("GITHUB_REPOSITORY", default="psf/black")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #3233bb8a1d3acc18 Environment-variable access.
pkgs/python/[email protected]/scripts/diff_shades_gha_helper.py:50
    if "GITHUB_OUTPUT" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #b207e87b14164427 Filesystem access.
pkgs/python/[email protected]/scripts/diff_shades_gha_helper.py:58
        with open(os.environ["GITHUB_OUTPUT"], "a") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #0f39b537acdc4369 Environment-variable access.
pkgs/python/[email protected]/scripts/diff_shades_gha_helper.py:58
        with open(os.environ["GITHUB_OUTPUT"], "a") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #5c5773573ea11d7f Environment-variable access.
pkgs/python/[email protected]/scripts/diff_shades_gha_helper.py:96
        pr_ref = os.getenv("GITHUB_REF")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #6e91a3e728ecc8a0 Environment-variable access.
pkgs/python/[email protected]/scripts/diff_shades_gha_helper.py:124
    event = os.getenv("GITHUB_EVENT_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #bb6a443c076dc8de Environment-variable access.
pkgs/python/[email protected]/scripts/diff_shades_gha_helper.py:130
        target_rev = os.getenv("GITHUB_SHA")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #fe0a98d813e41406 Environment-variable access.
pkgs/python/[email protected]/scripts/diff_shades_gha_helper.py:174
        run_id = os.getenv("GITHUB_RUN_ID")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #1d4a3c09899b5f09 Filesystem access.
pkgs/python/[email protected]/scripts/diff_shades_gha_helper.py:194
    with open(filename, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #ecacd6296a278210 Filesystem access.
pkgs/python/[email protected]/scripts/diff_shades_gha_helper.py:210
        with open(
            join(dirname(__file__), "..", style_file),
            "r",
            encoding="utf-8",
        ) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #5fa7b8aecf35c23e Filesystem access.
pkgs/python/[email protected]/scripts/make_width_table.py:52
    with open(table_path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #02a4c52720ecf4b5 Filesystem access.
pkgs/python/[email protected]/src/black/__init__.py:977
    with open(src, "rb") as buf:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #57ffaa2a9d96f0f5 Filesystem access.
pkgs/python/[email protected]/src/black/__init__.py:995
        with open(src, "w", encoding=encoding, newline=newline) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4c2867fdfb0115ac Environment-variable access.
pkgs/python/[email protected]/src/black/cache.py:43
    cache_dir = Path(os.environ.get("BLACK_CACHE_DIR", default_cache_dir))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3d9ba63ccca5acfb Filesystem access.
pkgs/python/[email protected]/src/black/cache.py:91
        data = path.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #02de482ab1797481 Environment-variable access.
pkgs/python/[email protected]/src/black/concurrency.py:92
        workers = int(os.environ.get("BLACK_NUM_WORKERS", 0))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e9274f5caffba5cf Filesystem access.
pkgs/python/[email protected]/src/black/files.py:37
    with open(path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #373ff385165c6790 Environment-variable access.
pkgs/python/[email protected]/src/black/files.py:235
        config_root = os.environ.get("XDG_CONFIG_HOME", "~/.config")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4b6356d1aa90e8f7 Filesystem access.
pkgs/python/[email protected]/src/blib2to3/pgen2/conv.py:64
            f = open(filename)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b20bea59a5fd3e86 Filesystem access.
pkgs/python/[email protected]/src/blib2to3/pgen2/conv.py:114
            f = open(filename)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #817bb51ba95f3446 Filesystem access.
pkgs/python/[email protected]/src/blib2to3/pgen2/driver.py:191
        with open(filename, encoding=encoding) as stream:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b69733acdcbc222a Filesystem access.
pkgs/python/[email protected]/src/blib2to3/pgen2/grammar.py:123
        with open(filename, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d5520e44482fda0d Filesystem access.
pkgs/python/[email protected]/src/blib2to3/pgen2/pgen.py:27
            stream = open(filename, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #70b08d6a7652ae22 Filesystem access.
pkgs/python/[email protected]/src/blib2to3/pgen2/tokenize.py:272
        token_iterator = tokenize(open(sys.argv[1]).read())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

boto3

python dependency
expand_more 4 low-confidence finding(s)
low env_fs tooling reachable #2713b26e8809b8de Filesystem access.
pkgs/python/[email protected]/boto3/docs/__init__.py:50
        with open(service_doc_path, 'wb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling reachable #60b7de4db8ea5ff0 Filesystem access.
pkgs/python/[email protected]/boto3/docs/service.py:200
            with open(examples_file) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8418a98ed79f3d74 Filesystem access.
pkgs/python/[email protected]/setup.py:24
    init = open(os.path.join(ROOT, 'boto3', '__init__.py')).read()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #406c588e4800b661 Filesystem access.
pkgs/python/[email protected]/setup.py:32
    long_description=open('README.rst').read(),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

brotlicffi

python dependency
expand_more 4 low-confidence finding(s)
low env_fs dependency Excluded from app score #73f6a69d3f571869 Filesystem access.
pkgs/python/[email protected]/setup.py:12
    open("README.rst").read() + '\n\n' + open("HISTORY.rst").read()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4a968ebb035828d2 Filesystem access.
pkgs/python/[email protected]/setup.py:15
with open(os.path.join(base_dir, "src", "brotlicffi", "__init__.py")) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #283a663d9595a0c4 Environment-variable access.
pkgs/python/[email protected]/setup.py:43
USE_SHARED_BROTLI = os.environ.get("USE_SHARED_BROTLI")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e8aaff0dd696b6e4 Environment-variable access.
pkgs/python/[email protected]/src/brotlicffi/_build.py:8
USE_SHARED_BROTLI = os.environ.get("USE_SHARED_BROTLI")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

chardet

python dependency
expand_more 38 low-confidence finding(s)
low env_fs tooling Excluded from app score unreachable #1c3cffc8e5245730 Filesystem access.
pkgs/python/[email protected]/scripts/benchmark_char_dataset.py:132
        data = filepath.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #75c1d3f283ce12e2 Filesystem access.
pkgs/python/[email protected]/scripts/benchmark_char_dataset.py:208
        tmp.write_text(
            "import charset_normalizer; print(charset_normalizer.__version__)"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #3b7a09f629cf5814 Filesystem access.
pkgs/python/[email protected]/scripts/benchmark_char_dataset.py:243
        script.write_text(_CN_DETECT_SCRIPT)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #61ed4c9849b35c79 Filesystem access.
pkgs/python/[email protected]/scripts/benchmark_char_dataset.py:324
        data_bytes = filepath.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #cccd00b4a2271ac9 Filesystem access.
pkgs/python/[email protected]/scripts/benchmark_char_dataset.py:413
    return hashlib.sha256(filepath.read_bytes()).hexdigest()[:12]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #f427720901de65a5 Filesystem access.
pkgs/python/[email protected]/scripts/compare_detectors.py:95
                cn_hashes.add(_norm_hash(f.read_bytes()))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #0d87137658a8b8e1 Filesystem access.
pkgs/python/[email protected]/scripts/compare_detectors.py:101
        if _norm_hash(fp.read_bytes()) in cn_hashes

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #8201fb6488f06ad1 Filesystem access.
pkgs/python/[email protected]/scripts/compare_detectors.py:139
        h.update(p.read_bytes())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #c8714696552a268e Filesystem access.
pkgs/python/[email protected]/scripts/compare_detectors.py:223
        tmp.write_text(script)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #3faa22c5fd4988c7 Filesystem access.
pkgs/python/[email protected]/scripts/compare_detectors.py:249
        tmp.write_text(script)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #72b7c10342929272 Filesystem access.
pkgs/python/[email protected]/scripts/compare_detectors.py:282
        tmp.write_text(script)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #6b5bea10f133ccc8 Filesystem access.
pkgs/python/[email protected]/scripts/compare_detectors.py:317
            tmp.write_text("import chardet; print(chardet.__version__)")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #ef8d9f2eaba52b99 Environment-variable access.
pkgs/python/[email protected]/scripts/compare_detectors.py:375
        if os.environ.get("HATCH_BUILD_HOOK_ENABLE_MYPYC", "").lower() in (

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #a3e5e13ca15b7182 Filesystem access.
pkgs/python/[email protected]/scripts/compare_detectors.py:719
        and is_equivalent_detection(filepath.read_bytes(), expected_encoding, detected)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #2cd384a9b3ff4880 Environment-variable access.
pkgs/python/[email protected]/scripts/compare_detectors.py:1313
            k: v for k, v in os.environ.items() if k != "HATCH_BUILD_HOOK_ENABLE_MYPYC"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #1f24114fc166726c Environment-variable access.
pkgs/python/[email protected]/scripts/compare_detectors.py:1334
            env={**os.environ, "HATCH_BUILD_HOOK_ENABLE_MYPYC": "true"},

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #ff811626b81b4a0f Filesystem access.
pkgs/python/[email protected]/scripts/confusion_training.py:209
    data = input_path.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #f3576e93b06a8a24 Filesystem access.
pkgs/python/[email protected]/scripts/data_sources.py:154
        texts.append(p.read_text(encoding="utf-8"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #dc17f4985c43715b Filesystem access.
pkgs/python/[email protected]/scripts/data_sources.py:161
    (cache_dir / f"{index:06d}.txt").write_text(text, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #3e21305c5de349f9 Filesystem access.
pkgs/python/[email protected]/scripts/data_sources.py:176
    (cache_dir / _SENTINEL_FILE).write_text(
        _hash_exclusion_set(exclusions) + "\n",
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #cd863fc4d8dd9af0 Filesystem access.
pkgs/python/[email protected]/scripts/data_sources.py:187
    stored = sentinel.read_text(encoding="utf-8").strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #ea3a092da3fc16c0 Filesystem access.
pkgs/python/[email protected]/scripts/diagnose_accuracy.py:73
        data = filepath.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #d0e7e5f02661a50b Filesystem access.
pkgs/python/[email protected]/scripts/exclusions.py:81
                raw_bytes = filepath.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #9b603fb9821394d3 Filesystem access.
pkgs/python/[email protected]/scripts/profile_detection.py:65
        data = filepath.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #1096e47ead9a5a6b Filesystem access.
pkgs/python/[email protected]/scripts/profile_detection.py:75
        warmup_data = test_files[0][2].read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #73cd262aea537112 Filesystem access.
pkgs/python/[email protected]/scripts/profile_detection.py:83
        data = filepath.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #a29a1bfa1b89bed9 Environment-variable access.
pkgs/python/[email protected]/scripts/profile_detection.py:330
            env={**os.environ, "HATCH_BUILD_HOOK_ENABLE_MYPYC": "true"},

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #7bcb99d281376271 Environment-variable access.
pkgs/python/[email protected]/scripts/profile_detection.py:368
                **os.environ,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #3540b4e62e96252e Environment-variable access.
pkgs/python/[email protected]/scripts/profile_detection.py:370
                "PATH": f"{venv_dir / 'bin'}:{os.environ.get('PATH', '')}",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #aec8223deb8bf515 Filesystem access.
pkgs/python/[email protected]/scripts/train.py:163
    data = input_path.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #f17ea6929b5c890f Filesystem access.
pkgs/python/[email protected]/scripts/train.py:383
    path.write_text("\n".join(lines) + "\n", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #27f07d9929e86be5 Filesystem access.
pkgs/python/[email protected]/scripts/utils.py:76
        (local_data / _REF_FILE).write_text(ref_label + "\n")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #25db0ff4e65cfcbd Filesystem access.
pkgs/python/[email protected]/scripts/utils.py:99
        if ref_file.is_file() and ref_file.read_text().strip() == desired_label:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #a0333c8188c0841e Filesystem access.
pkgs/python/[email protected]/scripts/utils.py:270
    return [(enc, lang, fp, fp.read_bytes()) for enc, lang, fp in test_files]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #137e41e1ecc8e51d Filesystem access.
pkgs/python/[email protected]/scripts/verify_no_overlap.py:45
                text = article_file.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c78fbc9744cd966f Filesystem access.
pkgs/python/[email protected]/src/chardet/models/__init__.py:104
    data = ref.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ba39ddf1fc1d871d Filesystem access.
pkgs/python/[email protected]/src/chardet/models/__init__.py:195
    data = ref.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1cf7fd15d5c7d908 Filesystem access.
pkgs/python/[email protected]/src/chardet/pipeline/confusion.py:121
    raw = ref.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

cryptography

python dependency
expand_more 26 low-confidence finding(s)
low env_fs tooling Excluded from app score unreachable #27f4ea9e8dc000d3 Filesystem access.
pkgs/python/[email protected]/docs/conf.py:88
with open(os.path.join(base_dir, "src", "cryptography", "__about__.py")) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #cf80c274727f3892 Filesystem access.
pkgs/python/[email protected]/docs/development/custom-vectors/aes-192-gcm-siv/generate_aes192gcmsiv.py:52
    with open(filename) as vector_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #b0ba755182d9b48b Filesystem access.
pkgs/python/[email protected]/docs/development/custom-vectors/aes-192-gcm-siv/generate_aes192gcmsiv.py:81
    with open(filename, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #69165c8031c5c577 Filesystem access.
pkgs/python/[email protected]/docs/development/custom-vectors/arc4/generate_arc4.py:92
    with open(filename, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #8b58227a6eb96e5e Filesystem access.
pkgs/python/[email protected]/docs/development/custom-vectors/cast5/generate_cast5.py:28
    with open(filename) as vector_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #4986c86bf9c40dcc Filesystem access.
pkgs/python/[email protected]/docs/development/custom-vectors/cast5/generate_cast5.py:52
    with open(filename, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #a3ccf75e9fd16a40 Filesystem access.
pkgs/python/[email protected]/docs/development/custom-vectors/chacha20/generate_chacha20_overflow.py:42
    with open(filename, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #8d87625d5b4816d0 Filesystem access.
pkgs/python/[email protected]/docs/development/custom-vectors/chacha20/verify_chacha20_overflow.py:49
    with open(filename) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #3ecca1a3263c5a91 Filesystem access.
pkgs/python/[email protected]/docs/development/custom-vectors/hkdf/generate_hkdf.py:34
    with open(filename, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #a9b99760479f3ce9 Filesystem access.
pkgs/python/[email protected]/docs/development/custom-vectors/idea/generate_idea.py:18
    with open(filename) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #365ae54b400992f3 Filesystem access.
pkgs/python/[email protected]/docs/development/custom-vectors/idea/generate_idea.py:50
    with open(filename, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #d571ec5dbd033f2c Filesystem access.
pkgs/python/[email protected]/docs/development/custom-vectors/idea/verify_idea.py:22
    with open(filename) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #a3c1c556e66ba24b Filesystem access.
pkgs/python/[email protected]/docs/development/custom-vectors/rsa-oaep-sha2/generate_rsa_oaep_sha2.py:98
    with open(filename, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #c242079cbbe6df1c Filesystem access.
pkgs/python/[email protected]/docs/development/custom-vectors/seed/generate_seed.py:18
    with open(filename) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #d355cebc1d03fc3e Filesystem access.
pkgs/python/[email protected]/docs/development/custom-vectors/seed/generate_seed.py:49
    with open(filename, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #dfe060a18fc8975f Filesystem access.
pkgs/python/[email protected]/docs/development/custom-vectors/seed/verify_seed.py:20
    with open(filename) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b185d989f08ee15a Environment-variable access.
pkgs/python/[email protected]/noxfile.py:64
        rustflags = os.environ.get("RUSTFLAGS", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c32dd67984394123 Environment-variable access.
pkgs/python/[email protected]/noxfile.py:239
    rustflags = os.environ.get("RUSTFLAGS", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #688d06ffa27794b5 Environment-variable access.
pkgs/python/[email protected]/noxfile.py:291
    if "CARGO_INCREMENTAL" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4d77e57d62e2eca0 Filesystem access.
pkgs/python/[email protected]/noxfile.py:406
        with open(f"{uuid.uuid4()}.lcov", "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #95638a746f358c72 Filesystem access.
pkgs/python/[email protected]/release.py:54
    content = p.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1b00ea055259e924 Filesystem access.
pkgs/python/[email protected]/release.py:60
    p.write_text(new_content)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f0ef2cbf06eb5805 Environment-variable access.
pkgs/python/[email protected]/src/_cffi_src/build_openssl.py:49
    out_dir = os.environ["OUT_DIR"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7db1d7782aaceff6 Environment-variable access.
pkgs/python/[email protected]/src/_cffi_src/openssl/x509v3.py:13
USE_CONST_X509 = bool(os.environ.get("USE_CONST_X509"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #282369e73d79a1f9 Filesystem access.
pkgs/python/[email protected]/src/_cffi_src/utils.py:16
with open(os.path.join(base_src, "cryptography", "__about__.py")) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #00a672e5c942e0ce Environment-variable access.
pkgs/python/[email protected]/src/cryptography/hazmat/bindings/openssl/binding.py:114
    and os.environ.get("PROCESSOR_ARCHITEW6432") is not None

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

ddgs

python dependency
expand_more 14 low-confidence finding(s)
low env_fs dependency Excluded from app score #6cbf0c7c50d4deba Environment-variable access.
pkgs/python/[email protected]/ddgs/api_server/api.py:41
    return DDGS(proxy=_expand_proxy_tb_alias(os.environ.get("DDGS_PROXY")))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #21e71c1ed6692465 Environment-variable access.
pkgs/python/[email protected]/ddgs/api_server/mcp.py:45
        lambda: DDGS(proxy=_expand_proxy_tb_alias(os.environ.get("DDGS_PROXY"))).text(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e55a82a49a0c2f99 Environment-variable access.
pkgs/python/[email protected]/ddgs/api_server/mcp.py:94
        lambda: DDGS(proxy=_expand_proxy_tb_alias(os.environ.get("DDGS_PROXY"))).images(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4e08601e9aa44868 Environment-variable access.
pkgs/python/[email protected]/ddgs/api_server/mcp.py:138
        lambda: DDGS(proxy=_expand_proxy_tb_alias(os.environ.get("DDGS_PROXY"))).news(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f4a091ecd9a3d18f Environment-variable access.
pkgs/python/[email protected]/ddgs/api_server/mcp.py:183
        lambda: DDGS(proxy=_expand_proxy_tb_alias(os.environ.get("DDGS_PROXY"))).videos(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6fde469e54919aa4 Environment-variable access.
pkgs/python/[email protected]/ddgs/api_server/mcp.py:219
        lambda: DDGS(proxy=_expand_proxy_tb_alias(os.environ.get("DDGS_PROXY"))).books(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e1ed29664e0add9e Environment-variable access.
pkgs/python/[email protected]/ddgs/api_server/mcp.py:242
        lambda: DDGS(proxy=_expand_proxy_tb_alias(os.environ.get("DDGS_PROXY"))).extract(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5c2c78b626748458 Environment-variable access.
pkgs/python/[email protected]/ddgs/cli.py:592
        os.environ["DDGS_PROXY"] = _expand_proxy_tb_alias(proxy) or proxy

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9db7ecfebc80e141 Filesystem access.
pkgs/python/[email protected]/ddgs/cli.py:627
        pid = int(_PID_FILE.read_text().strip())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cadc443e2125ce46 Environment-variable access.
pkgs/python/[email protected]/ddgs/cli.py:657
    proxy_env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2fa163b054c20482 Filesystem access.
pkgs/python/[email protected]/ddgs/cli.py:687
        _PID_FILE.write_text(str(process.pid))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #55ce917f4e2592c0 Environment-variable access.
pkgs/python/[email protected]/ddgs/cli.py:698
            os.environ["DDGS_PROXY"] = proxy_env["DDGS_PROXY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9889ad4bfee037dd Environment-variable access.
pkgs/python/[email protected]/ddgs/ddgs.py:156
        self._proxy = _expand_proxy_tb_alias(proxy) or os.environ.get("DDGS_PROXY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #06efb9f7f8d01528 Environment-variable access.
pkgs/python/[email protected]/ddgs/ddgs.py:215
                    env = {**os.environ, "PATH": f"{venv_bin}{os.pathsep}{os.environ.get('PATH', '')}"}

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

docker

python dependency
expand_more 22 low-confidence finding(s)
low env_fs dependency Excluded from app score #6a66a86627ec830d Filesystem access.
pkgs/python/[email protected]/docker/api/build.py:153
                with open(dockerignore) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7db7a67da8c0d047 Filesystem access.
pkgs/python/[email protected]/docker/api/build.py:370
        with open(abs_dockerfile) as df:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b6ea9d76f54f452e Filesystem access.
pkgs/python/[email protected]/docker/api/image.py:141
            with open(src, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #873aee89ab85a829 Filesystem access.
pkgs/python/[email protected]/docker/auth.py:159
                with open(config_file) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1bbd3bccbe6ea0b1 Filesystem access.
pkgs/python/[email protected]/docker/auth.py:356
        with open(config_file) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c04cdc70806ab17e Environment-variable access.
pkgs/python/[email protected]/docker/client.py:102
        environment = kwargs.get('environment') or os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f64c1d15739ab427 Filesystem access.
pkgs/python/[email protected]/docker/context/api.py:115
                            open(os.path.join(dirname, filename)))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c3938e83af221286 Environment-variable access.
pkgs/python/[email protected]/docker/context/api.py:147
            environment = os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #16dd1291ca63a0da Filesystem access.
pkgs/python/[email protected]/docker/context/config.py:17
            with open(docker_cfg_path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eddeb08622318f0a Filesystem access.
pkgs/python/[email protected]/docker/context/config.py:31
            with open(docker_cfg_path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #649f0c6a6766aa10 Filesystem access.
pkgs/python/[email protected]/docker/context/config.py:43
        with open(docker_cfg_path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #62b966c3475664c9 Filesystem access.
pkgs/python/[email protected]/docker/context/context.py:100
            with open(meta_file) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #90282cc24f256da1 Filesystem access.
pkgs/python/[email protected]/docker/context/context.py:150
        with open(get_meta_file(self.name), "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a2d5f80ef81f60a0 Environment-variable access.
pkgs/python/[email protected]/docker/credentials/utils.py:8
    result = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #71aa3cf30fe9f0c6 Environment-variable access.
pkgs/python/[email protected]/docker/transport/sshconn.py:50
        env = dict(os.environ)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6d9cad4bdc04eae1 Filesystem access.
pkgs/python/[email protected]/docker/transport/sshconn.py:197
            with open(ssh_config_file) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #21da29c796a72852 Filesystem access.
pkgs/python/[email protected]/docker/utils/build.py:102
                with open(full_path, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b1a4424eead564b Environment-variable access.
pkgs/python/[email protected]/docker/utils/config.py:34
    config_dir = os.environ.get('DOCKER_CONFIG')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9dedefd647f681ab Environment-variable access.
pkgs/python/[email protected]/docker/utils/config.py:46
        return os.environ.get('USERPROFILE', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #47be63f58a24666f Filesystem access.
pkgs/python/[email protected]/docker/utils/config.py:58
        with open(config_file) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7c7625300c099389 Environment-variable access.
pkgs/python/[email protected]/docker/utils/utils.py:355
        environment = os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f1e60f3f3dc49b8d Filesystem access.
pkgs/python/[email protected]/docker/utils/utils.py:465
    with open(env_file) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

docx2txt

python dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #381a82c01e90071a Filesystem access.
pkgs/python/[email protected]/docx2txt/docx2txt.py:103
                with open(dst_fname, "wb") as dst_f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

fake-useragent

python dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #a00e55d5c3977e41 Filesystem access.
pkgs/python/[email protected]/src/fake_useragent/utils.py:77
        for line in json_path.read_text().splitlines():

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

fastapi

python dependency
expand_more 54 low-confidence finding(s)
low env_fs dependency Excluded from app score #f9b1f5fca7b30b95 Filesystem access.
pkgs/python/[email protected]/docs_src/background_tasks/tutorial001_py310.py:7
    with open("log.txt", mode="w") as email_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bf16674dbc78b434 Filesystem access.
pkgs/python/[email protected]/docs_src/background_tasks/tutorial002_an_py310.py:9
    with open("log.txt", mode="a") as log:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b133f49cd5ce74eb Filesystem access.
pkgs/python/[email protected]/docs_src/background_tasks/tutorial002_py310.py:7
    with open("log.txt", mode="a") as log:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #60e5eec098c6645f Filesystem access.
pkgs/python/[email protected]/docs_src/custom_response/tutorial008_py310.py:11
        with open(some_file_path, mode="rb") as file_like:  # (2)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #30bc010c08605954 Filesystem access.
pkgs/python/[email protected]/docs_src/events/tutorial002_py310.py:8
    with open("log.txt", mode="a") as log:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3d278c927c8cab21 Filesystem access.
pkgs/python/[email protected]/docs_src/generate_clients/tutorial004_py310.py:5
openapi_content = json.loads(file_path.read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a66dd3987d4d8979 Filesystem access.
pkgs/python/[email protected]/docs_src/generate_clients/tutorial004_py310.py:15
file_path.write_text(json.dumps(openapi_content))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #d233ec049bff1f1e Filesystem access.
pkgs/python/[email protected]/scripts/add_latest_release_date.py:12
    with open(RELEASE_NOTES_FILE) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #0c5ff7b93a946c2d Filesystem access.
pkgs/python/[email protected]/scripts/add_latest_release_date.py:31
        with open(RELEASE_NOTES_FILE, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress tooling Excluded from app score unreachable #dc553d8c35db3fe8 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/python/[email protected]/scripts/contributors.py:129
    response = httpx.post(
        github_graphql_url,
        headers=headers,
        timeout=settings.httpx_timeout,
        json={"query": query, "variables": variables, "operationName": "Q"},
    )

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs tooling Excluded from app score unreachable #df18fe6def920a85 Filesystem access.
pkgs/python/[email protected]/scripts/contributors.py:227
    old_content = content_path.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #c7ed3d5e64064bdf Filesystem access.
pkgs/python/[email protected]/scripts/contributors.py:233
    content_path.write_text(new_content, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #c77359834e416b5a Filesystem access.
pkgs/python/[email protected]/scripts/docs.py:104
    return yaml.unsafe_load(en_config_path.read_text(encoding="utf-8"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #c811248b37c6a1de Environment-variable access.
pkgs/python/[email protected]/scripts/docs.py:128
    os.environ["DYLD_FALLBACK_LIBRARY_PATH"] = "/opt/homebrew/lib"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #5877336e536da54b Filesystem access.
pkgs/python/[email protected]/scripts/docs.py:142
    new_llm_prompt_path.write_text("", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #aff983b97923e846 Filesystem access.
pkgs/python/[email protected]/scripts/docs.py:222
    missing_translation = (docs_path / "missing-translation.md").read_text(
        encoding="utf-8"
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #db7c0e283189d299 Filesystem access.
pkgs/python/[email protected]/scripts/docs.py:228
    translation_banner = translation_banner_path.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #3a3a7c80f989287b Filesystem access.
pkgs/python/[email protected]/scripts/docs.py:235
                markdown = translated_file.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #fc4bc557e28c38fe Filesystem access.
pkgs/python/[email protected]/scripts/docs.py:237
                    staged_file.write_text(markdown, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #0cc8685660bf20bf Filesystem access.
pkgs/python/[email protected]/scripts/docs.py:241
                staged_file.write_text(
                    add_markdown_notice(markdown, banner), encoding="utf-8"
                )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #756c4caaf563b493 Filesystem access.
pkgs/python/[email protected]/scripts/docs.py:245
                markdown = staged_file.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #e638f115b9863c82 Filesystem access.
pkgs/python/[email protected]/scripts/docs.py:246
                staged_file.write_text(
                    add_markdown_notice(markdown, missing_translation),
                    encoding="utf-8",
                )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #aaa7a5c0096023a9 Filesystem access.
pkgs/python/[email protected]/scripts/docs.py:275
    config_path.write_text(
        yaml.dump(config, sort_keys=False, width=200, allow_unicode=True),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #70f17caeaf31af17 Filesystem access.
pkgs/python/[email protected]/scripts/docs.py:293
    config = yaml.unsafe_load(config_path.read_text(encoding="utf-8"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #5f1cf62d5c0002dd Filesystem access.
pkgs/python/[email protected]/scripts/docs.py:343
    content = en_index.read_text("utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #bcc2819e9394b784 Filesystem access.
pkgs/python/[email protected]/scripts/docs.py:349
    sponsors = yaml.safe_load(sponsors_data_path.read_text(encoding="utf-8"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #8fec1a261f52c474 Filesystem access.
pkgs/python/[email protected]/scripts/docs.py:378
    old_content = readme_path.read_text("utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #e71630369155ef54 Filesystem access.
pkgs/python/[email protected]/scripts/docs.py:383
        readme_path.write_text(new_content, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #a1278d5555e65398 Filesystem access.
pkgs/python/[email protected]/scripts/docs.py:424
        en_config_path.write_text(
            yaml.dump(updated_config, sort_keys=False, width=200, allow_unicode=True),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #d1790e0f5b47a4b7 Filesystem access.
pkgs/python/[email protected]/scripts/docs.py:481
        language_names_path.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #2ed12706116cef4b Filesystem access.
pkgs/python/[email protected]/scripts/docs.py:552
    base_content = file_path.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #00da6c8004a5222a Filesystem access.
pkgs/python/[email protected]/scripts/docs.py:600
        version_file.write_text(content_format, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #aea13be6e7c8fd5e Filesystem access.
pkgs/python/[email protected]/scripts/docs.py:656
        content = md_file.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #bcb8ff90ae99c72e Filesystem access.
pkgs/python/[email protected]/scripts/docs.py:663
            md_file.write_text(new_content, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #aa76f734c157b663 Filesystem access.
pkgs/python/[email protected]/scripts/docs.py:678
        all_docs_content += md_file.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress tooling Excluded from app score unreachable #d5dc846f5968a9ba Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/python/[email protected]/scripts/notify_translations.py:218
    response = httpx.post(
        github_graphql_url,
        headers=headers,
        timeout=settings.httpx_timeout,
        json={"query": query, "variables": variables, "operationName": "Q"},
    )

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs tooling Excluded from app score unreachable #261c68566c0e60d4 Filesystem access.
pkgs/python/[email protected]/scripts/notify_translations.py:319
    contents = settings.github_event_path.read_text("utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress tooling Excluded from app score unreachable #415d1d5796ce2449 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/python/[email protected]/scripts/people.py:202
    response = httpx.post(
        github_graphql_url,
        headers=headers,
        timeout=settings.httpx_timeout,
        json={"query": query, "variables": variables, "operationName": "Q"},
    )

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs tooling Excluded from app score unreachable #ffa7a9c15a150496 Filesystem access.
pkgs/python/[email protected]/scripts/people.py:384
    old_content = content_path.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #73d199e87a1a4b32 Filesystem access.
pkgs/python/[email protected]/scripts/people.py:390
    content_path.write_text(new_content, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress tooling Excluded from app score unreachable #346508e2126dc570 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/python/[email protected]/scripts/sponsors.py:100
    response = httpx.post(
        github_graphql_url,
        headers=headers,
        timeout=settings.httpx_timeout,
        json={"query": query, "variables": variables, "operationName": "Q"},
    )

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs tooling Excluded from app score unreachable #a445efe22c4c6e84 Filesystem access.
pkgs/python/[email protected]/scripts/sponsors.py:148
    old_content = content_path.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #ae0f55034887b7de Filesystem access.
pkgs/python/[email protected]/scripts/sponsors.py:154
    content_path.write_text(new_content, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #31e8ceda8a0ef292 Filesystem access.
pkgs/python/[email protected]/scripts/topic_repos.py:52
    repos_old_content = repos_path.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #c2217868a3b2d6b4 Filesystem access.
pkgs/python/[email protected]/scripts/topic_repos.py:57
    repos_path.write_text(new_repos_content, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #8a7b0b1df4e6e1d0 Filesystem access.
pkgs/python/[email protected]/scripts/translate.py:31
general_prompt = general_prompt_path.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #9a74b46288c19bc6 Filesystem access.
pkgs/python/[email protected]/scripts/translate.py:38
    return yaml.safe_load(Path("docs/language_names.yml").read_text(encoding="utf-8"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #11d7210df0ef6864 Filesystem access.
pkgs/python/[email protected]/scripts/translate.py:121
    lang_prompt_content = lang_prompt_path.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #587108d4e450251f Filesystem access.
pkgs/python/[email protected]/scripts/translate.py:129
    original_content = en_path.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #83dca032c7901096 Filesystem access.
pkgs/python/[email protected]/scripts/translate.py:133
        old_translation = out_path.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #618fc530789b5a1e Filesystem access.
pkgs/python/[email protected]/scripts/translate.py:178
    out_path.write_text(out_content, encoding="utf-8", newline="\n")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #180d2cbbdf992e32 Filesystem access.
pkgs/python/[email protected]/scripts/translation_fixer.py:81
        doc_lines = path.read_text(encoding="utf-8").splitlines()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #d7f09db6a0105856 Filesystem access.
pkgs/python/[email protected]/scripts/translation_fixer.py:82
        en_doc_lines = en_doc_path.read_text(encoding="utf-8").splitlines()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #f21adc62a5c671bc Filesystem access.
pkgs/python/[email protected]/scripts/translation_fixer.py:94
        path.write_text("\n".join(doc_lines), encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

fpdf2

python dependency
expand_more 6 low-confidence finding(s)
low env_fs dependency Excluded from app score #ef4dfe8f3c1bf0a9 Filesystem access.
pkgs/python/[email protected]/fpdf/fpdf.py:5722
        with open(pkcs_filepath, "rb") as pkcs_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bcbc6503de36eb08 Filesystem access.
pkgs/python/[email protected]/fpdf/image_parsing.py:228
    with open(filename, "rb") as local_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e7c7a956271be526 Filesystem access.
pkgs/python/[email protected]/fpdf/svg.py:856
        with open(filename, "r", encoding=encoding) as svgfile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8d84fcd31e806b64 Filesystem access.
pkgs/python/[email protected]/fpdf/template.py:186
        with open(infile, encoding=encoding) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bf02182d932609fd Filesystem access.
pkgs/python/[email protected]/fpdf/template.py:257
        with open(infile, encoding=encoding) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8d3572a312314d58 Filesystem access.
pkgs/python/[email protected]/fpdf/util.py:214
    return (resources.files(pkg) / "sRGB2014.icc").read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

ftfy

python dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #c598bf96ce2443a2 Filesystem access.
pkgs/python/[email protected]/ftfy/cli.py:104
        file = open(args.filename, "rb")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #600623221c79640c Filesystem access.
pkgs/python/[email protected]/ftfy/cli.py:112
        outfile = open(args.output, "w", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

gcp-storage-emulator

python dependency
expand_more 6 low-confidence finding(s)
low env_fs dependency Excluded from app score #64e8d66bc0ed4a90 Filesystem access.
pkgs/python/[email protected]/setup.py:9
LONG_DESCRIPTION = open(os.path.join(os.path.dirname(__file__), "README.md")).read()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3487f4766a43cdf7 Environment-variable access.
pkgs/python/[email protected]/setup.py:13
GITHUB_REF = os.environ.get("GITHUB_REF")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7f70ab8ede7b38ab Environment-variable access.
pkgs/python/[email protected]/src/gcp_storage_emulator/__main__.py:13
DEFAULT_PORT = int(os.environ.get("PORT", 9023))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1742b377180170ca Environment-variable access.
pkgs/python/[email protected]/src/gcp_storage_emulator/__main__.py:14
DEFAULT_HOST = os.environ.get("HOST", "localhost")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #21588fe945d876c5 Environment-variable access.
pkgs/python/[email protected]/src/gcp_storage_emulator/settings.py:9
STORAGE_BASE = os.path.abspath(os.environ.get("STORAGE_BASE", "./"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0caa6fb459fd52d8 Environment-variable access.
pkgs/python/[email protected]/src/gcp_storage_emulator/settings.py:10
STORAGE_DIR = os.environ.get("STORAGE_DIR", ".cloudstorage")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

google-api-python-client

python dependency
expand_more 12 low-confidence finding(s)
low env_fs dependency Excluded from app score #c884f0c3762b187d Environment-variable access.
pkgs/python/[email protected]/googleapiclient/discovery.py:430
    if "REMOTE_ADDR" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #320ec52047b05dab Environment-variable access.
pkgs/python/[email protected]/googleapiclient/discovery.py:431
        actual_url = _add_query_parameter(url, "userIp", os.environ["REMOTE_ADDR"])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4b6ebac201ef91d4 Environment-variable access.
pkgs/python/[email protected]/googleapiclient/discovery.py:573
        universe_domain_env = os.getenv(GOOGLE_CLOUD_UNIVERSE_DOMAIN, None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1b14b99fbad5a389 Environment-variable access.
pkgs/python/[email protected]/googleapiclient/discovery.py:656
            use_client_cert_str = os.getenv(
                "GOOGLE_API_USE_CLIENT_CERTIFICATE", "false"
            ).lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa783541cbf7e5bc Environment-variable access.
pkgs/python/[email protected]/googleapiclient/discovery.py:703
            use_mtls_endpoint = os.getenv(GOOGLE_API_USE_MTLS_ENDPOINT, "auto")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5f594c766c415f71 Environment-variable access.
pkgs/python/[email protected]/googleapiclient/discovery_cache/__init__.py:37
    if "GAE_ENV" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #89a20d0646cd6a13 Filesystem access.
pkgs/python/[email protected]/googleapiclient/discovery_cache/__init__.py:72
        with open(os.path.join(DISCOVERY_DOC_DIR, doc_name), "r") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #424839918bfa3795 Filesystem access.
pkgs/python/[email protected]/googleapiclient/http.py:594
        self._fd = open(self._filename, "rb")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aadc3135d6ce149b Filesystem access.
pkgs/python/[email protected]/googleapiclient/http.py:1735
            with open(filename, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3e4df34a20ddd2ed Filesystem access.
pkgs/python/[email protected]/googleapiclient/sample_tools.py:104
        with open(discovery_filename) as discovery_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8ec397d127864a31 Filesystem access.
pkgs/python/[email protected]/setup.py:52
with io.open(readme_filename, encoding="utf-8") as readme_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #53e01d3641f40b05 Filesystem access.
pkgs/python/[email protected]/setup.py:58
with open(os.path.join(package_root, "googleapiclient/version.py")) as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

google-auth-httplib2

python dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #bbf3605dfc3fd104 Filesystem access.
pkgs/python/[email protected]/setup.py:26
with io.open("README.rst", "r") as fh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

google-auth-oauthlib

python dependency
expand_more 4 low-confidence finding(s)
low env_fs dependency Excluded from app score #a4f821d678589fe0 Filesystem access.
pkgs/python/[email protected]/google_auth_oauthlib/flow.py:198
        with open(client_secrets_file, "r") as json_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #92ef4f8f854c66c9 Filesystem access.
pkgs/python/[email protected]/google_auth_oauthlib/helpers.py:94
    with open(client_secrets_file, "r") as json_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #efac974bcdda1bf1 Filesystem access.
pkgs/python/[email protected]/google_auth_oauthlib/tool/__main__.py:112
        with open(credentials, "w") as outfile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #00990ed067ae4f04 Filesystem access.
pkgs/python/[email protected]/setup.py:29
with io.open("README.rst", "r") as fh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

google-genai

python dependency
expand_more 43 low-confidence finding(s)
low env_fs dependency Excluded from app score #4e61f991c55d0ff1 Environment-variable access.
pkgs/python/[email protected]/google/genai/_api_client.py:102
  env_google_api_key = os.environ.get('GOOGLE_API_KEY', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3a1ea65305c99f16 Environment-variable access.
pkgs/python/[email protected]/google/genai/_api_client.py:103
  env_gemini_api_key = os.environ.get('GEMINI_API_KEY', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c32bd091e732c0e9 Environment-variable access.
pkgs/python/[email protected]/google/genai/_api_client.py:188
  os.environ['GOOGLE_API_PREVENT_AGENT_TOKEN_SHARING_FOR_GCP_SERVICES'] = (

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0ac9229f7d6f0735 Environment-variable access.
pkgs/python/[email protected]/google/genai/_api_client.py:566
      if os.environ.get('GOOGLE_GENAI_USE_VERTEXAI', '0').lower() in [

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9bca3c6282264190 Environment-variable access.
pkgs/python/[email protected]/google/genai/_api_client.py:603
    env_project = os.environ.get('GOOGLE_CLOUD_PROJECT', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cd28bb14f0b27949 Environment-variable access.
pkgs/python/[email protected]/google/genai/_api_client.py:604
    env_location = os.environ.get('GOOGLE_CLOUD_LOCATION', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cdb239d918110785 Environment-variable access.
pkgs/python/[email protected]/google/genai/_api_client.py:839
          cafile=os.environ.get('SSL_CERT_FILE', certifi.where()),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d2e907ece094a46a Environment-variable access.
pkgs/python/[email protected]/google/genai/_api_client.py:840
          capath=os.environ.get('SSL_CERT_DIR'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d05d4db05d3149a0 Environment-variable access.
pkgs/python/[email protected]/google/genai/_api_client.py:896
          cafile=os.environ.get('SSL_CERT_FILE', certifi.where()),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b2bc1bb16e8d1e4d Environment-variable access.
pkgs/python/[email protected]/google/genai/_api_client.py:897
          capath=os.environ.get('SSL_CERT_DIR'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #09375344d7d75c59 Environment-variable access.
pkgs/python/[email protected]/google/genai/_api_client.py:954
          cafile=os.environ.get('SSL_CERT_FILE', certifi.where()),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b3ff2f06b7bb5f4d Environment-variable access.
pkgs/python/[email protected]/google/genai/_api_client.py:955
          capath=os.environ.get('SSL_CERT_DIR'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a496940767995977 Filesystem access.
pkgs/python/[email protected]/google/genai/_api_client.py:1513
      with open(file_path, 'rb') as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #41ecb16026752db7 Environment-variable access.
pkgs/python/[email protected]/google/genai/_base_url.py:48
    return _default_base_vertex_url or os.getenv('GOOGLE_VERTEX_BASE_URL')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a8cf8678fdffc007 Environment-variable access.
pkgs/python/[email protected]/google/genai/_base_url.py:50
    return _default_base_gemini_url or os.getenv('GOOGLE_GEMINI_BASE_URL')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b4f85554529e2ec1 Environment-variable access.
pkgs/python/[email protected]/google/genai/_interactions/_client.py:103
            api_key = os.environ.get("GEMINI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9dcbe4eef1e1a600 Environment-variable access.
pkgs/python/[email protected]/google/genai/_interactions/_client.py:111
            base_url = os.environ.get("GEMINI_NEXT_GEN_API_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef99a955aab8e06d Environment-variable access.
pkgs/python/[email protected]/google/genai/_interactions/_client.py:324
            api_key = os.environ.get("GEMINI_API_KEY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a93b15b2664492ad Environment-variable access.
pkgs/python/[email protected]/google/genai/_interactions/_client.py:332
            base_url = os.environ.get("GEMINI_NEXT_GEN_API_BASE_URL")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #af122e47b9f40de6 Filesystem access.
pkgs/python/[email protected]/google/genai/_interactions/_files.py:83
            return (path.name, path.read_bytes())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3faf7369befa1ad3 Filesystem access.
pkgs/python/[email protected]/google/genai/_interactions/_files.py:95
        return pathlib.Path(file).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d90e0a8d2f3d930c Filesystem access.
pkgs/python/[email protected]/google/genai/_interactions/_files.py:125
            return (path.name, await path.read_bytes())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b426505a418cffbb Filesystem access.
pkgs/python/[email protected]/google/genai/_interactions/_files.py:137
        return await anyio.Path(file).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d1184765ab2f049a Environment-variable access.
pkgs/python/[email protected]/google/genai/_interactions/_models.py:126
            extra="allow", defer_build=coerce_boolean(os.environ.get("DEFER_PYDANTIC_BUILD", "true"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #26598f45a84d8c9b Filesystem access.
pkgs/python/[email protected]/google/genai/_interactions/_response.py:512
        with open(file, mode="wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #be3cf17992f8f5bb Filesystem access.
pkgs/python/[email protected]/google/genai/_interactions/_response.py:554
        with open(file, mode="wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #075ec8ec879280e0 Environment-variable access.
pkgs/python/[email protected]/google/genai/_interactions/_utils/_logs.py:32
    env = os.environ.get("GEMINI_NEXT_GEN_API_LOG")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6423fcbb02739727 Filesystem access.
pkgs/python/[email protected]/google/genai/_interactions/_utils/_transform.py:263
            binary = data.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #46eb985e696a5398 Filesystem access.
pkgs/python/[email protected]/google/genai/_interactions/_utils/_transform.py:429
            binary = await anyio.Path(data).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cbf57ec07e4bf381 Filesystem access.
pkgs/python/[email protected]/google/genai/_interactions/_utils/_utils.py:383
    contents = Path(path).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8f8232d63ed2876c Filesystem access.
pkgs/python/[email protected]/google/genai/_local_tokenizer_loader.py:105
  with open(file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #30f218188d798bf9 Filesystem access.
pkgs/python/[email protected]/google/genai/_local_tokenizer_loader.py:122
    with open(tmp_path, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b2ccc35a5ae20ba9 Environment-variable access.
pkgs/python/[email protected]/google/genai/_replay_api_client.py:198
      os.environ.get('PYTEST_CURRENT_TEST'),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1b7275ec5f308dcc Environment-variable access.
pkgs/python/[email protected]/google/genai/_replay_api_client.py:290
      self.replays_directory = os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a6b2acf65e5437de Environment-variable access.
pkgs/python/[email protected]/google/genai/_replay_api_client.py:290
      self.replays_directory = os.environ.get(
          'GOOGLE_GENAI_REPLAYS_DIRECTORY', None
      )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8afd186651623ca8 Filesystem access.
pkgs/python/[email protected]/google/genai/_replay_api_client.py:334
      with open(replay_file_path, 'r') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5847269a11d7b7b6 Filesystem access.
pkgs/python/[email protected]/google/genai/_replay_api_client.py:361
    with open(replay_file_path, 'w') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f81cd4d9ae002f30 Environment-variable access.
pkgs/python/[email protected]/google/genai/client.py:299
      default_factory=lambda: os.getenv('GOOGLE_GENAI_CLIENT_MODE', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b439b8fe04bd32cc Environment-variable access.
pkgs/python/[email protected]/google/genai/client.py:303
      default_factory=lambda: os.getenv('GOOGLE_GENAI_REPLAYS_DIRECTORY', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #51b8065f2426d762 Environment-variable access.
pkgs/python/[email protected]/google/genai/client.py:307
      default_factory=lambda: os.getenv('GOOGLE_GENAI_REPLAY_ID', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9478ef7b495070a9 Filesystem access.
pkgs/python/[email protected]/google/genai/types.py:8244
    image_bytes = pathlib.Path(location).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9879acd370bf4a76 Filesystem access.
pkgs/python/[email protected]/google/genai/types.py:10396
    video_bytes = pathlib.Path(location).read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cae7df983d6b0fbb Filesystem access.
pkgs/python/[email protected]/google/genai/types.py:19781
    with open(file_path, 'w', encoding='utf-8') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

httpx

python dependency
expand_more 4 low-confidence finding(s)
low env_fs dependency Excluded from app score #e15607b7a174807e Environment-variable access.
pkgs/python/[email protected]/httpx/_config.py:34
        if trust_env and os.environ.get("SSL_CERT_FILE"):  # pragma: nocover

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f301ad12c65d4a9b Environment-variable access.
pkgs/python/[email protected]/httpx/_config.py:35
            ctx = ssl.create_default_context(cafile=os.environ["SSL_CERT_FILE"])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d8905343f1241b7b Environment-variable access.
pkgs/python/[email protected]/httpx/_config.py:36
        elif trust_env and os.environ.get("SSL_CERT_DIR"):  # pragma: nocover

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f940cdd43d646874 Environment-variable access.
pkgs/python/[email protected]/httpx/_config.py:37
            ctx = ssl.create_default_context(capath=os.environ["SSL_CERT_DIR"])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

katex

python dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #e11cd8ad109f2a86 Filesystem access.
pkgs/python/[email protected]/src/metrics/parse_tfm.py:134
    with open(file_name, 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

langchain

python dependency
expand_more 4 low-confidence finding(s)
low env_fs dependency Excluded from app score #207dae21f62ed686 Environment-variable access.
pkgs/python/[email protected]/langchain/agents/middleware/_execution.py:322
        host_env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0cc0aa0612fb1b0e Filesystem access.
pkgs/python/[email protected]/langchain/agents/middleware/file_search.py:341
                content = file_path.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #60a9050553de073b Filesystem access.
pkgs/python/[email protected]/scripts/check_version.py:15
    content = pyproject_path.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #977dc3885587c853 Filesystem access.
pkgs/python/[email protected]/scripts/check_version.py:22
    content = init_path.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

langchain-classic

python dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #403c491d19b7869c Filesystem access.
pkgs/python/[email protected]/langchain_classic/storage/file_system.py:118
                value = full_path.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

langchain-text-splitters

python dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #1358b53e13bf41d3 Filesystem access.
pkgs/python/[email protected]/langchain_text_splitters/html.py:240
            html_content = pathlib.Path(file).read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

ldap3

python dependency
expand_more 7 low-confidence finding(s)
low env_fs dependency Excluded from app score #82e143a4fbe1651c Filesystem access.
pkgs/python/[email protected]/ldap3/core/connection.py:1518
                    target = open(target, 'w+')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2c5d6678e5fe5f79 Filesystem access.
pkgs/python/[email protected]/ldap3/protocol/rfc4512.py:154
            target = open(target, 'r')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a0dab03b98564bfd Filesystem access.
pkgs/python/[email protected]/ldap3/protocol/rfc4512.py:165
            target = open(target, 'w+')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #08f834dac7357bdd Filesystem access.
pkgs/python/[email protected]/ldap3/strategy/mockBase.py:263
        target = open(json_entry_file, 'r')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #03e486d48274a2ac Filesystem access.
pkgs/python/[email protected]/setup.py:33
version_dict = load(open('_version.json', 'r'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b5fd38c2d9889ac Filesystem access.
pkgs/python/[email protected]/setup.py:44
long_description = str(open('README.rst').read())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2681c643b5489495 Filesystem access.
pkgs/python/[email protected]/setup.py:87
      install_requires=[i.strip() for i in open('requirements.txt').readlines()],

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

loguru

python dependency
expand_more 9 low-confidence finding(s)
low env_fs dependency Excluded from app score #74f0e07103260e31 Environment-variable access.
pkgs/python/[email protected]/loguru/_colorama.py:25
        if "CI" in os.environ and any(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #71c5bb6d25236a47 Environment-variable access.
pkgs/python/[email protected]/loguru/_colorama.py:26
            ci in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #447f1174b4983a95 Environment-variable access.
pkgs/python/[email protected]/loguru/_colorama.py:30
        if "PYCHARM_HOSTED" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #50829ed60b1b3beb Environment-variable access.
pkgs/python/[email protected]/loguru/_colorama.py:32
        if os.name == "nt" and "TERM" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #207f9f98057efb12 Environment-variable access.
pkgs/python/[email protected]/loguru/_defaults.py:5
    if key not in environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c4ffddc88eac64d1 Environment-variable access.
pkgs/python/[email protected]/loguru/_defaults.py:8
    val = environ[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e6d71ac123ab4e5f Filesystem access.
pkgs/python/[email protected]/loguru/_file_sink.py:53
        with open(path_in, "rb") as f_in:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef6c45a17ac29283 Filesystem access.
pkgs/python/[email protected]/loguru/_file_sink.py:226
        self._file = open(path, **self._kwargs)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cb4ec8a7933f5491 Filesystem access.
pkgs/python/[email protected]/loguru/_logger.py:1868
                with open(str(file)) as fileobj:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

mariadb

python dependency
expand_more 5 low-confidence finding(s)
low env_fs dependency Excluded from app score #18da55c9f4961236 Environment-variable access.
pkgs/python/[email protected]/mariadb_posix.py:54
            config_prg = os.environ["MARIADB_CONFIG"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a1851c152c73d914 Environment-variable access.
pkgs/python/[email protected]/mariadb_windows.py:31
            mariadb_dir = os.environ["MARIADB_CC_INSTALL_DIR"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #93426c74f828d1b4 Filesystem access.
pkgs/python/[email protected]/mariadb_windows.py:80
    f = open("./include/config_win.h", "w")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c87d6451d9083a03 Filesystem access.
pkgs/python/[email protected]/setup.py:17
with open(path.join(this_directory, 'README.md'), encoding='utf-8') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6a68bf155fe1113b Filesystem access.
pkgs/python/[email protected]/setup.py:74
with open("mariadb/release_info.py", "w") as rel_info:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

moto

python dependency
expand_more 93 low-confidence finding(s)
low env_fs dependency Excluded from app score #a2fc856fec0b7a4e Filesystem access.
pkgs/python/[email protected]/moto/awslambda/models.py:1250
        with open(cfnresponse.__file__) as cfn:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2874a9e53b8f0bb2 Environment-variable access.
pkgs/python/[email protected]/moto/awslambda/models.py:2578
        quota: str | None = os.environ.get("MOTO_LAMBDA_CONCURRENCY_QUOTA")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f0190483d9b2530a Environment-variable access.
pkgs/python/[email protected]/moto/awslambda/models.py:2677
    return os.environ.get("VALIDATE_LAMBDA_S3", "") in ["", "1", "true"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3af657604fd31836 Environment-variable access.
pkgs/python/[email protected]/moto/batch_simple/models.py:126
        should_batch_fail = getenv("MOTO_SIMPLE_BATCH_FAIL_AFTER")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aea2bc31a630c096 Filesystem access.
pkgs/python/[email protected]/moto/cloudformation/utils.py:74
        with open(filename, "w") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a23b3a041c29928f Environment-variable access.
pkgs/python/[email protected]/moto/core/models.py:197
            self._orig_creds[k] = os.environ.get(k, None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #43c28652c5968111 Environment-variable access.
pkgs/python/[email protected]/moto/core/models.py:198
            os.environ[k] = v

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #851703c822c32cb3 Environment-variable access.
pkgs/python/[email protected]/moto/core/models.py:203
                os.environ[k] = v

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #40e66f0039691098 Environment-variable access.
pkgs/python/[email protected]/moto/core/models.py:205
                del os.environ[k]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1fe4d6aa33a8b094 Environment-variable access.
pkgs/python/[email protected]/moto/core/models.py:345
        call_reset_api = os.environ.get("MOTO_CALL_RESET_API")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e6e93636edd344cd Environment-variable access.
pkgs/python/[email protected]/moto/core/models.py:411
        call_reset_api = os.environ.get("MOTO_CALL_RESET_API")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b91c672f768dd10c Environment-variable access.
pkgs/python/[email protected]/moto/core/models.py:431
                f"http://localhost:{os.environ.get('MOTO_PROXY_PORT', 5005)}"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bce974b987eb3163 Environment-variable access.
pkgs/python/[email protected]/moto/core/models.py:445
                f"http://localhost:{os.environ.get('MOTO_PROXY_PORT', 5005)}"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9e2c6f6cee064c6a Environment-variable access.
pkgs/python/[email protected]/moto/core/responses.py:378
        if "MOTO_ACCOUNT_ID" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #19d83210f18f01ef Environment-variable access.
pkgs/python/[email protected]/moto/core/responses.py:379
            return os.environ["MOTO_ACCOUNT_ID"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #11b7ee64c24250d9 Environment-variable access.
pkgs/python/[email protected]/moto/ec2/models/amis.py:29
if "MOTO_AMIS_PATH" in environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8e207bc928f00a73 Filesystem access.
pkgs/python/[email protected]/moto/ec2/models/amis.py:30
    with open(environ["MOTO_AMIS_PATH"], encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #131cfdc22c4371e5 Environment-variable access.
pkgs/python/[email protected]/moto/ec2/models/amis.py:30
    with open(environ["MOTO_AMIS_PATH"], encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #84a0e95a0265f7f0 Environment-variable access.
pkgs/python/[email protected]/moto/ec2/models/amis.py:188
        if "MOTO_AMIS_PATH" not in os.environ and not settings.ec2_load_default_amis():

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d75a320625b9e55a Environment-variable access.
pkgs/python/[email protected]/moto/ec2/models/amis.py:198
        if "MOTO_AMIS_PATH" not in environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3b48e714e5fd3de5 Environment-variable access.
pkgs/python/[email protected]/moto/ecs/models.py:513
            ecs_running_count = max(int(getenv("MOTO_ECS_SERVICE_RUNNING", 0)), 0)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #45dec20fcbe647be Environment-variable access.
pkgs/python/[email protected]/moto/ecs/models.py:519
            ecs_failed_count = max(int(getenv("MOTO_ECS_SERVICE_FAILED_TASKS", 0)), 0)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #569b2f091aa4c92d Environment-variable access.
pkgs/python/[email protected]/moto/moto_api/_internal/recorder/models.py:14
        self._location = str(os.environ.get("MOTO_RECORDER_FILEPATH", "moto_recording"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6b633ff8deed3977 Environment-variable access.
pkgs/python/[email protected]/moto/moto_api/_internal/recorder/models.py:15
        self._os_enabled = bool(os.environ.get("MOTO_ENABLE_RECORDING", False))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f7ba23879cb45970 Filesystem access.
pkgs/python/[email protected]/moto/moto_api/_internal/recorder/models.py:60
        with open(filepath, "a+") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b07ce584841ae3d8 Filesystem access.
pkgs/python/[email protected]/moto/moto_api/_internal/recorder/models.py:81
        with open(filepath, "w"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6c730116a9b54ebc Filesystem access.
pkgs/python/[email protected]/moto/moto_api/_internal/recorder/models.py:100
        with open(filepath, "bw") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b9f476a443928c90 Filesystem access.
pkgs/python/[email protected]/moto/moto_api/_internal/recorder/models.py:108
        with open(filepath) as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #54db6ede3805bdac Filesystem access.
pkgs/python/[email protected]/moto/moto_api/_internal/recorder/models.py:122
        with open(filepath) as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #69b75527fbd65ff3 Filesystem access.
pkgs/python/[email protected]/moto/moto_proxy/certificate_creator.py:38
            with open(test_file_location, "w") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #adc63592c2bff948 Filesystem access.
pkgs/python/[email protected]/moto/moto_proxy/certificate_creator.py:76
                with open(f"{self.certdir.rstrip('/')}/req.conf.tmpl") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fe62bdb56e83ace6 Filesystem access.
pkgs/python/[email protected]/moto/moto_proxy/certificate_creator.py:85
                with open(config_template_name, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0a770919af40b9c6 Environment-variable access.
pkgs/python/[email protected]/moto/proxy.py:59
        default=int(os.environ.get("MOTO_PROXY_PORT", 5005)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f0feb0b68da97757 Environment-variable access.
pkgs/python/[email protected]/moto/proxy.py:75
    if "MOTO_PORT" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3b786b4cad3e4ab3 Environment-variable access.
pkgs/python/[email protected]/moto/proxy.py:76
        os.environ["MOTO_PORT"] = f"{args.port}"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e47bbb333dcb7458 Environment-variable access.
pkgs/python/[email protected]/moto/proxy.py:77
    os.environ["TEST_PROXY_MODE"] = "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bdee76c41caa4d8f Environment-variable access.
pkgs/python/[email protected]/moto/rds/models.py:141
        if len(new_attribute_values) > int(os.getenv("MAX_SHARED_ACCOUNTS", 20)):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7373a44cfc9cd45d Environment-variable access.
pkgs/python/[email protected]/moto/rds/models.py:2331
        return int(os.environ.get("MOTO_RDS_SNAPSHOT_LIMIT", 1000))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #035b69e4a7544e70 Environment-variable access.
pkgs/python/[email protected]/moto/rds/models.py:4059
        if len(self.db_proxies) >= int(os.environ.get("MOTO_RDS_PROXY_LIMIT", "100")):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cd66ce3259c35d09 Environment-variable access.
pkgs/python/[email protected]/moto/server.py:35
        default=int(os.environ.get("MOTO_PORT", 5000)),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3b50c88186e0a4b3 Environment-variable access.
pkgs/python/[email protected]/moto/server.py:60
    if "MOTO_PORT" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #76d082eee4cd25e1 Environment-variable access.
pkgs/python/[email protected]/moto/server.py:61
        os.environ["MOTO_PORT"] = f"{args.port}"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b00821b3c9ec0c1e Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:10
    return os.environ.get("TEST_PROXY_MODE", "0").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #32fce6d66a9d8c03 Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:13
TEST_SERVER_MODE = os.environ.get("TEST_SERVER_MODE", "0").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #20bbaa5c1005da9e Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:17
    os.environ.get("INITIAL_NO_AUTH_ACTION_COUNT", float("inf"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #88f7dc96af73048f Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:19
DEFAULT_CONTAINER_REGISTRY = os.environ.get("DEFAULT_CONTAINER_REGISTRY", "docker.io")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b6b90b02cb9778db Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:21
S3_IGNORE_SUBDOMAIN_BUCKETNAME = os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6a4f741469c9638c Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:21
S3_IGNORE_SUBDOMAIN_BUCKETNAME = os.environ.get(
    "S3_IGNORE_SUBDOMAIN_BUCKETNAME", ""
) in ["1", "true"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c900ffa763380acd Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:26
ACM_VALIDATION_WAIT = int(os.environ.get("MOTO_ACM_VALIDATION_WAIT", "60"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #df08bfb5fb261013 Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:29
    os.environ.get("MOTO_EC2_ENABLE_INSTANCE_TYPE_VALIDATION", False)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #603771e35beef74e Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:33
    os.environ.get("MOTO_ENABLE_KEYPAIR_VALIDATION", False)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2eb6c3c1f393a060 Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:36
ENABLE_AMI_VALIDATION = bool(os.environ.get("MOTO_ENABLE_AMI_VALIDATION", False))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb22719e93351be3 Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:39
    os.environ.get("MOTO_MAX_FORM_MEMORY_SIZE", 1024 * 1024 * 50)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #83e9e57bf7c3389a Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:42
PRETTIFY_RESPONSES = bool(os.environ.get("MOTO_PRETTIFY_RESPONSES", False))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #54ba46570e21d34d Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:44
DISABLE_GLOBAL_CORS = bool(os.environ.get("MOTO_DISABLE_GLOBAL_CORS", False))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #60a34647dff6ccd2 Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:47
SKIP_REQUIRES_DOCKER = bool(os.environ.get("TESTS_SKIP_REQUIRES_DOCKER", False))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c62d3ecf6911d62f Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:49
LAMBDA_DATA_DIR = os.environ.get("MOTO_LAMBDA_DATA_DIR", "/tmp/data")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f28cadf1e522ce31 Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:58
    return os.environ.get("SF_EXECUTION_HISTORY_TYPE", "SUCCESS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #16ba285a8f36777d Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:62
    endpoints = os.environ.get("MOTO_S3_CUSTOM_ENDPOINTS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ddd0314b5fa6602f Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:68
S3_UPLOAD_PART_MIN_SIZE = int(os.environ.get("S3_UPLOAD_PART_MIN_SIZE", "5242880"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #70d288b679f32edf Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:73
        os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3635caffc6ef6851 Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:73
        os.environ.get(
            "MOTO_S3_DEFAULT_KEY_BUFFER_SIZE", S3_UPLOAD_PART_MIN_SIZE - 1024
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a89e0e14de55d861 Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:80
    return int(os.environ.get("MOTO_S3_DEFAULT_MAX_KEYS", 1000))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fe851a60e47274ee Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:84
    return os.environ.get("MOTO_S3_ALLOW_CROSSACCOUNT_ACCESS", "true").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4a17f8e4e482222a Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:89
    return os.environ.get("MOTO_EC2_LOAD_DEFAULT_AMIS", "true").lower() != "false"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #134b57b533e6147a Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:94
    return os.environ.get("MOTO_ECS_NEW_ARN", "true").lower() != "false"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a1b64a1563a944a9 Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:98
    return os.environ.get("MOTO_EVENTS_INVOKE_HTTP", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f13e79b3e3a0e69c Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:102
    return os.environ.get("MOTO_ALLOW_NONEXISTENT_REGION", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f018e5a3a85f059a Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:109
    return os.environ.get("MOTO_LAMBDA_STUB_ECR", "TRUE").lower() != "false"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a09e4cb668bd34bc Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:113
    return os.environ.get("MOTO_PORT") or "5000"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #66c84986d90dee3b Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:117
    return os.environ.get("MOTO_PROXY_PORT") or "5005"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ad01899ace5607b3 Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:129
    return os.environ.get("MOTO_DOCKER_LAMBDA_IMAGE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d3822ce30d8f1234 Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:133
    return os.environ.get("MOTO_DOCKER_NETWORK_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a2d825c26fcee5b8 Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:137
    return os.environ.get("MOTO_DOCKER_NETWORK_MODE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #415ff8ea72c9a108 Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:141
    return os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #75ddaef440a867ae Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:141
    return os.environ.get(
        "TEST_SERVER_MODE_ENDPOINT", f"http://localhost:{moto_server_port()}"
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2570b6ab1ad055e7 Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:147
    return os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1ee3e8f07a3d3340 Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:147
    return os.environ.get(
        "TEST_PROXY_MODE_ENDPOINT", f"http://localhost:{moto_proxy_port()}"
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #579af9e3be4194eb Filesystem access.
pkgs/python/[email protected]/moto/settings.py:157
        and any("docker" in line for line in path.read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c3ead6c871c3580c Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:185
    return os.environ.get("MOTO_COGNITO_IDP_USER_POOL_ID_STRATEGY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e0aa8751e96beacf Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:189
    return os.environ.get("MOTO_COGNITO_IDP_USER_POOL_CLIENT_ID_STRATEGY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #325fd71de6734838 Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:194
        os.environ.get("MOTO_COGNITO_IDP_USER_POOL_ENABLE_TOTP", "false").lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1474da676c690871 Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:200
    return os.environ.get("MOTO_ENABLE_ISO_REGIONS", "false").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9ed858d1c517b520 Environment-variable access.
pkgs/python/[email protected]/moto/settings.py:207
        or os.environ.get("MOTO_IAM_LOAD_MANAGED_POLICIES", "").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3da77dc9babf8e1d Filesystem access.
pkgs/python/[email protected]/moto/utilities/utils.py:62
    return resource_path.read_text(encoding="utf-8").strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7c99d0851460cd27 Filesystem access.
pkgs/python/[email protected]/moto/utilities/utils.py:67
    return resource_path.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b5e2c6024ef75211 Environment-variable access.
pkgs/python/[email protected]/moto/xray/mock_client.py:17
        address = os.getenv(
            "AWS_XRAY_DAEMON_ADDRESS_YEAH_NOT_TODAY_MATE", daemon_address
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7b43de0b450deff4 Environment-variable access.
pkgs/python/[email protected]/moto/xray/mock_client.py:63
        self.old_xray_context_var = os.environ.get("AWS_XRAY_CONTEXT_MISSING")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dac64f43b5e12fb0 Environment-variable access.
pkgs/python/[email protected]/moto/xray/mock_client.py:64
        os.environ["AWS_XRAY_CONTEXT_MISSING"] = "LOG_ERROR"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d9792f422189f965 Environment-variable access.
pkgs/python/[email protected]/moto/xray/mock_client.py:72
            del os.environ["AWS_XRAY_CONTEXT_MISSING"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #28678a5add38c6f2 Environment-variable access.
pkgs/python/[email protected]/moto/xray/mock_client.py:74
            os.environ["AWS_XRAY_CONTEXT_MISSING"] = self.old_xray_context_var

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #00d0dcc228abdd53 Filesystem access.
pkgs/python/[email protected]/setup.py:26
                with open(file, "rb") as source:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e519528dd427ab1 Filesystem access.
pkgs/python/[email protected]/setup.py:27
                    with open(target_filename, "wb") as target:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

nltk

python dependency
expand_more 95 low-confidence finding(s)
low env_fs dependency Excluded from app score #cf8ae98856a3142d Filesystem access.
pkgs/python/[email protected]/nltk/__init__.py:33
    with open(version_file) as infile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6631e87939c5049e Filesystem access.
pkgs/python/[email protected]/nltk/app/chartparser_app.py:798
            with open(filename, "wb") as outfile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4958cc5183e9b49d Filesystem access.
pkgs/python/[email protected]/nltk/app/chartparser_app.py:815
        with open(filename, "rb") as infile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #51b24e7f52e9f1f3 Filesystem access.
pkgs/python/[email protected]/nltk/app/chartparser_app.py:2272
            with open(filename, "rb") as infile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0467999403791ed5 Filesystem access.
pkgs/python/[email protected]/nltk/app/chartparser_app.py:2295
            with open(filename, "wb") as outfile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1693a742a8ed002a Filesystem access.
pkgs/python/[email protected]/nltk/app/chartparser_app.py:2310
                with open(filename, "rb") as infile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c674be2c8493e5ec Filesystem access.
pkgs/python/[email protected]/nltk/app/chartparser_app.py:2313
                with open(filename) as infile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2c8310071b49e052 Filesystem access.
pkgs/python/[email protected]/nltk/app/chartparser_app.py:2327
                with open(filename, "wb") as outfile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #592ed0a97f091502 Filesystem access.
pkgs/python/[email protected]/nltk/app/chartparser_app.py:2330
                with open(filename, "w") as outfile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f59b49c8f964824a Filesystem access.
pkgs/python/[email protected]/nltk/app/chunkparser_app.py:1394
        with open(filename, "w") as outfile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3f9b20912f1d0a5c Filesystem access.
pkgs/python/[email protected]/nltk/app/chunkparser_app.py:1415
        with open(filename) as infile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8e763db48b0ca2e3 Filesystem access.
pkgs/python/[email protected]/nltk/app/chunkparser_app.py:1430
        with open(filename, "w") as outfile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b3e7476199febf00 Filesystem access.
pkgs/python/[email protected]/nltk/app/wordnet_app.py:110
                    with open(usp) as infile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c7d32d0725c68d36 Filesystem access.
pkgs/python/[email protected]/nltk/app/wordnet_app.py:224
            logfile = open(logfilename, "a", 1)  # 1 means 'line buffering'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ced0acf46ed49424 Filesystem access.
pkgs/python/[email protected]/nltk/chunk/named_entity.py:235
    with open(annfile) as infile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8f98bc9170bb2c7c Filesystem access.
pkgs/python/[email protected]/nltk/chunk/named_entity.py:247
    with open(textfile) as infile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0020c5957f8202d4 Filesystem access.
pkgs/python/[email protected]/nltk/classify/maxent.py:1440
        with open(trainfile_name, "w") as trainfile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #96885a8d836f39c8 Filesystem access.
pkgs/python/[email protected]/nltk/classify/maxent.py:1542
        with open(weightfile_name) as weightfile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a2c2297d75ec568e Filesystem access.
pkgs/python/[email protected]/nltk/classify/maxent.py:1596
    with open(f"{tab_dir}/weights.txt", "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f915787b24e1c753 Filesystem access.
pkgs/python/[email protected]/nltk/classify/maxent.py:1598
    with open(f"{tab_dir}/mapping.tab", "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f09f2c5810a6ba42 Filesystem access.
pkgs/python/[email protected]/nltk/classify/maxent.py:1600
    with open(f"{tab_dir}/labels.txt", "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4dc580bbe510f095 Filesystem access.
pkgs/python/[email protected]/nltk/classify/maxent.py:1602
    with open(f"{tab_dir}/alwayson.tab", "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1a178ea012304dab Environment-variable access.
pkgs/python/[email protected]/nltk/classify/senna.py:59
            if "SENNA" in environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #76823d7c17c759a7 Environment-variable access.
pkgs/python/[email protected]/nltk/classify/senna.py:61
                self._path = path.normpath(environ["SENNA"]) + sep

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0bc8099852534a73 Environment-variable access.
pkgs/python/[email protected]/nltk/classify/weka.py:45
        if "WEKAHOME" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #563f83b7b5c4d84f Environment-variable access.
pkgs/python/[email protected]/nltk/classify/weka.py:46
            searchpath.insert(0, os.environ["WEKAHOME"])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b764294c39b81900 Filesystem access.
pkgs/python/[email protected]/nltk/classify/weka.py:277
            outfile = open(outfile, "w")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b38692653a507180 Filesystem access.
pkgs/python/[email protected]/nltk/corpus/reader/crubadan.py:78
        with open(mapper_file, encoding="utf-8") as raw:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f7106693f246bae3 Filesystem access.
pkgs/python/[email protected]/nltk/corpus/reader/crubadan.py:97
        with open(ngram_file, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b7bc9fc2f8691dad Filesystem access.
pkgs/python/[email protected]/nltk/corpus/reader/ipipan.py:191
        with open(f) as infile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #92fcd821c0353c14 Filesystem access.
pkgs/python/[email protected]/nltk/corpus/reader/lin.py:43
            with open(path) as lin_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1c6aac6fabcdb714 Filesystem access.
pkgs/python/[email protected]/nltk/corpus/reader/nkjp.py:256
            fr = open(self.read_file)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9c7f653e99ce30b8 Filesystem access.
pkgs/python/[email protected]/nltk/corpus/reader/pl196x.py:110
            with open(self._textids) as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #16f58d6cf112e5d0 Filesystem access.
pkgs/python/[email protected]/nltk/corpus/reader/util.py:212
                open(self._fileid, "rb"), self._encoding

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b96419cbe912120e Filesystem access.
pkgs/python/[email protected]/nltk/corpus/reader/util.py:215
            self._stream = open(self._fileid, "rb")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #489ea265309428c3 Filesystem access.
pkgs/python/[email protected]/nltk/corpus/reader/xmldocs.py:161
            with open(fileid, "rb") as infile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #67c8ac69e4186275 Environment-variable access.
pkgs/python/[email protected]/nltk/data.py:94
_paths_from_env = os.environ.get("NLTK_DATA", "").split(os.pathsep)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f2e31a4383cd7fa2 Environment-variable access.
pkgs/python/[email protected]/nltk/data.py:96
if "APPENGINE_RUNTIME" not in os.environ and os.path.expanduser("~/") != "~/":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cfe089975870c9c6 Environment-variable access.
pkgs/python/[email protected]/nltk/data.py:105
        os.path.join(os.environ.get("APPDATA", "C:\\"), "nltk_data"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a63e1a204a84aef3 Filesystem access.
pkgs/python/[email protected]/nltk/data.py:769
    with open(filename, "wb") as outfile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #18e3a2aed5925b16 Filesystem access.
pkgs/python/[email protected]/nltk/downloader.py:719
            with open(filepath, "wb") as outfile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8420ab4fbcaae82c Environment-variable access.
pkgs/python/[email protected]/nltk/downloader.py:1094
        if "APPENGINE_RUNTIME" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8dc87e5d0da16bdd Environment-variable access.
pkgs/python/[email protected]/nltk/downloader.py:1104
        if sys.platform == "win32" and "APPDATA" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #648386a11d62888a Environment-variable access.
pkgs/python/[email protected]/nltk/downloader.py:1105
            homedir = os.environ["APPDATA"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #190c3efeef2c546b Environment-variable access.
pkgs/python/[email protected]/nltk/downloader.py:1140
            os.environ.get("NLTK_DOWNLOADER_FORCE_INTERACTIVE_SHELL", "false").lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #47e69d0eb2c75590 Filesystem access.
pkgs/python/[email protected]/nltk/downloader.py:2282
        with open(file, "rb") as infile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #45a191a9cf26f16a Filesystem access.
pkgs/python/[email protected]/nltk/downloader.py:2303
        with open(file, "rb") as infile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #06d77208e2ef7d1e Environment-variable access.
pkgs/python/[email protected]/nltk/downloader.py:2720
        default=os.environ.get("NLTK_DOWNLOAD_URL"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #76b6706c6b080075 Filesystem access.
pkgs/python/[email protected]/nltk/draw/util.py:1870
        with open(filename, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bb693c3218a2ee39 Environment-variable access.
pkgs/python/[email protected]/nltk/internals.py:545
        if env_var in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #264b90c53e726ec9 Environment-variable access.
pkgs/python/[email protected]/nltk/internals.py:548
                yield os.environ[env_var]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d7ebe867edba214d Environment-variable access.
pkgs/python/[email protected]/nltk/internals.py:550
            for env_dir in os.environ[env_var].split(os.pathsep):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f1304668630a3471 Environment-variable access.
pkgs/python/[email protected]/nltk/internals.py:727
        if env_var in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #48351810e85cd79f Environment-variable access.
pkgs/python/[email protected]/nltk/internals.py:729
                classpath = os.environ["CLASSPATH"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fa491c7aec880737 Environment-variable access.
pkgs/python/[email protected]/nltk/internals.py:767
                jar_env = os.path.expanduser(os.environ[env_var])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #47294f87ee3f6334 Filesystem access.
pkgs/python/[email protected]/nltk/metrics/agreement.py:440
    with open(options.file) as infile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #29ed7153ea1666d3 Filesystem access.
pkgs/python/[email protected]/nltk/metrics/distance.py:297
    with open(file) as infile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #876d3e3fedd5afe6 Filesystem access.
pkgs/python/[email protected]/nltk/parse/dependencygraph.py:225
        with open(filename) as infile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #216ded4a80e26ae0 Filesystem access.
pkgs/python/[email protected]/nltk/parse/malt.py:207
                with open(output_file.name) as infile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c0709349a51d3156 Filesystem access.
pkgs/python/[email protected]/nltk/parse/transitionparser.py:542
            pickle.dump(model, open(modelfile, "wb"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6385e598cf4c3207 Filesystem access.
pkgs/python/[email protected]/nltk/parse/transitionparser.py:556
        with open(modelFile, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c017dfeb1e9d96f Environment-variable access.
pkgs/python/[email protected]/nltk/pathsec.py:39
    env_paths = os.environ.get("NLTK_DATA", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d5b9e9ac3cbc8bc0 Filesystem access.
pkgs/python/[email protected]/nltk/sem/chat80.py:677
        with open("chat_pnames.cfg", "w") as outfile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a1dabeb425803c1a Filesystem access.
pkgs/python/[email protected]/nltk/sentiment/sentiment_analyzer.py:190
        with open(filename, "wb") as storage_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d4eb18b25e167cd1 Filesystem access.
pkgs/python/[email protected]/nltk/tag/perceptron.py:108
        with open(path, "w") as fout:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ff587b0d0c41c024 Filesystem access.
pkgs/python/[email protected]/nltk/tag/perceptron.py:113
        with open(path) as fin:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a962112ef075e318 Filesystem access.
pkgs/python/[email protected]/nltk/tag/perceptron.py:272
            with open(path_join(loc, json_file), "w") as fout:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #15c0a247e99fbf79 Filesystem access.
pkgs/python/[email protected]/nltk/tbl/demo.py:249
            with open(cache_baseline_tagger, "wb") as print_rules:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9bce1e0c689a5133 Filesystem access.
pkgs/python/[email protected]/nltk/tbl/demo.py:256
        with open(cache_baseline_tagger, "rb") as print_rules:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #12568ad419322ab6 Filesystem access.
pkgs/python/[email protected]/nltk/tbl/demo.py:317
        with open(error_output, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #681f50e738d3275a Filesystem access.
pkgs/python/[email protected]/nltk/tbl/demo.py:325
        with open(serialize_output, "wb") as print_rules:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5229e59b7389192d Filesystem access.
pkgs/python/[email protected]/nltk/tbl/demo.py:328
        with open(serialize_output, "rb") as print_rules:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #73335da97e158c91 Filesystem access.
pkgs/python/[email protected]/nltk/tokenize/punkt.py:1593
        with open("/tmp/punkt.new", "w") as outfile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7be903fa44281cfe Filesystem access.
pkgs/python/[email protected]/nltk/tokenize/punkt.py:1788
    with open(f"{dir}/collocations.tab", "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e78727885cc979da Filesystem access.
pkgs/python/[email protected]/nltk/tokenize/punkt.py:1790
    with open(f"{dir}/sent_starters.txt", "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ac7c9242330445f8 Filesystem access.
pkgs/python/[email protected]/nltk/tokenize/punkt.py:1792
    with open(f"{dir}/abbrev_types.txt", "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e1b360338aecc42c Filesystem access.
pkgs/python/[email protected]/nltk/tokenize/punkt.py:1794
    with open(f"{dir}/ortho_context.tab", "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #71c4defc62f14d60 Environment-variable access.
pkgs/python/[email protected]/nltk/tokenize/stanford_segmenter.py:131
        if os.environ.get("STANFORD_SEGMENTER"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ff38652b78975eb6 Environment-variable access.
pkgs/python/[email protected]/nltk/tokenize/stanford_segmenter.py:132
            search_path = {os.path.join(os.environ.get("STANFORD_SEGMENTER"), "data")}

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c6653f9d29038876 Filesystem access.
pkgs/python/[email protected]/nltk/tokenize/stanford_segmenter.py:290
            with open(file, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #83d1898ed840a474 Environment-variable access.
pkgs/python/[email protected]/nltk/tokenize/stanford_segmenter.py:296
            user_checksum = os.environ.get("NLTK_SEGMENTER_ALLOW_SHA256")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #71d549726b6ea33b Filesystem access.
pkgs/python/[email protected]/nltk/twitter/common.py:142
        outf = open(outfile, "w", newline="", encoding=encoding, errors=errors)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8100a58ee1453ae2 Filesystem access.
pkgs/python/[email protected]/nltk/twitter/twitterclient.py:524
                self.output = open(self.fname, "w")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #56eb6c8400f156e5 Environment-variable access.
pkgs/python/[email protected]/nltk/twitter/util.py:39
            self.twitter_dir = os.environ["TWITTER"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e518c78a75750999 Filesystem access.
pkgs/python/[email protected]/nltk/twitter/util.py:86
        with open(self.creds_fullpath) as infile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9fa90e7b2180b562 Filesystem access.
pkgs/python/[email protected]/nltk/twitter/util.py:133
    with open(creds_file, "a") as infile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b111f46a0c446006 Filesystem access.
pkgs/python/[email protected]/setup.py:25
with open(version_file) as fh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #d929c4d414bef544 Filesystem access.
pkgs/python/[email protected]/tools/find_deprecated.py:127
                s = open(os.path.join(root, filename)).read()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #506b82bfb501796d Filesystem access.
pkgs/python/[email protected]/tools/find_deprecated.py:160
            print_deprecated_uses_in(open(path).readline, path, dep_files, dep_names, 0)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #4a5bd63dc9cda5dc Filesystem access.
pkgs/python/[email protected]/tools/find_deprecated.py:162
            for example in DocTestParser().get_examples(open(path).read()):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #596bc682cb4e3956 Filesystem access.
pkgs/python/[email protected]/tools/global_replace.py:27
        s = open(file, "rb").read().decode("utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #54e0446f43d179b0 Filesystem access.
pkgs/python/[email protected]/tools/global_replace.py:29
        out = open(file, "wb")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6f31fd9a19ca757f Filesystem access.
pkgs/python/[email protected]/web/conf.py:65
    with open(
        os.path.join(web_folder, "_templates", "doctest.rst"), encoding="utf8"
    ) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #444e551c14ffe305 Filesystem access.
pkgs/python/[email protected]/web/conf.py:88
    with open(os.path.join(web_folder, "team", "team.json"), encoding="utf8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a6725888011a9c36 Filesystem access.
pkgs/python/[email protected]/web/conf.py:93
    with open(
        os.path.join(web_folder, "_templates", "team.html"), encoding="utf8"
    ) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

openpyxl

python dependency
expand_more 4 low-confidence finding(s)
low env_fs dependency Excluded from app score #41c74db1619a9823 Filesystem access.
pkgs/python/[email protected]/openpyxl/worksheet/_writer.py:379
        with open(self.out, "rb") as src:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a9387973f77d4301 Environment-variable access.
pkgs/python/[email protected]/openpyxl/xml/__init__.py:23
    return os.environ.get("OPENPYXL_LXML", "True") == "True"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0fc537f7d3af8220 Environment-variable access.
pkgs/python/[email protected]/openpyxl/xml/__init__.py:39
    return os.environ.get("OPENPYXL_DEFUSEDXML", "True") == "True"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #07f132ccddec11c1 Filesystem access.
pkgs/python/[email protected]/setup.py:24
    with open(os.path.join(here, 'README.rst')) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

opensearch-py

python dependency
expand_more 11 low-confidence finding(s)
low env_fs dependency Excluded from app score #399acb271faf64ac Environment-variable access.
pkgs/python/[email protected]/opensearchpy/_async/helpers/test.py:17
OPENSEARCH_URL = os.environ.get("OPENSEARCH_URL", "https://localhost:9200")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #76eacf12a6e6f204 Environment-variable access.
pkgs/python/[email protected]/opensearchpy/connection/base.py:100
        if os.getenv("ELASTIC_CLIENT_APIVERSIONING") == "1":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #75338ef1fae3a84b Environment-variable access.
pkgs/python/[email protected]/opensearchpy/connection/base.py:329
        ca_certs = os.environ.get("SSL_CERT_FILE") or os.environ.get("SSL_CERT_DIR")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7545f7e2b9a66fc7 Environment-variable access.
pkgs/python/[email protected]/opensearchpy/helpers/test.py:37
OPENSEARCH_URL = os.environ.get("OPENSEARCH_URL", "https://localhost:9200")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7c4f66b21fdfe0ef Environment-variable access.
pkgs/python/[email protected]/opensearchpy/helpers/test.py:44
    if "PYTHON_CONNECTION_CLASS" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #88a5a3ff1478880e Environment-variable access.
pkgs/python/[email protected]/opensearchpy/helpers/test.py:48
            connection, os.environ["PYTHON_CONNECTION_CLASS"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bd75476f63301cc7 Environment-variable access.
pkgs/python/[email protected]/opensearchpy/helpers/test.py:107
if "OPENSEARCH_VERSION" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #41fec3bc01b39dba Environment-variable access.
pkgs/python/[email protected]/opensearchpy/helpers/test.py:108
    OPENSEARCH_VERSION = _get_version(os.environ["OPENSEARCH_VERSION"])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e74584f949224982 Environment-variable access.
pkgs/python/[email protected]/opensearchpy/helpers/test.py:113
            http_auth=("admin", os.getenv("OPENSEARCH_PASSWORD", "admin")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1bcb5900a4cd3c34 Filesystem access.
pkgs/python/[email protected]/setup.py:37
with open(
    join(BASE_DIR, PACKAGE_NAME.replace("-", ""), "_version.py"), encoding="utf-8"
) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #27c8f2a40de44370 Filesystem access.
pkgs/python/[email protected]/setup.py:47
with open(join(BASE_DIR, "README.md"), encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pandas

python dependency
expand_more 28 low-confidence finding(s)
low env_fs dependency Excluded from app score #f10e771816609217 Filesystem access.
pkgs/python/[email protected]/generate_pxi.py:8
    with open(pxifile, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #550d6d4f053cbfbd Filesystem access.
pkgs/python/[email protected]/generate_pxi.py:12
    with open(outfile, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #73d962648e506d93 Environment-variable access.
pkgs/python/[email protected]/generate_version.py:25
    if os.environ.get("MESON_DIST_ROOT"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #00deec4ac4489e97 Environment-variable access.
pkgs/python/[email protected]/generate_version.py:26
        path = os.path.join(os.environ.get("MESON_DIST_ROOT"), path)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #92f71deb224f635a Filesystem access.
pkgs/python/[email protected]/generate_version.py:27
    with open(path, "w", encoding="utf-8") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #06f6fcfaf320a7e7 Environment-variable access.
pkgs/python/[email protected]/pandas/_testing/contexts.py:76
                    del os.environ["TZ"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bc651a9ed72e7ac1 Environment-variable access.
pkgs/python/[email protected]/pandas/_testing/contexts.py:80
                os.environ["TZ"] = tz

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e4b6c3cb4dd76a35 Environment-variable access.
pkgs/python/[email protected]/pandas/_testing/contexts.py:85
    orig_tz = os.environ.get("TZ")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #acc358cb99cb582a Filesystem access.
pkgs/python/[email protected]/pandas/_version.py:159
        with open(versionfile_abs, encoding="utf-8") as fobj:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9a5d2a634b732598 Environment-variable access.
pkgs/python/[email protected]/pandas/_version.py:264
    env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5bc729fe32de5dd8 Environment-variable access.
pkgs/python/[email protected]/pandas/compat/__init__.py:154
    return os.environ.get("PANDAS_CI", "0") == "1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #34dd2731bd1649dc Environment-variable access.
pkgs/python/[email protected]/pandas/core/config_init.py:425
        if os.environ.get("PANDAS_COPY_ON_WRITE", "0") == "warn"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5cc03d4b7111b1dc Environment-variable access.
pkgs/python/[email protected]/pandas/core/config_init.py:426
        else os.environ.get("PANDAS_COPY_ON_WRITE", "1") == "1",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2a0ae27fdbf1c828 Environment-variable access.
pkgs/python/[email protected]/pandas/core/config_init.py:878
        False if os.environ.get("PANDAS_FUTURE_INFER_STRING", "1") == "0" else True,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa24e0bd78fe08e1 Environment-variable access.
pkgs/python/[email protected]/pandas/core/config_init.py:895
        os.environ.get("PANDAS_FUTURE_DISTINGUISH_NAN_AND_NA", "0") == "1",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #210ecc701ef7edc8 Environment-variable access.
pkgs/python/[email protected]/pandas/core/config_init.py:906
        False if os.environ.get("PANDAS_FUTURE_PYTHON_SCALARS", "0") == "0" else True,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6fdabbf0134b7c12 Filesystem access.
pkgs/python/[email protected]/pandas/core/series.py:1573
            with open(buf, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #909a12b4f545cc60 Environment-variable access.
pkgs/python/[email protected]/pandas/io/clipboard/__init__.py:74
HAS_DISPLAY = os.getenv("DISPLAY")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #da3e0edab17fb13a Filesystem access.
pkgs/python/[email protected]/pandas/io/clipboard/__init__.py:302
        with open("/dev/clipboard", "w", encoding="utf-8") as fd:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #84dd3853804899e8 Filesystem access.
pkgs/python/[email protected]/pandas/io/clipboard/__init__.py:306
        with open("/dev/clipboard", encoding="utf-8") as fd:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c3ba81ddb0f3831e Environment-variable access.
pkgs/python/[email protected]/pandas/io/clipboard/__init__.py:569
        if os.environ.get("WAYLAND_DISPLAY") and _executable_exists("wl-copy"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #320954ae7e2e410c Filesystem access.
pkgs/python/[email protected]/pandas/io/common.py:930
            handle = open(
                handle,
                ioargs.mode,
                encoding=ioargs.encoding,
                errors=errors,
                newline="",
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #349e2877fdc2a53b Filesystem access.
pkgs/python/[email protected]/pandas/io/common.py:939
            handle = open(handle, ioargs.mode)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a208180196fd6b93 Filesystem access.
pkgs/python/[email protected]/pandas/io/common.py:1192
        handle = open(handle, "rb")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #655c233ee8baa8aa Filesystem access.
pkgs/python/[email protected]/pandas/io/formats/format.py:1076
        with open(buf, "w", encoding=encoding, newline="") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #643b081f3173dcbd Environment-variable access.
pkgs/python/[email protected]/pandas/util/_print_versions.py:57
        "LC_ALL": os.environ.get("LC_ALL"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d1c92057b68671e7 Environment-variable access.
pkgs/python/[email protected]/pandas/util/_print_versions.py:58
        "LANG": os.environ.get("LANG"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e8bed65dcf975739 Filesystem access.
pkgs/python/[email protected]/pandas/util/_print_versions.py:148
            with open(as_json, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

psutil

python dependency
expand_more 27 low-confidence finding(s)
low env_fs tooling Excluded from app score unreachable #74c4140fea8a763c Filesystem access.
pkgs/python/[email protected]/docs/conf.py:39
    with open(INIT) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #24f3b915b6bbfb42 Environment-variable access.
pkgs/python/[email protected]/psutil/_common.py:34
PSUTIL_DEBUG = bool(os.getenv('PSUTIL_DEBUG'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0e57ae31a624b1c3 Filesystem access.
pkgs/python/[email protected]/psutil/_common.py:682
    return open(fname, "rb", buffering=FILE_READ_BUFFER_SIZE)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d461f24a9faabc5e Filesystem access.
pkgs/python/[email protected]/psutil/_common.py:692
    fobj = open(  # noqa: SIM115
        fname,
        buffering=FILE_READ_BUFFER_SIZE,
        encoding=ENCODING,
        errors=ENCODING_ERRS,
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f841dc2e27b2c6de Environment-variable access.
pkgs/python/[email protected]/psutil/_psaix.py:375
        for path in os.environ["PATH"].split(":"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7ad19e2fc9c6f46f Filesystem access.
pkgs/python/[email protected]/psutil/_psbsd.py:142
        with open('/proc/meminfo', 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #84bb1f85b27e5e16 Filesystem access.
pkgs/python/[email protected]/psutil/_psbsd.py:276
        with open('/proc/stat', 'rb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0395f7598c69df78 Environment-variable access.
pkgs/python/[email protected]/psutil/_pssunos.py:119
            f"PATH=/usr/sbin:/sbin:{os.environ['PATH']}",

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #dfaacbbcc589989c Filesystem access.
pkgs/python/[email protected]/scripts/internal/convert_readme.py:33
    with open(args.file) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #edd6abf40dab2e72 Filesystem access.
pkgs/python/[email protected]/scripts/internal/download_wheels.py:64
    with open(OUTFILE, 'wb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #370d81c5b043a8e5 Filesystem access.
pkgs/python/[email protected]/scripts/internal/download_wheels.py:87
        with open(os.path.expanduser(args.tokenfile)) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #31489800f9ef7a43 Filesystem access.
pkgs/python/[email protected]/scripts/internal/find_broken_links.py:98
    with open(fname) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #1cd36a3e3d67bf90 Filesystem access.
pkgs/python/[email protected]/scripts/internal/find_broken_links.py:113
    with open(fname) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #62347a6f105017ff Filesystem access.
pkgs/python/[email protected]/scripts/internal/find_broken_links.py:134
    with open(fname) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #d62842cff652ab5f Filesystem access.
pkgs/python/[email protected]/scripts/internal/find_broken_links.py:164
    with open(fname, errors='ignore') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #70e961ce793248c4 Filesystem access.
pkgs/python/[email protected]/scripts/internal/find_broken_links.py:178
        with open(fname, errors='ignore') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #259dbb63c6ffc6e9 Filesystem access.
pkgs/python/[email protected]/scripts/internal/git_pre_commit.py:156
    with open("MANIFEST.in", encoding="utf8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress tooling Excluded from app score unreachable #603ec73b0c59125b Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/python/[email protected]/scripts/internal/install_pip.py:34
        req = urlopen(URL, **kwargs)

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs tooling Excluded from app score unreachable #5b2e8c851f804108 Filesystem access.
pkgs/python/[email protected]/scripts/internal/print_announce.py:81
    with open(HISTORY) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #733a8f7bed77d479 Environment-variable access.
pkgs/python/[email protected]/scripts/internal/print_downloads.py:42
    env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #b3023fb45964e551 Filesystem access.
pkgs/python/[email protected]/scripts/internal/print_hashes.py:18
    with open(file, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #1ecbcc9cbcd963be Filesystem access.
pkgs/python/[email protected]/scripts/internal/purge_installation.py:56
                with open(path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #e582bfa608d477e1 Filesystem access.
pkgs/python/[email protected]/scripts/internal/purge_installation.py:64
                    with open(path, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #63ca15f035091bf7 Environment-variable access.
pkgs/python/[email protected]/setup.py:46
        if "CIBUILDWHEEL" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #15e611a3b2679e27 Filesystem access.
pkgs/python/[email protected]/setup.py:142
    with open(INIT) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ff189f31d243a43d Environment-variable access.
pkgs/python/[email protected]/setup.py:258
        if os.getenv('CC'):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #840febbcf4dfc9a0 Environment-variable access.
pkgs/python/[email protected]/setup.py:259
            compiler.set_executable('compiler_so', os.getenv('CC'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

psycopg

python dependency
expand_more 9 low-confidence finding(s)
low env_fs dependency Excluded from app score #5e2d1c0928c3bafb Environment-variable access.
pkgs/python/[email protected]/psycopg/_conninfo_utils.py:81
    if (env := os.environ.get(paramdef.envvar)) is not None:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb3dccc6dc89aff0 Environment-variable access.
pkgs/python/[email protected]/psycopg/_dns.py:138
        if params.get("hostaddr", os.environ.get("PGHOSTADDR", "")):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4544e5b5b070291d Environment-variable access.
pkgs/python/[email protected]/psycopg/_dns.py:141
        host_arg: str = params.get("host", os.environ.get("PGHOST", ""))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #712e3900be8338ab Environment-variable access.
pkgs/python/[email protected]/psycopg/_dns.py:143
        port_arg: str = str(params.get("port", os.environ.get("PGPORT", "")))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #64456b5fbda1fb3e Environment-variable access.
pkgs/python/[email protected]/psycopg/pq/__init__.py:61
    impl = os.environ.get("PSYCOPG_IMPL", "").lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bd446da626abf458 Filesystem access.
pkgs/python/[email protected]/psycopg/pq/_pq_ctypes.py:807
    with open(fn) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a66912efdf5fb009 Filesystem access.
pkgs/python/[email protected]/psycopg/pq/_pq_ctypes.py:838
    with open(fn, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c0771a748f7931f Environment-variable access.
pkgs/python/[email protected]/psycopg/waiting.py:437
if "PSYCOPG_WAIT_FUNC" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7c0ac063b2928952 Environment-variable access.
pkgs/python/[email protected]/psycopg/waiting.py:438
    fname = os.environ["PSYCOPG_WAIT_FUNC"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

psycopg2-binary

python dependency
expand_more 12 low-confidence finding(s)
low env_fs tooling Excluded from app score unreachable #6d404b6f4967e478 Filesystem access.
pkgs/python/[email protected]/doc/src/tools/make_sqlstate_docs.py:16
    with open(clsfile) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #d5b4ed6d7ca71c44 Filesystem access.
pkgs/python/[email protected]/scripts/make_errorcodes.py:40
    f = open(filename, "w")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #92da985ea970d826 Filesystem access.
pkgs/python/[email protected]/scripts/make_errorcodes.py:49
    for line in open(filename):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #257cb101062655e4 Filesystem access.
pkgs/python/[email protected]/scripts/make_errors.py:34
    f = open(filename, "w")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #53c2f57666ac1cf3 Filesystem access.
pkgs/python/[email protected]/scripts/refcounter.py:47
    f1 = open(f'debug-{(opt.nruns - 1):02}.txt').readlines()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #06c7f675173af120 Filesystem access.
pkgs/python/[email protected]/scripts/refcounter.py:48
    f2 = open(f'debug-{opt.nruns:02}.txt').readlines()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #20f59cfca661893f Filesystem access.
pkgs/python/[email protected]/scripts/refcounter.py:56
        f1 = open(f'objs-{(opt.nruns - 1):02}.txt').readlines()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #306fe8e009c3de17 Filesystem access.
pkgs/python/[email protected]/scripts/refcounter.py:57
        f2 = open(f'objs-{opt.nruns:02}.txt').readlines()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #a9d715aa40611823 Filesystem access.
pkgs/python/[email protected]/scripts/refcounter.py:88
        stream=open(f"debug-{i:02}.txt", "w"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #68f679aae60da536 Filesystem access.
pkgs/python/[email protected]/scripts/refcounter.py:103
        pprint(co, stream=open(f"objs-{i:02}.txt", "w"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #959f6222d62f1fef Environment-variable access.
pkgs/python/[email protected]/setup.py:125
            path_directories = os.environ['PATH'].split(os.pathsep)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8db2164b142ba5d6 Filesystem access.
pkgs/python/[email protected]/setup.py:511
    f = open("README.rst")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pyarrow

python dependency
expand_more 19 low-confidence finding(s)
low env_fs dependency Excluded from app score #15effc6c9558c51d Environment-variable access.
pkgs/python/[email protected]/pyarrow/__init__.py:311
    return _os.environ.get('PKG_CONFIG', 'pkg-config')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9c3495cb766f5379 Environment-variable access.
pkgs/python/[email protected]/pyarrow/__init__.py:400
    pkg_config_executable = _os.environ.get('PKG_CONFIG') or 'pkg-config'

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f1014db7921da30c Environment-variable access.
pkgs/python/[email protected]/pyarrow/__init__.py:432
    if _os.environ.get('ARROW_HOME'):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #61a3cac98bc080c2 Environment-variable access.
pkgs/python/[email protected]/pyarrow/__init__.py:433
        append_library_dir(_os.path.join(_os.environ['ARROW_HOME'], 'lib'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #929599e6a31dd459 Environment-variable access.
pkgs/python/[email protected]/pyarrow/ipc.py:138
            bool(int(os.environ.get('ARROW_PRE_0_15_IPC_FORMAT', '0')))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e43821614ccba451 Environment-variable access.
pkgs/python/[email protected]/pyarrow/ipc.py:139
    if bool(int(os.environ.get('ARROW_PRE_1_0_METADATA_VERSION', '0'))):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #83ae1c06f3583475 Filesystem access.
pkgs/python/[email protected]/pyarrow/util.py:236
        with open(out_path, 'wb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6bee5c3a010bae7b Filesystem access.
pkgs/python/[email protected]/pyarrow/util.py:243
        with open(out_path, 'wb') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1b02836620665551 Environment-variable access.
pkgs/python/[email protected]/setup.py:166
        self.cmake_generator = os.environ.get('PYARROW_CMAKE_GENERATOR')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7c42541eab5c53b0 Environment-variable access.
pkgs/python/[email protected]/setup.py:169
        self.extra_cmake_args = os.environ.get('PYARROW_CMAKE_OPTIONS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e2fc77c583909dcd Environment-variable access.
pkgs/python/[email protected]/setup.py:170
        self.build_type = os.environ.get('PYARROW_BUILD_TYPE',

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4be5614669de9b43 Environment-variable access.
pkgs/python/[email protected]/setup.py:170
        self.build_type = os.environ.get('PYARROW_BUILD_TYPE',
                                         'release').lower()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9d6e959908ddcb6c Environment-variable access.
pkgs/python/[email protected]/setup.py:173
        self.cmake_cxxflags = os.environ.get('PYARROW_CXXFLAGS', '')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fe442f2f5870a82f Environment-variable access.
pkgs/python/[email protected]/setup.py:196
            os.environ.get('PYARROW_GENERATE_COVERAGE', '0'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #880be9d32bf013ec Environment-variable access.
pkgs/python/[email protected]/setup.py:198
            os.environ.get('PYARROW_BUNDLE_ARROW_CPP', '0'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4936c43b91da272c Environment-variable access.
pkgs/python/[email protected]/setup.py:200
            os.environ.get('PYARROW_BUNDLE_CYTHON_CPP', '0'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7b0188289b1cb8c2 Filesystem access.
pkgs/python/[email protected]/setup.py:255
                cachefile = open('CMakeCache.txt', 'r')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f00eefc5d05326d9 Environment-variable access.
pkgs/python/[email protected]/setup.py:327
                if os.environ.get('PYARROW_BUILD_VERBOSE', '0') == '1':

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #76c9bc947eee2c57 Environment-variable access.
pkgs/python/[email protected]/setup.py:329
                parallel = os.environ.get('PYARROW_PARALLEL')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pydantic

python dependency
expand_more 9 low-confidence finding(s)
low env_fs dependency Excluded from app score #426335c0fd5976f0 Filesystem access.
pkgs/python/[email protected]/pydantic/deprecated/parse.py:71
    b = path.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #831e468f1695e45c Environment-variable access.
pkgs/python/[email protected]/pydantic/json_schema.py:344
                if os.getenv('PYDANTIC_PRIVATE_ALLOW_UNHANDLED_SCHEMA_TYPES'):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6d131ba3cfa65a80 Filesystem access.
pkgs/python/[email protected]/pydantic/mypy.py:1411
    with open(config_file, 'rb') as rf:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a04544a917acbeed Environment-variable access.
pkgs/python/[email protected]/pydantic/plugin/_loader.py:27
    disabled_plugins = os.getenv('PYDANTIC_DISABLE_PLUGINS')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2a4127af10f165a3 Environment-variable access.
pkgs/python/[email protected]/pydantic/v1/env_settings.py:173
            env_vars: Mapping[str, Optional[str]] = os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2748264e08420070 Environment-variable access.
pkgs/python/[email protected]/pydantic/v1/env_settings.py:175
            env_vars = {k.lower(): v for k, v in os.environ.items()}

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e7c8d7f9c3afbe84 Filesystem access.
pkgs/python/[email protected]/pydantic/v1/env_settings.py:307
                    secret_value = path.read_text().strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3b74ce400e6f6832 Filesystem access.
pkgs/python/[email protected]/pydantic/v1/mypy.py:948
    with open(config_file, read_mode) as rf:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2092069a36d15cb6 Filesystem access.
pkgs/python/[email protected]/pydantic/v1/parse.py:57
    b = path.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pydub

python dependency
expand_more 6 low-confidence finding(s)
low env_fs dependency Excluded from app score #9f848bc6f5a02500 Filesystem access.
pkgs/python/[email protected]/pydub/audio_segment.py:571
            file = open(orig_file, buffering=2 ** 13 - 1, mode='rb')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4a4e000f100f7e3e Filesystem access.
pkgs/python/[email protected]/pydub/audio_segment.py:615
        with open(os.devnull, 'rb') as devnull:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #589d351958ebfe0c Filesystem access.
pkgs/python/[email protected]/pydub/audio_segment.py:962
        with open(os.devnull, 'rb') as devnull:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #49ac6882030839d4 Filesystem access.
pkgs/python/[email protected]/pydub/utils.py:60
        fd = open(fd, mode=mode)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c6512c94770dd1bf Filesystem access.
pkgs/python/[email protected]/pydub/utils.py:65
            fd = open(fd, mode=mode)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cfbd5e1f67964e7d Environment-variable access.
pkgs/python/[email protected]/pydub/utils.py:152
    envdir_list = [os.curdir] + os.environ["PATH"].split(os.pathsep)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pymdown-extensions

python dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #66478a90d537efd0 Filesystem access.
pkgs/python/[email protected]/pymdownx/b64.py:86
                    with open(file_name, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7d5649103fad3f5d Filesystem access.
pkgs/python/[email protected]/pymdownx/snippets.py:366
                        with open(snippet, 'r', encoding=self.encoding) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pymongo

python dependency
expand_more 113 low-confidence finding(s)
low env_fs tooling Excluded from app score unreachable #614ebf6b2b1cc0cd Filesystem access.
pkgs/python/[email protected]/.evergreen/scripts/generate_config_utils.py:292
    data = target.read_text().splitlines()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #cdac61aadfc2f00b Filesystem access.
pkgs/python/[email protected]/.evergreen/scripts/generate_config_utils.py:321
    data = target.read_text().splitlines()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #de00d8d4d3a49fbe Filesystem access.
pkgs/python/[email protected]/.evergreen/scripts/generate_config_utils.py:354
    data = target.read_text().splitlines()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #b3eddc89395b64de Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/kms_tester.py:64
    base_env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #347328d4ddf06cdc Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/kms_tester.py:99
            os.environ["AZUREKMS_VMNAME_PREFIX"] = "PYTHON_DRIVER"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #3bcff3087b9fd20c Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/kms_tester.py:102
            os.environ[

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #32da2a0b5b67f295 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/kms_tester.py:102
            os.environ[
                "AZUREKMS_IMAGE"
            ] = "Canonical:0001-com-ubuntu-server-jammy:22_04-lts-gen2:latest"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #7f999d5f2559c94e Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/kms_tester.py:106
            os.environ["GCPKMS_IMAGEFAMILY"] = "debian-12"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #70167ebeb8e95501 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/kms_tester.py:128
        key_name = os.environ["KEY_NAME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #62303aaab62b1197 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/kms_tester.py:129
        key_vault_endpoint = os.environ["KEY_VAULT_ENDPOINT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #7eaa1360b1da2929 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/mod_wsgi_tester.py:26
    env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #2e7c1d081f2f3edc Filesystem access.
pkgs/python/[email protected]/.evergreen/scripts/mod_wsgi_tester.py:64
        LOGGER.error(Path("error_log").read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #b9777e74c7e200d8 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/mod_wsgi_tester.py:72
    uri1 = os.environ["TEST_URI1"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #540df3d4e9161360 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/mod_wsgi_tester.py:73
    uri2 = os.environ["TEST_URI2"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #bc056c262822419f Filesystem access.
pkgs/python/[email protected]/.evergreen/scripts/mod_wsgi_tester.py:81
        LOGGER.error(Path("error_log").read_text())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #32d5e1e221b13a1d Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/mod_wsgi_tester.py:86
    apache = os.environ["APACHE_BINARY"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #e3a7fc30b10e48fc Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/mod_wsgi_tester.py:87
    apache_config = os.environ["APACHE_CONFIG"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #5410cb9a0ed89410 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/oidc_tester.py:34
    env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #daa165011cc6e92f Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/oidc_tester.py:36
    if sub_test_name == "eks" and "AWS_ACCESS_KEY_ID" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #5717d5dc05d04436 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/oidc_tester.py:39
            if key in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #3cd65e180dbe4df1 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/oidc_tester.py:40
                write_env(key, os.environ[key])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #5c10666a8088c05b Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/oidc_tester.py:62
        return os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #66a0b8217e2d5817 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/oidc_tester.py:84
    env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #0ddc4034ae8bf0df Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/resync-all-specs.py:63
    spec_dir = pathlib.Path(os.environ["MDB_SPECS"]) / "source"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #d2e001c2f5670153 Filesystem access.
pkgs/python/[email protected]/.evergreen/scripts/resync-all-specs.py:126
            with open(filename, "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #f931309b6c308abc Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_server.py:10
    os.environ[name] = str(value)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #78d707460d2b0f31 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_server.py:22
    if "VERSION" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #6f26e6a9e6d08c85 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_server.py:23
        os.environ["MONGODB_VERSION"] = os.environ["VERSION"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #93c85beae0f9cb00 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_server.py:32
        os.environ["TOPOLOGY"] = "replica_set"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #9fd9d2ea4fd5de2d Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_server.py:33
        os.environ["MONGODB_VERSION"] = "7.0"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #f51c599e9140de70 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_server.py:35
    if not os.environ.get("TEST_CRYPT_SHARED"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #8bb3590360af6696 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_tests.py:24
AUTH = os.environ.get("AUTH", "noauth")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #b75bc2142beda6ad Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_tests.py:25
SSL = os.environ.get("SSL", "nossl")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #fe8bd6361dfaf893 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_tests.py:26
UV_ARGS = os.environ.get("UV_ARGS", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #b09cfe08ba3ef2a0 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_tests.py:27
TEST_PERF = os.environ.get("TEST_PERF")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #21cd4ef1780a66ca Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_tests.py:28
GREEN_FRAMEWORK = os.environ.get("GREEN_FRAMEWORK")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #626fb50599db4a0d Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_tests.py:29
TEST_ARGS = os.environ.get("TEST_ARGS", "").split()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #61e9befde8eadfc5 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_tests.py:30
TEST_NAME = os.environ.get("TEST_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #3fad5d0d7c2d5301 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_tests.py:31
SUB_TEST_NAME = os.environ.get("SUB_TEST_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #c01901d5b64ae793 Filesystem access.
pkgs/python/[email protected]/.evergreen/scripts/run_tests.py:53
    with open("results.json") as fid:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #9e16914f2799136d Filesystem access.
pkgs/python/[email protected]/.evergreen/scripts/run_tests.py:68
    with open("report.json", "w", newline="\n") as fid:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #5d69cf9258070084 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_tests.py:106
    env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #63376369440b2a59 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_tests.py:150
    if not os.environ.get("NO_EXT"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #800d4c182a227763 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_tests.py:153
    if os.environ.get("PYMONGOCRYPT_LIB"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #334569b9140beef9 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_tests.py:204
    if os.environ.get("DEBUG_LOG"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #6ddab7224b717f11 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/run_tests.py:207
    if os.environ.get("COVERAGE"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #105cb8da22715909 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:57
    value = os.environ.get(var, "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #7df319123c4ca06d Filesystem access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:65
    with open("/etc/os-release") as fid:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #946b0c7b54f9de7f Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:111
        url = os.environ["LIBMONGOCRYPT_URL"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low pii_flow tooling Excluded from app score unreachable #09b6e19c1ca70c01 User/PII-bearing data read from the environment or filesystem flows to an external network call. This is potential data exfiltration. Non-production path — not application runtime.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:116 · flow /tmp/closeopen-cqchdknf/pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:111 → /tmp/closeopen-cqchdknf/pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:116
    with request.urlopen(request.Request(url), timeout=15.0) as response:  # noqa: S310

User/PII-bearing data flows to an external sink — the classic data-exfiltration shape.

Fix: Confirm no user identifiers reach this sink; redact/hash before sending, or remove the flow.

low env_fs tooling Excluded from app score unreachable #04bb03b7593149df Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:181
            write_env(var, os.environ.get(var, getattr(opts, var.lower(), "")))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #ab83b343d613ccfc Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:200
        env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #32797f2a6ef50869 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:223
        if "AWS_ACCESS_KEY_ID" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #782a7b82da3678bb Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:225
                if key in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #e2d49ef97f23d272 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:226
                    write_env(key, os.environ[key])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #bd70add2c0411eb9 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:268
            os.environ["KRB5_CONFIG"] = str(krb_conf)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #06108df7f0e46b81 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:281
        SINGLE_MONGOS_LB_URI = os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #663f8b4c40362431 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:281
        SINGLE_MONGOS_LB_URI = os.environ.get(
            "SINGLE_MONGOS_LB_URI", "mongodb://127.0.0.1:8000/?loadBalanced=true"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #fb473a19c4dbfaf3 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:284
        MULTI_MONGOS_LB_URI = os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #ccfb31e5e4796a9f Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:284
        MULTI_MONGOS_LB_URI = os.environ.get(
            "MULTI_MONGOS_LB_URI", "mongodb://127.0.0.1:8001/?loadBalanced=true"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #aa4a3c9d2ead2cb4 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:304
            os.environ["OCSP_SERVER_TYPE"] = sub_test_name

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #3930a53ca7069ae6 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:306
            if name not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #9b70c407559497d5 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:309
        server_type = os.environ["OCSP_SERVER_TYPE"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #6cce9188d67cc877 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:310
        orch_file = os.environ["ORCHESTRATION_FILE"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #c4ded65c16969dfa Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:321
            env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #7aa303ee6a47b96a Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:328
        version = os.environ.get("VERSION", "latest")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #d21eec1da0933499 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:349
    compressors = os.environ.get("COMPRESSORS") or opts.compressor

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #c73aaf29d657b2b0 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:412
        if "AWS_ROLE_SESSION_NAME" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #41de860acbb7dfb2 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/setup_tests.py:472
        framework = opts.green_framework or os.environ["GREEN_FRAMEWORK"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #24b164a46ed44258 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/teardown_tests.py:10
TEST_NAME = os.environ.get("TEST_NAME", "unconfigured")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #1e9bdf58bc6a9b3c Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/teardown_tests.py:11
SUB_TEST_NAME = os.environ.get("SUB_TEST_NAME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #0df0c4fb79c72c0e Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/teardown_tests.py:52
    Path(os.environ["OUTPUT_FILE"]).unlink(missing_ok=True)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #d62d4655139f1f7f Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/teardown_tests.py:61
if os.environ.get("COVERAGE"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #6d18ccd906b59f58 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/utils.py:15
DRIVERS_TOOLS = os.environ.get("DRIVERS_TOOLS", "").replace(os.sep, "/")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #11c61426549ad027 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/utils.py:169
        if env_var in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #581dcc75f4780927 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/utils.py:173
                opts.auth = os.environ.get("AUTH") == "auth"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #deb029bfde4e73ce Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/utils.py:175
                ssl_opt = os.environ.get("SSL", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #d8356d9be183a4ad Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/utils.py:178
                if os.environ[env_var]:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #233fff30aa974ce3 Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/utils.py:181
                setattr(opts, key, os.environ[env_var])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #d342383baa612e0a Environment-variable access.
pkgs/python/[email protected]/.evergreen/scripts/utils.py:211
    env = kwargs.pop("env", os.environ).copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #62fec7c1eb06da4c Environment-variable access.
pkgs/python/[email protected]/_setup.py:71
            if os.environ.get("PYMONGO_C_EXT_MUST_BUILD"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #26827bd4f26c24ec Environment-variable access.
pkgs/python/[email protected]/_setup.py:88
            if "ProgramFiles" in os.environ and "ProgramFiles(x86)" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #62706435cb03d1f2 Environment-variable access.
pkgs/python/[email protected]/_setup.py:89
                os.environ["ProgramFiles(x86)"] = os.environ["ProgramFiles"] + " (x86)"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f35629ea93e11fcc Environment-variable access.
pkgs/python/[email protected]/_setup.py:94
            if os.environ.get("PYMONGO_C_EXT_MUST_BUILD"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #63043c3c9e271bd3 Environment-variable access.
pkgs/python/[email protected]/_setup.py:127
if "--no_ext" in sys.argv or os.environ.get("NO_EXT"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0a8f440ecfd7c0bb Environment-variable access.
pkgs/python/[email protected]/pymongo/auth_oidc_shared.py:81
        token_file = os.environ.get("OIDC_TOKEN_FILE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8600f9e8954fa4e6 Filesystem access.
pkgs/python/[email protected]/pymongo/auth_oidc_shared.py:86
        with open(token_file) as fid:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #894a7ecbbad1d78e Environment-variable access.
pkgs/python/[email protected]/pymongo/auth_oidc_shared.py:92
        token_file = os.environ.get("AWS_WEB_IDENTITY_TOKEN_FILE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4e7961f117287d07 Filesystem access.
pkgs/python/[email protected]/pymongo/auth_oidc_shared.py:97
        with open(token_file) as fid:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3752b301b68a5d58 Environment-variable access.
pkgs/python/[email protected]/pymongo/auth_oidc_shared.py:129
        if key in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b17178f8f623c39f Environment-variable access.
pkgs/python/[email protected]/pymongo/auth_oidc_shared.py:130
            fname = os.environ[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d561ad92cfddc7fa Filesystem access.
pkgs/python/[email protected]/pymongo/auth_oidc_shared.py:131
    with open(fname) as fid:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3b3a3ac030db24fa Filesystem access.
pkgs/python/[email protected]/pymongo/common.py:238
    open(value).close()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa4e7cc738df9cbc Filesystem access.
pkgs/python/[email protected]/pymongo/daemon.py:64
            with open(os.devnull, "r+b") as devnull:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f986f527d2fe181b Filesystem access.
pkgs/python/[email protected]/pymongo/daemon.py:95
            with open(os.devnull, "r+b") as devnull:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #daed001b5f85c824 Environment-variable access.
pkgs/python/[email protected]/pymongo/logger.py:165
        document_length = int(os.getenv("MONGOB_LOG_MAX_DOCUMENT_LENGTH", _DEFAULT_DOCUMENT_LENGTH))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f17248646c6b070c Environment-variable access.
pkgs/python/[email protected]/pymongo/pool_options.py:78
        "architecture": os.environ.get("PROCESSOR_ARCHITECTURE") or platform.machine(),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7acf09703e77a5a7 Environment-variable access.
pkgs/python/[email protected]/pymongo/pool_options.py:119
    if os.getenv(ENV_VAR_K8S):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1d136ccccae9d677 Environment-variable access.
pkgs/python/[email protected]/pymongo/pool_options.py:126
    if os.getenv("AWS_LAMBDA_RUNTIME_API"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a4accd5c1ed693cd Environment-variable access.
pkgs/python/[email protected]/pymongo/pool_options.py:128
    env = os.getenv("AWS_EXECUTION_ENV")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #001246c7ff50f0ae Environment-variable access.
pkgs/python/[email protected]/pymongo/pool_options.py:135
    return bool(os.getenv("FUNCTIONS_WORKER_RUNTIME"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cd195c33725ba5d1 Environment-variable access.
pkgs/python/[email protected]/pymongo/pool_options.py:139
    return bool(os.getenv("K_SERVICE") or os.getenv("FUNCTION_NAME"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #92a2f23375e9f0ac Environment-variable access.
pkgs/python/[email protected]/pymongo/pool_options.py:143
    return bool(os.getenv("VERCEL"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3244fe477a18e3c1 Environment-variable access.
pkgs/python/[email protected]/pymongo/pool_options.py:152
    val = os.getenv(key)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9262715082b49e97 Environment-variable access.
pkgs/python/[email protected]/pymongo/pool_options.py:171
        region = os.getenv("AWS_REGION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8da134b065812a14 Environment-variable access.
pkgs/python/[email protected]/pymongo/pool_options.py:181
        region = os.getenv("FUNCTION_REGION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9b247b8ceba92e38 Environment-variable access.
pkgs/python/[email protected]/pymongo/pool_options.py:192
        region = os.getenv("VERCEL_REGION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #bd230964c82ad33e Filesystem access.
pkgs/python/[email protected]/tools/compare_import_time.py:23
    with open(f"pymongo-{sha}.log") as fid:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #6481e070638b3a87 Filesystem access.
pkgs/python/[email protected]/tools/convert_test_to_async.py:123
    with open(input_file, "r+") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #aeb98bd19bfaea09 Filesystem access.
pkgs/python/[email protected]/tools/convert_test_to_async.py:127
        with open(output_file, "w+") as f2:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #12f70b76d11d21d9 Filesystem access.
pkgs/python/[email protected]/tools/ensure_future_annotations_import.py:29
        with open(path) as fid:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #da5824f959a81450 Filesystem access.
pkgs/python/[email protected]/tools/synchro.py:290
            with open(file, "r+") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #0c9063ad070525a6 Environment-variable access.
pkgs/python/[email protected]/tools/synchro.py:442
            and "OVERRIDE_SYNCHRO_CHECK" not in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pypandoc

python dependency
expand_more 15 low-confidence finding(s)
low env_fs dependency Excluded from app score #d5b38bce51d00f38 Filesystem access.
pkgs/python/[email protected]/binary/hatch_build.py:67
            with open(path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #964b3e2fc21a1ab6 Filesystem access.
pkgs/python/[email protected]/binary/hatch_build.py:78
        with open(init_path, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #865639fd0eccce40 Filesystem access.
pkgs/python/[email protected]/binary/hatch_build.py:87
        with open(readme_path, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1795cb44065df892 Environment-variable access.
pkgs/python/[email protected]/pypandoc/__init__.py:496
    new_env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d7f18489df0236f7 Environment-variable access.
pkgs/python/[email protected]/pypandoc/__init__.py:725
    new_env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fff4f52b3a84a459 Environment-variable access.
pkgs/python/[email protected]/pypandoc/__init__.py:729
    if "HOME" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dc95cea6317fc92c Environment-variable access.
pkgs/python/[email protected]/pypandoc/__init__.py:856
            if os.getenv("ProgramFiles", None):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4e843379b99fd9b6 Environment-variable access.
pkgs/python/[email protected]/pypandoc/__init__.py:863
            if os.getenv("ProgramFiles(x86)", None):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #71aaa01186b6386c Environment-variable access.
pkgs/python/[email protected]/pypandoc/__init__.py:878
        if os.getenv("PYPANDOC_PANDOC", None):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a7cee9f4c713d720 Environment-variable access.
pkgs/python/[email protected]/pypandoc/__init__.py:879
            search_paths = [os.getenv("PYPANDOC_PANDOC")]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1bfef3b5c2f9fd40 Environment-variable access.
pkgs/python/[email protected]/pypandoc/__init__.py:979
        os.environ["PATH"] = (

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f2a22f1ba7adf427 Environment-variable access.
pkgs/python/[email protected]/pypandoc/__init__.py:980
            os.environ.get("PATH", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #33446687e2273aa9 Environment-variable access.
pkgs/python/[email protected]/pypandoc/_cli.py:20
    env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5731c049026bd311 Environment-variable access.
pkgs/python/[email protected]/pypandoc/pandoc_download.py:51
    github_token = os.environ.get("GITHUB_TOKEN", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e3da3bf7f539c919 Filesystem access.
pkgs/python/[email protected]/pypandoc/pandoc_download.py:333
        with open(filename, "wb") as out_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pypdf

python dependency
expand_more 9 low-confidence finding(s)
low env_fs dependency Excluded from app score #c3e5450008e2cbb1 Filesystem access.
pkgs/python/[email protected]/pypdf/_page.py:1896
            debug_path.joinpath("fonts.json").write_text(
                json.dumps(fonts, indent=2, default=asdict),
                "utf-8"
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #017093e68b8ac7c1 Filesystem access.
pkgs/python/[email protected]/pypdf/_reader.py:168
            with open(stream, "rb") as fh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fd46d31ae73c1ba9 Filesystem access.
pkgs/python/[email protected]/pypdf/_text_extraction/_layout_mode/_fixed_width_page.py:250
        debug_path.joinpath("bt_groups.json").write_text(
            json.dumps(ty_groups, indent=2, default=str), "utf-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #07be80ea1fa11edf Filesystem access.
pkgs/python/[email protected]/pypdf/_text_extraction/_layout_mode/_fixed_width_page.py:316
        debug_path.joinpath("bts.json").write_text(
            json.dumps(bt_groups, indent=2, default=str), "utf-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9dbea906d8b8042c Filesystem access.
pkgs/python/[email protected]/pypdf/_text_extraction/_layout_mode/_fixed_width_page.py:319
        debug_path.joinpath("tjs.json").write_text(
            json.dumps(
                tj_ops, indent=2, default=lambda x: getattr(x, "to_dict", str)(x)
            ),
            "utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a66dcceb296fc0bb Filesystem access.
pkgs/python/[email protected]/pypdf/_utils.py:368
    with open("pypdf_pdfLocation.txt", "wb") as output_fh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #159f7bc34a99efe4 Filesystem access.
pkgs/python/[email protected]/pypdf/_writer.py:231
                with open(fileobj, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9e48f9f53b4cb79d Environment-variable access.
pkgs/python/[email protected]/pypdf/filters.py:719
            environment = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #fc433661f156c2cc Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/python/[email protected]/resources/afm_to_dataclass.py:24
        with urllib.request.urlopen(
            f"https://{FONT_LOC}"
        ) as connection, ZipFile(BytesIO(

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

pytest

python dependency
expand_more 433 low-confidence finding(s)
low env_fs dependency Excluded from app score #213fe98f40b56be0 Environment-variable access.
pkgs/python/[email protected]/doc/en/conf.py:272
    os.getenv("READTHEDOCS", "False") == "True"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #43f0a68a6f18c4c2 Environment-variable access.
pkgs/python/[email protected]/doc/en/conf.py:273
    and os.environ["READTHEDOCS_VERSION_TYPE"] == "tag"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ae6bcf925237c87f Filesystem access.
pkgs/python/[email protected]/doc/en/example/customdirectory/conftest.py:16
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #446149185e970535 Filesystem access.
pkgs/python/[email protected]/doc/en/example/multipython.py:36
        dumpfile.write_text(
            textwrap.dedent(
                rf"""
                import pickle
                f = open({str(self.picklefile)!r}, 'wb')
                s = pickle.dump({obj!r}, f, protocol=2)
                f.close()
                """
            )
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #27920e36037c3ba6 Filesystem access.
pkgs/python/[email protected]/doc/en/example/multipython.py:50
        loadfile.write_text(
            textwrap.dedent(
                rf"""
                import pickle
                f = open({str(self.picklefile)!r}, 'rb')
                obj = pickle.load(f)
                f.close()
                res = eval({expression!r})
                if not res:
                    raise SystemExit(1)
                """
            )
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0cce85e4eb9338fe Filesystem access.
pkgs/python/[email protected]/extra/get_issues.py:41
        cachefile.write_text(json.dumps(issues), "utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6b56191054a4fb01 Filesystem access.
pkgs/python/[email protected]/extra/get_issues.py:43
        issues = json.loads(cachefile.read_text("utf-8"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #470a8953ffaaa844 Filesystem access.
pkgs/python/[email protected]/scripts/generate-gh-release-notes.py:24
    changelog_lines = p.read_text(encoding="UTF-8").splitlines()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #bbf9e2ab56cd52eb Filesystem access.
pkgs/python/[email protected]/scripts/generate-gh-release-notes.py:61
    Path(filename).write_text(md_body, encoding="UTF-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #466d78c2d9b66b36 Filesystem access.
pkgs/python/[email protected]/scripts/release.py:44
    template_text = (
        Path(__file__).parent.joinpath(template_name).read_text(encoding="UTF-8")
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #d40187168d7d12e7 Filesystem access.
pkgs/python/[email protected]/scripts/release.py:54
    target.write_text(text, encoding="UTF-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #d74af7d67428cb19 Filesystem access.
pkgs/python/[email protected]/scripts/release.py:59
    lines = index_path.read_text(encoding="UTF-8").splitlines()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #e533f741eb1ad4e2 Filesystem access.
pkgs/python/[email protected]/scripts/release.py:66
                index_path.write_text("\n".join(lines) + "\n", encoding="UTF-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #13da42686b86cf37 Environment-variable access.
pkgs/python/[email protected]/scripts/release.py:84
        env={**os.environ, "SETUPTOOLS_SCM_PRETEND_VERSION_FOR_PYTEST": version},

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6378e90a3aa3f515 Environment-variable access.
pkgs/python/[email protected]/src/_pytest/_argcomplete.py:102
if os.environ.get("_ARGCOMPLETE"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aefee65003d35765 Environment-variable access.
pkgs/python/[email protected]/src/_pytest/_io/terminalwriter.py:37
    if os.environ.get("PY_COLORS") == "1":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #971bdcaf31192db0 Environment-variable access.
pkgs/python/[email protected]/src/_pytest/_io/terminalwriter.py:39
    if os.environ.get("PY_COLORS") == "0":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1bb7cb31a884d8b8 Environment-variable access.
pkgs/python/[email protected]/src/_pytest/_io/terminalwriter.py:41
    if os.environ.get("NO_COLOR"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3ec54b23e6e8ff53 Environment-variable access.
pkgs/python/[email protected]/src/_pytest/_io/terminalwriter.py:43
    if os.environ.get("FORCE_COLOR"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5b8790b75fbbdb29 Environment-variable access.
pkgs/python/[email protected]/src/_pytest/_io/terminalwriter.py:46
        hasattr(file, "isatty") and file.isatty() and os.environ.get("TERM") != "dumb"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f71dbd8a119f683 Environment-variable access.
pkgs/python/[email protected]/src/_pytest/_io/terminalwriter.py:219
        theme = os.getenv("PYTEST_THEME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #75f1d460b4923e68 Environment-variable access.
pkgs/python/[email protected]/src/_pytest/_io/terminalwriter.py:220
        theme_mode = os.getenv("PYTEST_THEME_MODE", "dark")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9857981f196394d0 Environment-variable access.
pkgs/python/[email protected]/src/_pytest/_py/path.py:1137
                ignore = os.getenv("PY_IGNORE_IMPORTMISMATCH")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2c0702155b7843b9 Filesystem access.
pkgs/python/[email protected]/src/_pytest/_py/path.py:1152
                    with open(str(self), "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c52c2e29929b052 Environment-variable access.
pkgs/python/[email protected]/src/_pytest/_py/path.py:1208
                    paths = os.environ["Path"].split(";")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2c0079c46e6e80e1 Environment-variable access.
pkgs/python/[email protected]/src/_pytest/_py/path.py:1212
                        systemroot = os.environ["SYSTEMROOT"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #398b09e61636c5a9 Environment-variable access.
pkgs/python/[email protected]/src/_pytest/_py/path.py:1220
                    paths = os.environ["PATH"].split(":")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #00430e0513025bd5 Environment-variable access.
pkgs/python/[email protected]/src/_pytest/_py/path.py:1223
                tryadd += os.environ["PATHEXT"].split(os.pathsep)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8a53b0ccaa6157cc Environment-variable access.
pkgs/python/[email protected]/src/_pytest/_py/path.py:1242
            x = os.environ["HOME"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #94154a5551cfec94 Environment-variable access.
pkgs/python/[email protected]/src/_pytest/_py/path.py:1245
                x = os.environ["HOMEDRIVE"] + os.environ["HOMEPATH"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a7e4bab7bae3bf44 Environment-variable access.
pkgs/python/[email protected]/src/_pytest/_py/path.py:1416
            username = os.environ["USER"]  # linux, et al

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #711ecfb6bdd54d76 Environment-variable access.
pkgs/python/[email protected]/src/_pytest/_py/path.py:1419
                username = os.environ["USERNAME"]  # windows

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a1ba055aba02580a Filesystem access.
pkgs/python/[email protected]/src/_pytest/assertion/rewrite.py:293
        with open(pathname, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cc983ebd6146eed9 Filesystem access.
pkgs/python/[email protected]/src/_pytest/assertion/rewrite.py:326
        with open(proc_pyc, "wb") as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8a2ae5e6d5fae501 Filesystem access.
pkgs/python/[email protected]/src/_pytest/assertion/rewrite.py:346
    source = fn.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #73fdee27d045c2be Filesystem access.
pkgs/python/[email protected]/src/_pytest/assertion/rewrite.py:362
        fp = open(pyc, "rb")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #823a5966916f0b2d Environment-variable access.
pkgs/python/[email protected]/src/_pytest/cacheprovider.py:519
    if "TOX_ENV_DIR" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c64de20508aa89e8 Environment-variable access.
pkgs/python/[email protected]/src/_pytest/cacheprovider.py:520
        cache_dir_default = os.path.join(os.environ["TOX_ENV_DIR"], cache_dir_default)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #383a4af1caef0ec2 Filesystem access.
pkgs/python/[email protected]/src/_pytest/capture.py:143
            open(os.dup(f.fileno()), mode, buffering),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #518e2e83e9f42b35 Filesystem access.
pkgs/python/[email protected]/src/_pytest/capture.py:489
            self.tmpfile = open(os.devnull, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #224a5c4cfb8dee0a Environment-variable access.
pkgs/python/[email protected]/src/_pytest/compat.py:315
    return any(os.environ.get(var) for var in env_vars)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2556d6a244171cfe Environment-variable access.
pkgs/python/[email protected]/src/_pytest/config/__init__.py:219
    old_pytest_version = os.environ.get("PYTEST_VERSION")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #50f9b770970b8dcc Environment-variable access.
pkgs/python/[email protected]/src/_pytest/config/__init__.py:221
        os.environ["PYTEST_VERSION"] = __version__

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c747c3579a0d19e Environment-variable access.
pkgs/python/[email protected]/src/_pytest/config/__init__.py:241
            os.environ.pop("PYTEST_VERSION", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ab829ce435f8657b Environment-variable access.
pkgs/python/[email protected]/src/_pytest/config/__init__.py:243
            os.environ["PYTEST_VERSION"] = old_pytest_version

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8affa1cd7f6bab1f Environment-variable access.
pkgs/python/[email protected]/src/_pytest/config/__init__.py:501
        if os.environ.get("PYTEST_DEBUG"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #99a24d6150347d5a Filesystem access.
pkgs/python/[email protected]/src/_pytest/config/__init__.py:505
                err = open(
                    os.dup(err.fileno()),
                    mode=err.mode,
                    buffering=1,
                    encoding=encoding,
                )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f5d47184217844fc Environment-variable access.
pkgs/python/[email protected]/src/_pytest/config/__init__.py:874
        self._import_plugin_specs(os.environ.get("PYTEST_PLUGINS"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2e2bae33bc2c1550 Environment-variable access.
pkgs/python/[email protected]/src/_pytest/config/__init__.py:1336
        ) or bool(os.environ.get("PYTEST_DISABLE_PLUGIN_AUTOLOAD"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8e013b7b2dc94753 Environment-variable access.
pkgs/python/[email protected]/src/_pytest/config/__init__.py:1523
            env_addopts = os.environ.get("PYTEST_ADDOPTS", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #82ce1026c258d73f Environment-variable access.
pkgs/python/[email protected]/src/_pytest/config/__init__.py:1578
            not os.environ.get("PYTEST_DISABLE_PLUGIN_AUTOLOAD")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa20db5d75c29944 Filesystem access.
pkgs/python/[email protected]/src/_pytest/config/findpaths.py:102
        toml_text = filepath.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0bb975e271ae1cc3 Filesystem access.
pkgs/python/[email protected]/src/_pytest/doctest.py:144
    contents = path.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #73700244dcb24074 Filesystem access.
pkgs/python/[email protected]/src/_pytest/doctest.py:429
        text = self.path.read_text(encoding)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #95c9743bbd7f320c Filesystem access.
pkgs/python/[email protected]/src/_pytest/helpconfig.py:129
        debugfile = open(path, "w", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f3a6d49d40b0b07f Filesystem access.
pkgs/python/[email protected]/src/_pytest/junitxml.py:652
        with open(self.logfile, "w", encoding="utf-8") as logfile:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c71d30b9b5ed8c0 Environment-variable access.
pkgs/python/[email protected]/src/_pytest/monkeypatch.py:324
        if prepend and name in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #90436dd6f19962c9 Environment-variable access.
pkgs/python/[email protected]/src/_pytest/monkeypatch.py:325
            value = value + prepend + os.environ[name]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d774ac4e62dfb9d1 Environment-variable access.
pkgs/python/[email protected]/src/_pytest/monkeypatch.py:326
        self.setitem(os.environ, name, value)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #db155abb9f8ab4b1 Environment-variable access.
pkgs/python/[email protected]/src/_pytest/monkeypatch.py:334
        environ: MutableMapping[str, str] = os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #b52863097e419398 Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/python/[email protected]/src/_pytest/pastebin.py:91
            urlopen(url, data=urlencode(params).encode("ascii")).read().decode("utf-8")

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #bd395c1c67597e1e Environment-variable access.
pkgs/python/[email protected]/src/_pytest/pathlib.py:602
    ignore = os.environ.get("PY_IGNORE_IMPORTMISMATCH", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aa81bf56d7ac77ae Filesystem access.
pkgs/python/[email protected]/src/_pytest/pytester.py:790
            p.write_text(source.strip(), encoding=encoding)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ed09c6a8ae1f532d Environment-variable access.
pkgs/python/[email protected]/src/_pytest/pytester.py:1364
        env = os.environ.copy()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5ced2a2644692c31 Environment-variable access.
pkgs/python/[email protected]/src/_pytest/runner.py:215
        os.environ[var_name] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #57719722010dda01 Environment-variable access.
pkgs/python/[email protected]/src/_pytest/runner.py:217
        os.environ.pop(var_name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0532985be37578ea Environment-variable access.
pkgs/python/[email protected]/src/_pytest/terminalprogress.py:28
    if reporter is not None and reporter.isatty() and os.environ.get("TERM") != "dumb":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dbdcfb05f4a469eb Environment-variable access.
pkgs/python/[email protected]/src/_pytest/tmpdir.py:161
            from_env = os.environ.get("PYTEST_DEBUG_TEMPROOT")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d8cbe9cc2368fa16 Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:378
            s1 = initpy.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #876e14d4e9ffe2c9 Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:379
            s2 = copied.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f24120b55ee8d8fb Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:392
            s1 = otherdir.join("__init__.py").read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a7902b34d10593c0 Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:393
            s2 = copied.join("__init__.py").read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #40973618dd82a982 Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:464
        stream = open(f, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bcaf363a2012d5ef Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:478
    samplefile.write_text("samplefile\n", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3232d9440e002e58 Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:481
    execfile.write_text("x=42", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8ab63e04cb56d2e3 Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:484
    execfilepy.write_text("x=42", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #80e8d15cf5752c32 Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:496
    module_a.write_text("from .b import stuff as result\n", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b86edc9bd7a9060c Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:498
    module_b.write_text('stuff="got it"\n', encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #572bea8f2501c6fb Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:500
    module_c.write_text(
        """import py;
import otherdir.a
value = otherdir.a.result
""",
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b945f15e1f4121fc Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:508
    module_d.write_text(
        """import py;
from otherdir import a
value2 = a.result
""",
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #84e2b6d38141d916 Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:551
        file_.write_text(f"{i}", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #199597c1771bb49d Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:552
        actual = int(file_.read_text(encoding="utf-8"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #94979184d473b250 Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:714
        assert p.read_text(encoding="utf-8") == "hello"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2d9340e0f36c2baf Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:718
        p.write_text("hello", ensure=1, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #25eb530772266b2d Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:719
        assert p.read_text(encoding="utf-8") == "hello"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3712be4ce2d464ef Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:786
        newfile.write_text("42", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f66056c14137d3b8 Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:788
        s = newfile.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #febb0ae10ec99bee Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:822
        l1.write_text("foo", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #31ed6ace1210c6cc Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:824
        assert l2.read_text(encoding="utf-8") == "foo"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #81ea3ed3e982f9e8 Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:1300
        filepath.write_text("Hello", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1b49d02312dd52db Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:1307
        filepath.write_text("Hello", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #00bbd8ccb351d0b7 Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:1315
        filepath.write_text("", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5a0a01093aceb1d1 Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:1324
        filepath.write_text("Hello", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7dd05c63ea98c5bb Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:1327
        assert filepath.read_text(encoding="utf-8") == linkpath.read_text(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7817de48ab7e7bd1 Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:1327
        assert filepath.read_text(encoding="utf-8") == linkpath.read_text(
            encoding="utf-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5db7487c7ee3158e Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:1362
        filepath.write_text("", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c683096c4b24a46 Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:1493
            src.join(f).write_text(f, ensure=True, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #db443e0c7d62fd19 Environment-variable access.
pkgs/python/[email protected]/testing/_py/test_local.py:1528
        if "LANG" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ccb739db6cf9924f Environment-variable access.
pkgs/python/[email protected]/testing/_py/test_local.py:1536
        if "LANG" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #24477d89e187ad93 Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:1561
        s = x.read_text(encoding="utf8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #37b50abcc36d4fa4 Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:1569
        x.write_text(part, encoding="utf8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #823e13fcbf6781f3 Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:1571
        assert x.read_text(encoding="utf8") == part

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #413b6aed55d76777 Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:1577
        x.write_text(part, "ascii")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ba18f354d0a0db05 Filesystem access.
pkgs/python/[email protected]/testing/_py/test_local.py:1578
        s = x.read_text("ascii")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #60d26e7b595c36e5 Environment-variable access.
pkgs/python/[email protected]/testing/acceptance_test.py:22
    cur = os.getenv("PYTHONPATH")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a9425c28fbcea5ab Filesystem access.
pkgs/python/[email protected]/testing/acceptance_test.py:279
        sub1.joinpath("conftest.py").write_text("assert 0", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e6cd703b8412b2b6 Filesystem access.
pkgs/python/[email protected]/testing/acceptance_test.py:518
        p.write_text("def test_foo(): pass", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #32d9d02041b2b5c6 Filesystem access.
pkgs/python/[email protected]/testing/acceptance_test.py:663
        path.joinpath("test_hello.py").write_text("raise ImportError", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1c40e37bf8738b50 Filesystem access.
pkgs/python/[email protected]/testing/acceptance_test.py:672
        pkg.joinpath("test_foo.py").write_text(
            "print('hello from test_foo')\ndef test(): pass", encoding="utf-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #79ddd328760b7caf Filesystem access.
pkgs/python/[email protected]/testing/acceptance_test.py:675
        pkg.joinpath("conftest.py").write_text(
            "def pytest_configure(config): print('configuring')", encoding="utf-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f3cf3150e2dd325 Filesystem access.
pkgs/python/[email protected]/testing/acceptance_test.py:689
        pytester.path.joinpath("t.py").write_text("def test(): pass", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d337e96deb865aca Filesystem access.
pkgs/python/[email protected]/testing/acceptance_test.py:698
        path.joinpath("test_hello.py").write_text(
            "def test_hello(): pass", encoding="utf-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b9b93914f0774b53 Filesystem access.
pkgs/python/[email protected]/testing/acceptance_test.py:701
        path.joinpath("test_world.py").write_text(
            "def test_world(): pass", encoding="utf-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b687b742b6de866c Filesystem access.
pkgs/python/[email protected]/testing/acceptance_test.py:745
            ns.joinpath("__init__.py").write_text(
                "__import__('pkg_resources').declare_namespace(__name__)",
                encoding="utf-8",
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #10a9269edf4d59b6 Filesystem access.
pkgs/python/[email protected]/testing/acceptance_test.py:752
            lib.joinpath(f"test_{dirname}.py").write_text(
                f"def test_{dirname}(): pass\ndef test_other():pass",
                encoding="utf-8",
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f4fc37638024d8a Filesystem access.
pkgs/python/[email protected]/testing/acceptance_test.py:839
        lib.joinpath("test_bar.py").write_text(
            "def test_bar(): pass\ndef test_other(a_fixture):pass", encoding="utf-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ae201d065f1c85b0 Filesystem access.
pkgs/python/[email protected]/testing/acceptance_test.py:842
        lib.joinpath("conftest.py").write_text(
            "import pytest\[email protected]\ndef a_fixture():pass", encoding="utf-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #26f4db25d87d0927 Filesystem access.
pkgs/python/[email protected]/testing/acceptance_test.py:1447
    fullXml = pytester.path.joinpath("output.xml").read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #faabd43854ebaa1f Filesystem access.
pkgs/python/[email protected]/testing/code/test_excinfo.py:399
    tmp_path.joinpath("test.txt").write_text("{{ h()}}:", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cc51c859495559bd Filesystem access.
pkgs/python/[email protected]/testing/code/test_excinfo.py:596
            modpath.write_text(source, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6c4e32b6f3ef4376 Filesystem access.
pkgs/python/[email protected]/testing/code/test_excinfo.py:1252
        tmp_path.joinpath("mod.py").write_text("asdf", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #40f633c0bb9fd0c0 Filesystem access.
pkgs/python/[email protected]/testing/code/test_source.py:298
    path.write_text(str(source), encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bfd9c3c041def3ee Filesystem access.
pkgs/python/[email protected]/testing/example_scripts/customdirectory/conftest.py:13
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef3b65e25e555b74 Filesystem access.
pkgs/python/[email protected]/testing/example_scripts/perf_examples/collect_stats/generate_folders.py:9
TEST_CONTENT = (HERE / "template_test.py").read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d55ba1670abbccc5 Filesystem access.
pkgs/python/[email protected]/testing/io/test_terminalwriter.py:75
            f = open(str(p), "w+", encoding="utf8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #90f15f8234a11d7b Filesystem access.
pkgs/python/[email protected]/testing/io/test_terminalwriter.py:80
                with open(str(p), encoding="utf8") as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #68205749260ee5ac Environment-variable access.
pkgs/python/[email protected]/testing/io/test_terminalwriter.py:188
    monkeypatch.setitem(os.environ, "PY_COLORS", "1")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #af839a0d2fe74d2d Environment-variable access.
pkgs/python/[email protected]/testing/io/test_terminalwriter.py:193
    monkeypatch.setitem(os.environ, "PY_COLORS", "0")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ed53d46c00294212 Environment-variable access.
pkgs/python/[email protected]/testing/io/test_terminalwriter.py:198
    monkeypatch.setitem(os.environ, "NO_COLOR", "1")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #599c811dcfcce1fd Environment-variable access.
pkgs/python/[email protected]/testing/io/test_terminalwriter.py:203
    monkeypatch.setitem(os.environ, "FORCE_COLOR", "1")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9d9dfe2bc02cd95f Environment-variable access.
pkgs/python/[email protected]/testing/io/test_terminalwriter.py:221
    monkeypatch.setitem(os.environ, "NO_COLOR", NO_COLOR)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #69c660b678b464b4 Environment-variable access.
pkgs/python/[email protected]/testing/io/test_terminalwriter.py:222
    monkeypatch.setitem(os.environ, "FORCE_COLOR", FORCE_COLOR)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1d6dd8c14b430d2c Environment-variable access.
pkgs/python/[email protected]/testing/io/test_terminalwriter.py:228
    monkeypatch.setitem(os.environ, "NO_COLOR", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #43610f4c3c81e037 Environment-variable access.
pkgs/python/[email protected]/testing/io/test_terminalwriter.py:229
    monkeypatch.setitem(os.environ, "FORCE_COLOR", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #11cbdf5d515d2b70 Filesystem access.
pkgs/python/[email protected]/testing/logging/test_reporting.py:87
    with open(log_file, encoding="utf-8") as rfh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #33ec4e85a40e6a95 Filesystem access.
pkgs/python/[email protected]/testing/logging/test_reporting.py:661
    with open(log_file, encoding="utf-8") as rfh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #46eb634341b969cd Filesystem access.
pkgs/python/[email protected]/testing/logging/test_reporting.py:684
    with open(log_file, mode="w", encoding="utf-8") as wfh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ec1e810e7ab2e0bd Filesystem access.
pkgs/python/[email protected]/testing/logging/test_reporting.py:700
    with open(log_file, encoding="utf-8") as rfh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5a709d1e58830afa Filesystem access.
pkgs/python/[email protected]/testing/logging/test_reporting.py:759
    with open(log_file, encoding="utf-8") as rfh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cf9182585d94ec55 Filesystem access.
pkgs/python/[email protected]/testing/logging/test_reporting.py:808
    with open(log_file, encoding="utf-8") as rfh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4f0f668f8fe02c2b Filesystem access.
pkgs/python/[email protected]/testing/logging/test_reporting.py:838
    with open(log_file, mode="w", encoding="utf-8") as wfh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb9075c25f31d1a8 Filesystem access.
pkgs/python/[email protected]/testing/logging/test_reporting.py:848
    with open(log_file, encoding="utf-8") as rfh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f11c7a5e40878bb2 Filesystem access.
pkgs/python/[email protected]/testing/logging/test_reporting.py:886
    with open(log_file, encoding="utf-8") as rfh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6205ad579a2f41c1 Filesystem access.
pkgs/python/[email protected]/testing/logging/test_reporting.py:918
    with open(log_file, encoding="utf-8") as rfh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3a616f37eb1236ce Filesystem access.
pkgs/python/[email protected]/testing/logging/test_reporting.py:1055
    with open(log_file, encoding="utf-8") as rfh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5d284f740fea51a8 Filesystem access.
pkgs/python/[email protected]/testing/logging/test_reporting.py:1089
    with open(log_file, encoding="utf-8") as rfh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #647b24fbe9d9a2f8 Filesystem access.
pkgs/python/[email protected]/testing/logging/test_reporting.py:1123
    with open(log_file, encoding="utf-8") as rfh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bab47123ef8abba5 Filesystem access.
pkgs/python/[email protected]/testing/logging/test_reporting.py:1165
    with open(os.path.join(report_dir_base, "test_first"), encoding="utf-8") as rfh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4702bd9cdafff90a Filesystem access.
pkgs/python/[email protected]/testing/logging/test_reporting.py:1169
    with open(os.path.join(report_dir_base, "test_second"), encoding="utf-8") as rfh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0f4cb3b172ec15a9 Filesystem access.
pkgs/python/[email protected]/testing/logging/test_reporting.py:1214
    with open(test_first_log_file, mode="w", encoding="utf-8") as wfh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #43f16738fd9c516d Filesystem access.
pkgs/python/[email protected]/testing/logging/test_reporting.py:1217
    with open(test_second_log_file, mode="w", encoding="utf-8") as wfh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d04b655adc25f7ad Filesystem access.
pkgs/python/[email protected]/testing/logging/test_reporting.py:1223
    with open(test_first_log_file, encoding="utf-8") as rfh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #710331ebcb85bf2a Filesystem access.
pkgs/python/[email protected]/testing/logging/test_reporting.py:1228
    with open(test_second_log_file, encoding="utf-8") as rfh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ded6923416763352 Filesystem access.
pkgs/python/[email protected]/testing/logging/test_reporting.py:1553
    with open(log_file, encoding="utf-8") as rfh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7c2290c503512d14 Filesystem access.
pkgs/python/[email protected]/testing/logging/test_reporting.py:1574
    with open(log_file, encoding="utf-8") as rfh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d00b662f9a1fd638 Filesystem access.
pkgs/python/[email protected]/testing/python/collect.py:57
        p.write_text(
            textwrap.dedent(
                f"""\
                import x456
                def test():
                    assert x456.__file__.startswith({str(root2)!r})
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #83fe83abb440aba6 Filesystem access.
pkgs/python/[email protected]/testing/python/collect.py:929
        b.joinpath("conftest.py").write_text(
            textwrap.dedent(
                """\
                import pytest
                @pytest.hookimpl(wrapper=True)
                def pytest_pycollect_makemodule():
                    mod = yield
                    mod.obj.hello = "world"
                    return mod
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2078bb72472b2f2c Filesystem access.
pkgs/python/[email protected]/testing/python/collect.py:942
        b.joinpath("test_module.py").write_text(
            textwrap.dedent(
                """\
                def test_hello():
                    assert hello == "world"
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #536855d987329533 Filesystem access.
pkgs/python/[email protected]/testing/python/collect.py:957
        b.joinpath("conftest.py").write_text(
            textwrap.dedent(
                """\
                import pytest
                @pytest.hookimpl(wrapper=True)
                def pytest_pycollect_makeitem():
                    result = yield
                    if result:
                        for func in result:
                            func._some123 = "world"
                    return result
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #62db4ea078ca536d Filesystem access.
pkgs/python/[email protected]/testing/python/collect.py:972
        b.joinpath("test_module.py").write_text(
            textwrap.dedent(
                """\
                import pytest

                @pytest.fixture()
                def obj(request):
                    return request.node._some123
                def test_hello(obj):
                    assert obj == "world"
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #424b92fcbaa40cb8 Filesystem access.
pkgs/python/[email protected]/testing/python/collect.py:1073
    sub1.joinpath("conftest.py").write_text(
        textwrap.dedent(
            """\
            import pytest
            def pytest_runtest_setup(item):
                assert item.path.stem == "test_in_sub1"
            def pytest_runtest_call(item):
                assert item.path.stem == "test_in_sub1"
            def pytest_runtest_teardown(item):
                assert item.path.stem == "test_in_sub1"
            """
        ),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #347fbb099dea033e Filesystem access.
pkgs/python/[email protected]/testing/python/collect.py:1087
    sub2.joinpath("conftest.py").write_text(
        textwrap.dedent(
            """\
            import pytest
            def pytest_runtest_setup(item):
                assert item.path.stem == "test_in_sub2"
            def pytest_runtest_call(item):
                assert item.path.stem == "test_in_sub2"
            def pytest_runtest_teardown(item):
                assert item.path.stem == "test_in_sub2"
            """
        ),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4fe286ca168e0fa8 Filesystem access.
pkgs/python/[email protected]/testing/python/collect.py:1101
    sub1.joinpath("test_in_sub1.py").write_text("def test_1(): pass", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #568287f44ad714cf Filesystem access.
pkgs/python/[email protected]/testing/python/collect.py:1102
    sub2.joinpath("test_in_sub2.py").write_text("def test_2(): pass", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #25204fba5381ae39 Filesystem access.
pkgs/python/[email protected]/testing/python/collect.py:1484
    fh.write_text(
        textwrap.dedent(
            """\
            import pytest
            def test_real():
                pass
            """
        ),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aece902ee1b523e0 Filesystem access.
pkgs/python/[email protected]/testing/python/collect.py:1505
    fh.write_text(
        textwrap.dedent(
            """\
            import pytest
            def test_real():
                pass
            """
        ),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4c1f6dfdc2313f1a Filesystem access.
pkgs/python/[email protected]/testing/python/collect.py:1563
    sub1_test.joinpath("test_in_sub1.py").write_text(
        "def test_1(): pass", encoding="utf-8"
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c7d3128af3eee7f Filesystem access.
pkgs/python/[email protected]/testing/python/collect.py:1566
    sub2_test.joinpath("test_in_sub2.py").write_text(
        "def test_2(): pass", encoding="utf-8"
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #05b0417901153f49 Filesystem access.
pkgs/python/[email protected]/testing/python/collect.py:1612
    root.joinpath("Test_root.py").write_text("def test_1(): pass", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #951122aa377049f1 Filesystem access.
pkgs/python/[email protected]/testing/python/collect.py:1613
    sub1.joinpath("Test_sub1.py").write_text("def test_2(): pass", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dc706211171c0f7d Filesystem access.
pkgs/python/[email protected]/testing/python/collect.py:1614
    sub2_test.joinpath("test_sub2.py").write_text(
        "def test_3(): pass", encoding="utf-8"
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b8e40bc893b675d9 Filesystem access.
pkgs/python/[email protected]/testing/python/fixtures.py:311
        subdir.joinpath("conftest.py").write_text(
            textwrap.dedent(
                """\
                import pytest

                @pytest.fixture
                def spam():
                    return 'spam'
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3c40bbea81803733 Filesystem access.
pkgs/python/[email protected]/testing/python/fixtures.py:324
        testfile.write_text(
            textwrap.dedent(
                """\
                def test_spam(spam):
                    assert spam == "spam"
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5556124a812077cd Filesystem access.
pkgs/python/[email protected]/testing/python/fixtures.py:385
        subdir.joinpath("conftest.py").write_text(
            textwrap.dedent(
                """\
                import pytest

                @pytest.fixture(params=[1, 2, 3])
                def spam(request):
                    return request.param
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6c659f2b5e4536f6 Filesystem access.
pkgs/python/[email protected]/testing/python/fixtures.py:398
        testfile.write_text(
            textwrap.dedent(
                """\
                params = {'spam': 1}

                def test_spam(spam):
                    assert spam == params['spam']
                    params['spam'] += 1
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3617ec66d9af7d2f Filesystem access.
pkgs/python/[email protected]/testing/python/fixtures.py:431
        subdir.joinpath("conftest.py").write_text(
            textwrap.dedent(
                """\
                import pytest

                @pytest.fixture(params=[1, 2, 3])
                def spam(request):
                    return request.param
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #db986afb84506f90 Filesystem access.
pkgs/python/[email protected]/testing/python/fixtures.py:444
        testfile.write_text(
            textwrap.dedent(
                """\
                params = {'spam': 1}

                def test_spam(spam):
                    assert spam == params['spam']
                    params['spam'] += 1
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #33b2dad5147919cd Filesystem access.
pkgs/python/[email protected]/testing/python/fixtures.py:1233
        b.joinpath("conftest.py").write_text(
            textwrap.dedent(
                """\
                import pytest
                @pytest.fixture
                def arg1():
                    pass
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c4fc883b8ed6149d Filesystem access.
pkgs/python/[email protected]/testing/python/fixtures.py:1245
        p.write_text("def test_func(arg1): pass", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7999f92d845caf7d Filesystem access.
pkgs/python/[email protected]/testing/python/fixtures.py:1958
        package.joinpath("conftest.py").write_text(
            textwrap.dedent(
                """\
            import pytest
            @pytest.fixture
            def one():
                return 1
            """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7e9c1add84741847 Filesystem access.
pkgs/python/[email protected]/testing/python/fixtures.py:1969
        package.joinpath("test_x.py").write_text(
            textwrap.dedent(
                """\
                def test_x(one):
                    assert one == 1
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cc630951ee94fe5d Filesystem access.
pkgs/python/[email protected]/testing/python/fixtures.py:1981
        sub.joinpath("conftest.py").write_text(
            textwrap.dedent(
                """\
                import pytest
                @pytest.fixture
                def one():
                    return 2
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5680ec6e96aa8a7a Filesystem access.
pkgs/python/[email protected]/testing/python/fixtures.py:1992
        sub.joinpath("test_y.py").write_text(
            textwrap.dedent(
                """\
                def test_x(one):
                    assert one == 2
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cd27d952c26dbed1 Filesystem access.
pkgs/python/[email protected]/testing/python/fixtures.py:2015
        package.joinpath("__init__.py").write_text(
            textwrap.dedent(
                """\
                from .. import values
                def setup_module():
                    values.append("package")
                def teardown_module():
                    values[:] = []
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #203bc4f31ff2036b Filesystem access.
pkgs/python/[email protected]/testing/python/fixtures.py:2027
        package.joinpath("test_x.py").write_text(
            textwrap.dedent(
                """\
                from .. import values
                def test_x():
                    assert values == ["package"]
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cbe384199c405f1b Filesystem access.
pkgs/python/[email protected]/testing/python/fixtures.py:2038
        package.joinpath("__init__.py").write_text(
            textwrap.dedent(
                """\
                from .. import values
                def setup_module():
                    values.append("package2")
                def teardown_module():
                    values[:] = []
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9f31d3c41324fcac Filesystem access.
pkgs/python/[email protected]/testing/python/fixtures.py:2050
        package.joinpath("test_x.py").write_text(
            textwrap.dedent(
                """\
                from .. import values
                def test_x():
                    assert values == ["package2"]
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #58cf6471ec744e92 Filesystem access.
pkgs/python/[email protected]/testing/python/fixtures.py:2071
        package.joinpath("__init__.py").write_text("", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5cd4375b777dc3ff Filesystem access.
pkgs/python/[email protected]/testing/python/fixtures.py:2072
        package.joinpath("conftest.py").write_text(
            textwrap.dedent(
                """\
                import pytest
                from .. import values
                @pytest.fixture(scope="package")
                def one():
                    values.append("package")
                    yield values
                    values.pop()
                @pytest.fixture(scope="package", autouse=True)
                def two():
                    values.append("package-auto")
                    yield values
                    values.pop()
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e1cb79d2d67188a5 Filesystem access.
pkgs/python/[email protected]/testing/python/fixtures.py:2091
        package.joinpath("test_x.py").write_text(
            textwrap.dedent(
                """\
                from .. import values
                def test_package_autouse():
                    assert values == ["package-auto"]
                def test_package(one):
                    assert values == ["package-auto", "package"]
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ee7b708a941f384e Filesystem access.
pkgs/python/[email protected]/testing/python/fixtures.py:2251
        a.joinpath("test_something.py").write_text(
            "def test_func(): pass", encoding="utf-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1f7fc12b5e397635 Filesystem access.
pkgs/python/[email protected]/testing/python/fixtures.py:2254
        b.joinpath("test_otherthing.py").write_text(
            "def test_func(): pass", encoding="utf-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d8ca0e5ff2d20bee Filesystem access.
pkgs/python/[email protected]/testing/python/fixtures.py:2293
        pkgdir.joinpath("conftest.py").write_text(
            textwrap.dedent(
                """\
                import pytest
                @pytest.fixture(autouse=True)
                def app():
                    import sys
                    sys._myapp = "hello"
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6c0226fd097335b8 Filesystem access.
pkgs/python/[email protected]/testing/python/fixtures.py:2309
        t.write_text(
            textwrap.dedent(
                """\
                import sys
                def test_app():
                    assert sys._myapp == "hello"
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #26f9044cab20507a Filesystem access.
pkgs/python/[email protected]/testing/python/fixtures.py:3340
        b.joinpath("test_overridden_fixture_finalizer.py").write_text(
            textwrap.dedent(
                """\
                import pytest
                @pytest.fixture
                def browser(browser):
                    browser['visited'] = True
                    return browser

                def test_browser(browser):
                    assert browser['visited'] is True
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6b9aeeaf8a9e6c57 Filesystem access.
pkgs/python/[email protected]/testing/python/fixtures.py:4318
        fixfile.write_text(
            textwrap.dedent(
                """\
                import pytest

                @pytest.fixture(params=[0, 1, 2])
                def fix_with_param(request):
                    return request.param
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0bdcfda5cdf70066 Filesystem access.
pkgs/python/[email protected]/testing/python/fixtures.py:4332
        testfile.write_text(
            textwrap.dedent(
                """\
                from fix import fix_with_param

                def test_foo(request):
                    request.getfixturevalue('fix_with_param')
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a5fd94a545766051 Filesystem access.
pkgs/python/[email protected]/testing/python/fixtures.py:4837
        root.joinpath("__init__.py").write_text("values = []", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #acea40a8a95c1d61 Filesystem access.
pkgs/python/[email protected]/testing/python/fixtures.py:4841
        sub1.joinpath("conftest.py").write_text(
            textwrap.dedent(
                """\
            import pytest
            from .. import values
            @pytest.fixture(scope="package")
            def fix():
                values.append("pre-sub1")
                yield values
                assert values.pop() == "pre-sub1"
        """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1e6d94317a23cc66 Filesystem access.
pkgs/python/[email protected]/testing/python/fixtures.py:4855
        sub1.joinpath("test_1.py").write_text(
            textwrap.dedent(
                """\
            from .. import values
            def test_1(fix):
                assert values == ["pre-sub1"]
        """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #741bea0c4982f483 Filesystem access.
pkgs/python/[email protected]/testing/python/fixtures.py:4868
        sub2.joinpath("conftest.py").write_text(
            textwrap.dedent(
                """\
            import pytest
            from .. import values
            @pytest.fixture(scope="package")
            def fix():
                values.append("pre-sub2")
                yield values
                assert values.pop() == "pre-sub2"
        """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #21151e97cf245f18 Filesystem access.
pkgs/python/[email protected]/testing/python/fixtures.py:4882
        sub2.joinpath("test_2.py").write_text(
            textwrap.dedent(
                """\
            from .. import values
            def test_2(fix):
                assert values == ["pre-sub2"]
        """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eb189025fbf7db50 Filesystem access.
pkgs/python/[email protected]/testing/python/metafunc.py:1585
        sub1.joinpath("conftest.py").write_text(
            textwrap.dedent(
                """\
                def pytest_generate_tests(metafunc):
                    assert metafunc.function.__name__ == "test_1"
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5937afee9b595770 Filesystem access.
pkgs/python/[email protected]/testing/python/metafunc.py:1594
        sub2.joinpath("conftest.py").write_text(
            textwrap.dedent(
                """\
                def pytest_generate_tests(metafunc):
                    assert metafunc.function.__name__ == "test_2"
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #605a54e3e66b7cf4 Filesystem access.
pkgs/python/[email protected]/testing/python/metafunc.py:1603
        sub1.joinpath("test_in_sub1.py").write_text(
            "def test_1(): pass", encoding="utf-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d8d2d3b997a0c6fd Filesystem access.
pkgs/python/[email protected]/testing/python/metafunc.py:1606
        sub2.joinpath("test_in_sub2.py").write_text(
            "def test_2(): pass", encoding="utf-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eb7949cd75be271d Filesystem access.
pkgs/python/[email protected]/testing/test_assertion.py:1879
    a.joinpath("test_a.py").write_text("def test_a(): assert 1 == 2", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9e244efa6c0a322a Filesystem access.
pkgs/python/[email protected]/testing/test_assertion.py:1880
    a.joinpath("conftest.py").write_text(
        'def pytest_assertrepr_compare(): return ["summary a"]', encoding="utf-8"
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b7b93b962d28ff1d Filesystem access.
pkgs/python/[email protected]/testing/test_assertion.py:1884
    b.joinpath("test_b.py").write_text("def test_b(): assert 1 == 2", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7f0a4a08726ca0bd Filesystem access.
pkgs/python/[email protected]/testing/test_assertion.py:1885
    b.joinpath("conftest.py").write_text(
        'def pytest_assertrepr_compare(): return ["summary b"]', encoding="utf-8"
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #589377aec10dd655 Filesystem access.
pkgs/python/[email protected]/testing/test_assertrewrite.py:361
        pkgdir.joinpath("__init__.py").write_text(
            "import pytest\n"
            "@pytest.fixture\n"
            "def special_asserter():\n"
            "    def special_assert(x, y):\n"
            "        assert x == y\n"
            "    return special_assert\n",
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8898037a192ae988 Filesystem access.
pkgs/python/[email protected]/testing/test_assertrewrite.py:381
        xdir.joinpath("test_Y").joinpath("__init__.py").write_text(
            "x = 2", encoding="utf-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6fb4222193f9d4dd Filesystem access.
pkgs/python/[email protected]/testing/test_assertrewrite.py:998
        pytester.path.joinpath("__pycache__").write_text("Hello", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ad73943bfe7589ec Filesystem access.
pkgs/python/[email protected]/testing/test_assertrewrite.py:1172
        pkg.joinpath("test_blah.py").write_text(
            """
def test_rewritten():
    assert "@py_builtins" in globals()""",
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #99cfb1ac6be75c4c Filesystem access.
pkgs/python/[email protected]/testing/test_assertrewrite.py:1356
        source.write_text("def test(): pass", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #77cb7d2709e5d111 Filesystem access.
pkgs/python/[email protected]/testing/test_assertrewrite.py:1359
        contents = pyc.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #081758b75c573459 Filesystem access.
pkgs/python/[email protected]/testing/test_assertrewrite.py:1382
        fn.write_text("def test(): assert True", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2c0847cab8e2b92a Filesystem access.
pkgs/python/[email protected]/testing/test_assertrewrite.py:1468
        path.joinpath("test_foo.py").write_text(
            textwrap.dedent(
                """\
                class Test(object):
                    def test_foo(self):
                        import pkgutil
                        data = pkgutil.get_data('foo.test_foo', 'data.txt')
                        assert data == b'Hey'
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #45ed7383956aa4e4 Filesystem access.
pkgs/python/[email protected]/testing/test_assertrewrite.py:1480
        path.joinpath("data.txt").write_text("Hey", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8f18e20de1ee72b2 Filesystem access.
pkgs/python/[email protected]/testing/test_cacheprovider.py:64
        pytester.path.joinpath(".pytest_cache").write_text(
            "gone wrong", encoding="utf-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #71963cb688620456 Filesystem access.
pkgs/python/[email protected]/testing/test_cacheprovider.py:1167
        p1.write_text(
            "def test_1(): assert 1\ndef test_2(): assert 1\n", encoding="utf-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cfd8be50e36c351e Filesystem access.
pkgs/python/[email protected]/testing/test_cacheprovider.py:1239
        p1.write_text(
            "import pytest\n"
            "@pytest.mark.parametrize('num', [1, 2, 3])\n"
            "def test_1(num): assert num\n",
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #73e623ef19332cca Filesystem access.
pkgs/python/[email protected]/testing/test_cacheprovider.py:1308
    assert gitignore_path.read_text(encoding="UTF-8") == msg

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #331fd08ceb22c820 Filesystem access.
pkgs/python/[email protected]/testing/test_cacheprovider.py:1311
    gitignore_path.write_text("custom", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3a5c9efb9c421f81 Filesystem access.
pkgs/python/[email protected]/testing/test_cacheprovider.py:1318
    assert gitignore_path.read_text(encoding="UTF-8") == "custom"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a32136895f213d02 Filesystem access.
pkgs/python/[email protected]/testing/test_cacheprovider.py:1359
    assert cachedir_tag_path.read_bytes() == CACHEDIR_FILES["CACHEDIR.TAG"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7a0a62588b8f0caa Filesystem access.
pkgs/python/[email protected]/testing/test_capture.py:796
    sub1.joinpath("conftest.py").write_text(
        textwrap.dedent(
            """\
            def pytest_runtest_setup(item):
                raise ValueError(42)
            """
        ),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2b364fa008c6426f Filesystem access.
pkgs/python/[email protected]/testing/test_capture.py:805
    sub1.joinpath("test_mod.py").write_text("def test_func1(): pass", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #535eead4b5c0fc10 Filesystem access.
pkgs/python/[email protected]/testing/test_capture.py:1092
        with open(tmpfile.name, "rb") as stmp_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #88840029da234d5f Filesystem access.
pkgs/python/[email protected]/testing/test_capture.py:1624
    with open("caplog", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4d2974e75408266e Filesystem access.
pkgs/python/[email protected]/testing/test_capture.py:1631
    with open("capstdout", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #657a9148a4fd8601 Filesystem access.
pkgs/python/[email protected]/testing/test_collect_imported_tests.py:16
    src_file.write_text(
        textwrap.dedent("""\
            class Testament:
                def test_collections(self):
                    pass

            def test_testament(): pass
        """),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #225b0d228fa55c22 Filesystem access.
pkgs/python/[email protected]/testing/test_collect_imported_tests.py:28
    test_file.write_text(
        textwrap.dedent("""\
            from foo import Testament, test_testament

            class TestDomain:
                def test(self):
                    testament = Testament()
                    assert testament
        """),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #36479c176842ff53 Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:151
            x.write_text("def test_hello(): pass", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5a42076e019c7ef0 Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:170
        testfile.write_text("def test_hello(): pass", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e4c56bce07c926eb Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:189
        testfile.write_text("def test_hello(): pass", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c9ddb767ebb40a99 Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:214
        ensure_file(tmp_path / "mydir" / "test_hello.py").write_text(
            "def test_1(): pass", encoding="utf-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef9b8713603f173c Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:217
        ensure_file(tmp_path / "xyz123" / "test_2.py").write_text(
            "def test_2(): 0/0", encoding="utf-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d01dc73483685247 Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:220
        ensure_file(tmp_path / "xy" / "test_ok.py").write_text(
            "def test_3(): pass", encoding="utf-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2d9d71e6c27726cd Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:236
        ensure_file(tmp_path / "a" / "test_1.py").write_text(
            "def test_a(): pass", encoding="utf-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a661a0104c8f1606 Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:239
        ensure_file(tmp_path / "b" / "tests" / "test_2.py").write_text(
            "def test_b(): pass", encoding="utf-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6310cd4232593b1f Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:242
        ensure_file(tmp_path / "c" / "tests" / "test_3.py").write_text(
            "def test_c(): pass", encoding="utf-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #615e7489dea9dd51 Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:378
        ensure_file(sub / "test_hello.py").write_text("syntax error", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3c7433f3ff57783e Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:379
        sub.joinpath("conftest.py").write_text("syntax error", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #97c06e14e49c3d1b Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:1138
    foo_path.joinpath("conftest.py").write_text(
        textwrap.dedent(
            """\
            import pytest
            @pytest.fixture
            def fix():
                return 1
            """
        ),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #881840f609eaabbd Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:1149
    foo_path.joinpath("test_foo.py").write_text(
        "def test_foo(fix): assert fix == 1", encoding="utf-8"
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bcbdf3785e26eb0c Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:1155
    food_path.joinpath("test_food.py").write_text(
        "def test_food(fix): assert fix == 1", encoding="utf-8"
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ff3377c6a0dbfc40 Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:1295
    pytester.path.joinpath("conftest.py").write_text(
        textwrap.dedent(
            f"""
            import os
            os.chdir({str(subdir)!r})
            """
        ),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #672536ec679ed0ca Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:1331
    testmod.joinpath("__init__.py").write_text(
        "def test_func(): pass", encoding="utf-8"
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c07e1db055795e78 Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:1334
    testmod.joinpath("test_file.py").write_text(
        "def test_func(): pass", encoding="utf-8"
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5a8fc8b6f873c983 Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:1339
    root.joinpath("pytest.ini").write_text(
        textwrap.dedent(
            """
        [pytest]
        addopts = --pyargs
        testpaths = testmod
    """
        ),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c6192085b9e68c94 Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:1359
    p.joinpath("conftest.py").write_text(
        textwrap.dedent(
            """
            def pytest_sessionstart(session):
                raise Exception("pytest_sessionstart hook successfully run")
            """
        ),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #41f1005b0e25932f Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:1425
    real.write_text(
        textwrap.dedent(
            """
        def test_nodeid(request):
            # Should not contain sub/ prefix.
            assert request.node.nodeid == "test_real.py::test_nodeid"
        """
        ),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #270dfbe99286b810 Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:1453
    dir.joinpath("test_it.py").write_text("def test_it(): pass", "utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0406317c980bfd50 Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:1462
    tests.joinpath("conftest.py").write_text(
        "collect_ignore = ['ignore_me']", encoding="utf-8"
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a33b90aaa2cd9b49 Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:1469
    ignore_me.joinpath("conftest.py").write_text(
        "assert 0, 'should_not_be_called'", encoding="utf-8"
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #678c9c3377438e98 Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:1480
    init.write_text("def test_init(): pass", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #495f26cdfa5b3849 Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:1482
    p.write_text("def test_file(): pass", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2a22777b59e6b602 Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:1517
    init.write_text("def test_init(): pass", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6fc214367a0270aa Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:1535
    sub.joinpath("test_file.py").write_text("def test_file(): pass", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a5231a42c9b9314b Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:1573
    pydir.joinpath("__init__.py").write_text("assert False", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5947e1019006000d Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:1780
    test_file.write_text("def test(): pass", encoding="UTF-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5c9caa33fcf07caa Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:1803
    (target / "test_chain.py").write_text("def test_chain(): pass", encoding="UTF-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ec5fab6667d2918c Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:1880
    tmp_path.joinpath("test_foo.py").write_text("def test(): pass", encoding="UTF-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #59911900e6878f7d Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:1905
    ensure_file(pytester.path / "test_eggs.py").write_text(
        f"print('{head}')", encoding="UTF-8"
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b388fb9a2624bd7c Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:1908
    ensure_file(pytester.path / "test_ham.py").write_text(
        f"raise {exception_class.__name__}()", encoding="UTF-8"
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #670535ac5407d827 Filesystem access.
pkgs/python/[email protected]/testing/test_collection.py:1911
    ensure_file(pytester.path / "test_spam.py").write_text(
        f"print('{tail}')", encoding="UTF-8"
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e1af4e2d063b2276 Filesystem access.
pkgs/python/[email protected]/testing/test_config.py:54
        (tmp_path / filename).write_text(
            textwrap.dedent(
                f"""\
                [{section}]
                name = value
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #322017f721400936 Filesystem access.
pkgs/python/[email protected]/testing/test_config.py:87
        tmp_path.joinpath("pytest.ini").write_text(
            textwrap.dedent(
                """\
                [pytest]
                addopts = --verbose
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9b2d9331e7c82e96 Filesystem access.
pkgs/python/[email protected]/testing/test_config.py:141
        pytester.path.joinpath(name).write_text(
            textwrap.dedent(
                f"""
            [{section}]
            minversion = 3.36
        """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #59c3d4760a40e1f0 Filesystem access.
pkgs/python/[email protected]/testing/test_config.py:155
        pytester.path.joinpath(name).write_text(
            textwrap.dedent(
                """
            [pytest]
            minversion = "3.36"
        """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d35ec0dd1bca4a87 Filesystem access.
pkgs/python/[email protected]/testing/test_config.py:216
        pytest_toml.write_text("", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #95c6860ee7138bb3 Filesystem access.
pkgs/python/[email protected]/testing/test_config.py:288
        sub.joinpath("tox.ini").write_text(
            textwrap.dedent(
                """
            [pytest]
            minversion = 2.0
        """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1cc8b9caf9539c4c Filesystem access.
pkgs/python/[email protected]/testing/test_config.py:297
        pytester.path.joinpath("pytest.ini").write_text(
            textwrap.dedent(
                """
            [pytest]
            minversion = 1.5
        """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5df41dd8ffccbe43 Filesystem access.
pkgs/python/[email protected]/testing/test_config.py:310
        pytester.path.joinpath("pytest.ini").write_text(
            "addopts = -x", encoding="utf-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #93da0d5db90be309 Filesystem access.
pkgs/python/[email protected]/testing/test_config.py:328
        pytester.path.joinpath("pytest.toml").write_text(
            """
            \\"
            """,
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c34151143ae50be9 Filesystem access.
pkgs/python/[email protected]/testing/test_config.py:834
        p.write_text(f"mylist = {['.', str(somepath)]}", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #19fde3c7c1319154 Filesystem access.
pkgs/python/[email protected]/testing/test_config.py:1426
        p1.write_text(
            textwrap.dedent(
                """\
                [pytest]
                name = value
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d0bdd3e2b46ff96c Filesystem access.
pkgs/python/[email protected]/testing/test_config.py:1443
        p2.write_text(
            textwrap.dedent(
                """\
                [pytest]
                name = wrong-value
                should_not_be_set = true
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #88d28db3283dfe07 Filesystem access.
pkgs/python/[email protected]/testing/test_config.py:1935
        inipath.write_text(contents, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4d886a93c85aad3e Filesystem access.
pkgs/python/[email protected]/testing/test_config.py:2027
        p.write_text(contents, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e0419d41c1bc7359 Filesystem access.
pkgs/python/[email protected]/testing/test_config.py:2142
        (tmp_path / "setup.cfg").write_text("[tool:pytest]\n", "utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d05bb4a3e2a257a3 Filesystem access.
pkgs/python/[email protected]/testing/test_config.py:2144
        (tmp_path / "myproject" / "setup.cfg").write_text("[tool:pytest]\n", "utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4710b0f40dd845ac Filesystem access.
pkgs/python/[email protected]/testing/test_config.py:2164
        pytester.path.joinpath(name).write_text(
            textwrap.dedent(
                f"""
            {section}
            custom = 1.0"""
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bceb41e40e4063ee Filesystem access.
pkgs/python/[email protected]/testing/test_config.py:2818
        tmp_path.joinpath("pytest.ini").write_text(
            textwrap.dedent(
                """\
                [pytest]
                addopts = --verbose
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #34764f1fd62837e0 Filesystem access.
pkgs/python/[email protected]/testing/test_config.py:2839
        tmp_path.joinpath("pytest.ini").write_text(
            textwrap.dedent(
                """\
                [pytest]
                addopts = --verbose
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #91c3ca534d6d6e44 Filesystem access.
pkgs/python/[email protected]/testing/test_config.py:2858
        tmp_path.joinpath("pytest.ini").write_text(
            textwrap.dedent(
                f"""\
                [pytest]
                addopts = --verbose
                {setting_name} = {TestVerbosity.SOME_OUTPUT_VERBOSITY_LEVEL}
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #155e77a1d318dd1b Filesystem access.
pkgs/python/[email protected]/testing/test_conftest.py:49
        tmp_path.joinpath("adir/conftest.py").write_text(
            "a=1 ; Directory = 3", encoding="utf-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6606c8a96b9c5943 Filesystem access.
pkgs/python/[email protected]/testing/test_conftest.py:52
        tmp_path.joinpath("adir/b/conftest.py").write_text(
            "b=2 ; a = 1.5", encoding="utf-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #28934b139ce14e4d Filesystem access.
pkgs/python/[email protected]/testing/test_conftest.py:134
    tmp_path.joinpath("adir-1.0/conftest.py").write_text(
        "a=1 ; Directory = 3", encoding="utf-8"
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d05cd31f51b60ca9 Filesystem access.
pkgs/python/[email protected]/testing/test_conftest.py:137
    tmp_path.joinpath("adir-1.0/b/conftest.py").write_text(
        "b=2 ; a = 1.5", encoding="utf-8"
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d41748b14a47b615 Filesystem access.
pkgs/python/[email protected]/testing/test_conftest.py:270
    x.joinpath("conftest.py").write_text(
        textwrap.dedent(
            """\
            def pytest_addoption(parser):
                parser.addoption("--xyz", action="store_true")
            """
        ),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ce1f9477874d1bf0 Filesystem access.
pkgs/python/[email protected]/testing/test_conftest.py:298
    tmp_path.joinpath("foo", "conftest.py").write_text(
        textwrap.dedent(
            """\
            import pytest
            @pytest.fixture
            def fix(): return None
            """
        ),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9912e68c48323130 Filesystem access.
pkgs/python/[email protected]/testing/test_conftest.py:308
    tmp_path.joinpath("foo", "test_it.py").write_text(
        "def test_it(fix): pass", encoding="utf-8"
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1666c3b69beecd46 Filesystem access.
pkgs/python/[email protected]/testing/test_conftest.py:429
    x.joinpath("conftest.py").write_text(
        textwrap.dedent(
            """\
            def pytest_addoption(parser):
                parser.addoption("--xyz", action="store_true")
            """
        ),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cf9d8029f74fa8bc Filesystem access.
pkgs/python/[email protected]/testing/test_conftest.py:469
    ct2.write_text("", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #98aee253a014c77d Filesystem access.
pkgs/python/[email protected]/testing/test_conftest.py:493
    sub.joinpath("conftest.py").write_text(
        textwrap.dedent(
            """\
            import pytest

            @pytest.fixture
            def not_needed():
                assert False, "Should not be called!"

            @pytest.fixture
            def foo():
                assert False, "Should not be called!"

            @pytest.fixture
            def bar(foo):
                return 'bar'
            """
        ),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #326ab1c6a0490472 Filesystem access.
pkgs/python/[email protected]/testing/test_conftest.py:516
    subsub.joinpath("test_bar.py").write_text(
        textwrap.dedent(
            """\
            import pytest

            @pytest.fixture
            def bar():
                return 'sub bar'

            def test_event_fixture(bar):
                assert bar == 'sub bar'
            """
        ),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b3118b8f314e2be5 Filesystem access.
pkgs/python/[email protected]/testing/test_conftest.py:537
    sub.joinpath("conftest.py").write_text(
        textwrap.dedent(
            """\
            def pytest_addoption(parser):
                parser.addoption("--hello-world", action="store_true")
            """
        ),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d131f61f0df14aa6 Filesystem access.
pkgs/python/[email protected]/testing/test_conftest.py:547
    p.write_text("def test_hello(): pass", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6561954ab70a4aeb Filesystem access.
pkgs/python/[email protected]/testing/test_conftest.py:563
        package.joinpath("conftest.py").write_text(
            textwrap.dedent(
                """\
                import pytest
                @pytest.fixture
                def fxtr():
                    return "from-package"
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e4a79e672a34c640 Filesystem access.
pkgs/python/[email protected]/testing/test_conftest.py:574
        package.joinpath("test_pkgroot.py").write_text(
            textwrap.dedent(
                """\
                def test_pkgroot(fxtr):
                    assert fxtr == "from-package"
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8174175d14f17064 Filesystem access.
pkgs/python/[email protected]/testing/test_conftest.py:587
        swc.joinpath("conftest.py").write_text(
            textwrap.dedent(
                """\
                import pytest
                @pytest.fixture
                def fxtr():
                    return "from-swc"
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f5f40a35214a6cf6 Filesystem access.
pkgs/python/[email protected]/testing/test_conftest.py:598
        swc.joinpath("test_with_conftest.py").write_text(
            textwrap.dedent(
                """\
                def test_with_conftest(fxtr):
                    assert fxtr == "from-swc"
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f33425427562438b Filesystem access.
pkgs/python/[email protected]/testing/test_conftest.py:611
        snc.joinpath("test_no_conftest.py").write_text(
            textwrap.dedent(
                """\
                def test_no_conftest(fxtr):
                    assert fxtr == "from-package"   # No local conftest.py, so should
                                                    # use value from parent dir's
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3b1a002586e370cc Filesystem access.
pkgs/python/[email protected]/testing/test_conftest.py:685
    src.joinpath("pytest.ini").write_text("[pytest]", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cca6ef0bbc49b64a Filesystem access.
pkgs/python/[email protected]/testing/test_conftest.py:686
    src.joinpath("conftest.py").write_text(
        textwrap.dedent(
            """\
            import pytest
            @pytest.fixture
            def fix1(): pass
            """
        ),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e37e3b8f4646e42c Filesystem access.
pkgs/python/[email protected]/testing/test_conftest.py:696
    src.joinpath("test_foo.py").write_text(
        textwrap.dedent(
            """\
            def test_1(fix1):
                pass
            def test_2(out_of_reach):
                pass
            """
        ),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #efb9b412621bb0aa Filesystem access.
pkgs/python/[email protected]/testing/test_conftest.py:707
    root.joinpath("conftest.py").write_text(
        textwrap.dedent(
            """\
            import pytest
            @pytest.fixture
            def out_of_reach(): pass
            """
        ),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d852a9030c85fae7 Filesystem access.
pkgs/python/[email protected]/testing/test_conftest.py:811
    sdk.joinpath("pyproject.toml").write_text(
        textwrap.dedent("""\
            [tool.pytest.ini_options]
            testpaths = ["../tests/sdk"]
        """),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #070455d188a60e35 Filesystem access.
pkgs/python/[email protected]/testing/test_conftest.py:821
    tests_sdk.joinpath("conftest.py").write_text(
        textwrap.dedent("""\
            import pytest

            @pytest.fixture(autouse=True)
            def outer_fixture():
                pass
        """),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1b167c7dea39b912 Filesystem access.
pkgs/python/[email protected]/testing/test_conftest.py:831
    tests_sdk.joinpath("test_outer.py").write_text(
        textwrap.dedent("""\
            def test_outer(request):
                fixturenames = request.fixturenames
                assert "outer_fixture" in fixturenames
                assert "inner_fixture" not in fixturenames
        """),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #189d8bd026fe2f8d Filesystem access.
pkgs/python/[email protected]/testing/test_conftest.py:843
    inner.joinpath("conftest.py").write_text(
        textwrap.dedent("""\
            import pytest

            @pytest.fixture(autouse=True)
            def inner_fixture():
                pass
        """),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2c0a9d740d54547f Filesystem access.
pkgs/python/[email protected]/testing/test_conftest.py:853
    inner.joinpath("test_inner.py").write_text(
        textwrap.dedent("""\
            def test_inner(request):
                fixturenames = request.fixturenames
                assert "outer_fixture" in fixturenames
                assert "inner_fixture" in fixturenames
        """),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f1b51c6faf334a77 Filesystem access.
pkgs/python/[email protected]/testing/test_conftest.py:887
    root.joinpath("conftest.py").write_text(
        textwrap.dedent("""\
            import pytest

            @pytest.fixture
            def ancestor_fixture():
                return "from-ancestor"
        """),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1514f49d19ace2e5 Filesystem access.
pkgs/python/[email protected]/testing/test_conftest.py:899
    sub.joinpath("pyproject.toml").write_text(
        "[tool.pytest.ini_options]\n", encoding="utf-8"
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #57f1ca48d2db0ec5 Filesystem access.
pkgs/python/[email protected]/testing/test_conftest.py:902
    sub.joinpath("test_it.py").write_text(
        textwrap.dedent("""\
            def test_uses_ancestor(ancestor_fixture):
                assert ancestor_fixture == "from-ancestor"
        """),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #178bc02d391043e8 Filesystem access.
pkgs/python/[email protected]/testing/test_conftest.py:917
    x.joinpath("conftest.py").write_text(
        textwrap.dedent(
            """\
            def pytest_addoption(parser):
                parser.addoption("--xyz", action="store_true", required=True)
            """
        ),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #db33c1380ddc303a Filesystem access.
pkgs/python/[email protected]/testing/test_debugging.py:387
        sub_dir.joinpath("conftest").with_suffix(".py").write_text(
            "import unknown", "utf-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a24ddc7e929ac70c Filesystem access.
pkgs/python/[email protected]/testing/test_debugging.py:390
        sub_dir.joinpath("test_file").with_suffix(".py").write_text(
            "def test_func(): pass", "utf-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #06a787b32ffb9e19 Filesystem access.
pkgs/python/[email protected]/testing/test_doctest.py:201
        fn.write_text(doctest, encoding=encoding)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bf9f70fbd66c951e Filesystem access.
pkgs/python/[email protected]/testing/test_doctest.py:350
        pytester.path.joinpath("hello.py").write_text(
            textwrap.dedent(
                """\
                class Fun(object):
                    @property
                    def test(self):
                        '''
                        >>> a = 1
                        >>> 1/0
                        '''
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d660c5587af6ba18 Filesystem access.
pkgs/python/[email protected]/testing/test_doctest.py:448
        pytester.path.joinpath("hello.py").write_text(
            textwrap.dedent(
                """\
                import asdalsdkjaslkdjasd
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7753310ac652a87d Filesystem access.
pkgs/python/[email protected]/testing/test_doctest.py:506
        p.joinpath("__init__.py").write_text(
            textwrap.dedent(
                """\
                def somefunc():
                    '''
                        >>> i = 0
                        >>> i + 1
                        2
                    '''
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #012a55d293b77d4a Filesystem access.
pkgs/python/[email protected]/testing/test_doctest.py:1365
        assert Path("out").read_text("utf-8").split() == ["RUN"] * 2

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fa1719a16bf242f4 Filesystem access.
pkgs/python/[email protected]/testing/test_doctest.py:1687
    not_setup_py.write_text(
        'from setuptools import setup; setup(name="foo")', encoding="utf-8"
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #90ff67efd32e5cf9 Filesystem access.
pkgs/python/[email protected]/testing/test_doctest.py:1696
    setup_py.write_text(f'from {mod} import setup; setup(name="foo")', "utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #02847f5f2f581b1b Environment-variable access.
pkgs/python/[email protected]/testing/test_faulthandler.py:82
                bool(os.environ.get("CI"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #23b6337e22e16f4f Environment-variable access.
pkgs/python/[email protected]/testing/test_faulthandler.py:123
    "CI" in os.environ and sys.platform == "linux" and sys.version_info >= (3, 14),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9ad267a08d734366 Filesystem access.
pkgs/python/[email protected]/testing/test_findpaths.py:22
        fn.write_text("", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e04430f94aeb99da Filesystem access.
pkgs/python/[email protected]/testing/test_findpaths.py:28
        fn.write_text("[pytest]\nx=1", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef6f4f8c6e5f1ace Filesystem access.
pkgs/python/[email protected]/testing/test_findpaths.py:36
        fn.write_text("[pytest]\nx=1", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #030fef3fd5923611 Filesystem access.
pkgs/python/[email protected]/testing/test_findpaths.py:44
        fn.write_text("[custom]", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7553f2add49da232 Filesystem access.
pkgs/python/[email protected]/testing/test_findpaths.py:50
        fn.write_text("[custom]", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fdc098c578dd427c Filesystem access.
pkgs/python/[email protected]/testing/test_findpaths.py:56
        fn.write_text("[tool:pytest]\nx=1", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7918515cfa067a77 Filesystem access.
pkgs/python/[email protected]/testing/test_findpaths.py:64
        fn.write_text("[pytest]", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ca4b4011865beac6 Filesystem access.
pkgs/python/[email protected]/testing/test_findpaths.py:71
        fn.write_text("]invalid toml[", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #25055dd818418d8c Filesystem access.
pkgs/python/[email protected]/testing/test_findpaths.py:78
        fn.write_text(
            dedent(
                """
            [build_system]
            x = 1
            """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6951d436bd336995 Filesystem access.
pkgs/python/[email protected]/testing/test_findpaths.py:93
        fn.write_text(
            dedent(
                """
            [tool.pytest.ini_options]
            x = 1
            y = 20.0
            values = ["tests", "integration"]
            name = "foo"
            heterogeneous_array = [1, "str"]
            """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #75a63000af981056 Filesystem access.
pkgs/python/[email protected]/testing/test_findpaths.py:117
        fn.write_text(
            dedent(
                """
                [tool.pytest]
                minversion = "7.0"
                xfail_strict = true
                testpaths = ["tests", "integration"]
                python_files = ["test_*.py", "*_test.py"]
                verbosity_assertions = 2
                maxfail = 5
                timeout = 300.5
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a45d90a81002df91 Filesystem access.
pkgs/python/[email protected]/testing/test_findpaths.py:150
        fn.write_text(
            dedent(
                """
            [tool.pytest]
            xfail_strict = true

            [tool.pytest.ini_options]
            minversion = "7.0"
            """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #530cf4c4b42eb9c9 Filesystem access.
pkgs/python/[email protected]/testing/test_findpaths.py:168
        fn.write_text("", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #14943ee0bd4a15a7 Filesystem access.
pkgs/python/[email protected]/testing/test_helpconfig.py:129
    assert "pytest_sessionstart" in p.read_text("utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b5834397d7a40b22 Filesystem access.
pkgs/python/[email protected]/testing/test_junitxml.py:542
        p.write_text("def test_func(): 0/0", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c04c1fd7ceb35d39 Filesystem access.
pkgs/python/[email protected]/testing/test_junitxml.py:1058
        pytester.path.joinpath("myfile.xyz").write_text("hello", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2151238910c8d000 Filesystem access.
pkgs/python/[email protected]/testing/test_junitxml.py:1084
    text = xmlf.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6e682cbd9884232c Filesystem access.
pkgs/python/[email protected]/testing/test_junitxml.py:1106
    text = xmlf.read_text(encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #287e177b011f657f Filesystem access.
pkgs/python/[email protected]/testing/test_link_resolve.py:58
    p.write_text(
        textwrap.dedent(
            """
        import pytest
        def test_foo():
            raise AssertionError()
        """
        ),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9fe15670447d5f77 Environment-variable access.
pkgs/python/[email protected]/testing/test_monkeypatch.py:169
        os.environ[key] = "world"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1e0a88b52e68e232 Environment-variable access.
pkgs/python/[email protected]/testing/test_monkeypatch.py:172
    del os.environ[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #64fdd0b56670ee11 Environment-variable access.
pkgs/python/[email protected]/testing/test_monkeypatch.py:175
        assert os.environ[key] == "world"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #687780a1bb9dcc73 Environment-variable access.
pkgs/python/[email protected]/testing/test_monkeypatch.py:176
        del os.environ[key]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #702513ed0961c910 Environment-variable access.
pkgs/python/[email protected]/testing/test_monkeypatch.py:178
        assert key not in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bba49d73fab26e27 Environment-variable access.
pkgs/python/[email protected]/testing/test_monkeypatch.py:205
    assert os.environ["XYZ123"] == "2"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c0b9999409980971 Environment-variable access.
pkgs/python/[email protected]/testing/test_monkeypatch.py:207
    assert "XYZ123" not in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #88afb5de3df46f0b Environment-variable access.
pkgs/python/[email protected]/testing/test_monkeypatch.py:212
    assert name not in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #20befd99f7a0e1f6 Environment-variable access.
pkgs/python/[email protected]/testing/test_monkeypatch.py:218
    os.environ[name] = "1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #20ddb00aca617421 Environment-variable access.
pkgs/python/[email protected]/testing/test_monkeypatch.py:222
        assert name not in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d6439a4cc74be2c6 Environment-variable access.
pkgs/python/[email protected]/testing/test_monkeypatch.py:224
        assert os.environ[name] == "3"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #64ae851f880fb1a4 Environment-variable access.
pkgs/python/[email protected]/testing/test_monkeypatch.py:226
        assert os.environ[name] == "1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4f27e35e7784b417 Environment-variable access.
pkgs/python/[email protected]/testing/test_monkeypatch.py:228
        if name in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ec66fe9a1a15c87e Environment-variable access.
pkgs/python/[email protected]/testing/test_monkeypatch.py:229
            del os.environ[name]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #01a9b7aff4618a1c Environment-variable access.
pkgs/python/[email protected]/testing/test_monkeypatch.py:257
    assert os.environ["XYZ123"] == "3-2"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #005cc48931217cc9 Environment-variable access.
pkgs/python/[email protected]/testing/test_monkeypatch.py:259
    assert "XYZ123" not in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d073755c208fe663 Filesystem access.
pkgs/python/[email protected]/testing/test_monkeypatch.py:342
    p.joinpath("a.py").write_text(
        textwrap.dedent(
            """\
        import doesnotexist

        x = 1
    """
        ),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e2f6128dfd27892d Filesystem access.
pkgs/python/[email protected]/testing/test_monkeypatch.py:352
    pytester.path.joinpath("test_importerror.py").write_text(
        textwrap.dedent(
            """\
        def test_importerror(monkeypatch):
            monkeypatch.setattr('package.a.x', 2)
    """
        ),
        encoding="utf-8",
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #41b4f9be60ac303c Filesystem access.
pkgs/python/[email protected]/testing/test_monkeypatch.py:466
        ns.joinpath("__init__.py").write_text(
            "__import__('pkg_resources').declare_namespace(__name__)", encoding="utf-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c81e9ac838525bca Filesystem access.
pkgs/python/[email protected]/testing/test_monkeypatch.py:471
        lib.joinpath("__init__.py").write_text(
            f"def check(): return {dirname!r}", encoding="utf-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1b18355e13fc54de Filesystem access.
pkgs/python/[email protected]/testing/test_monkeypatch.py:500
    modules_tmpdir.joinpath("main_app.py").write_text("app = True", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1e200e9a88fe6430 Filesystem access.
pkgs/python/[email protected]/testing/test_parseopt.py:143
        args_file.write_text("\n".join(tests), encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #71d2ebe867319ad0 Filesystem access.
pkgs/python/[email protected]/testing/test_parseopt.py:311
    with open(str(script), "w", encoding="utf-8") as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2f14e53d3ada0c0f Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:147
        samplefile.write_text("samplefile\n", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #245b3f9481c81952 Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:150
        execfile.write_text("x=42", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7d198ff7ddc61606 Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:153
        execfilepy.write_text("x=42", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c566193f294ecbe3 Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:167
        module_a.write_text("from .b import stuff as result\n", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f1b906613bf91fe2 Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:169
        module_b.write_text('stuff="got it"\n', encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c0f9b683338af062 Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:171
        module_c.write_text(
            dedent(
                """
            import pluggy;
            import otherdir.a
            value = otherdir.a.result
        """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #00de2151b8650d70 Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:182
        module_d.write_text(
            dedent(
                """
            import pluggy;
            from otherdir import a
            value2 = a.result
        """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #afd1576f01334534 Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:355
        fn.write_text("def foo(x): return 40 + x", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #48b1b7d076baf918 Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:559
    module_path.write_text("def foo(): return 42", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3c30f952a77728d6 Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:603
        fn.write_text(
            dedent(
                """
                from dataclasses import dataclass

                @dataclass
                class Data:
                    value: str
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #756a49b699f4d017 Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:636
        fn.write_text(
            dedent(
                """
                import pickle

                def _action():
                    return 42

                def round_trip():
                    s = pickle.dumps(_action)
                    return pickle.loads(s)
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #562f834aeffcc35b Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:674
        fn1.write_text(
            dedent(
                """
                import dataclasses
                import pickle

                @dataclasses.dataclass
                class Data:
                    x: int = 42
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #702946fce882d8e1 Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:690
        fn2.write_text(
            dedent(
                """
                import dataclasses
                import pickle

                @dataclasses.dataclass
                class Data:
                    x: str = ""
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fcbfd513bad9303e Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:821
        file_path.write_text("my_name='demo'", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8d77fbb46199be78 Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:824
            (tmp_path / "a/b/__init__.py").write_text(
                "my_name='b.__init__'", encoding="utf-8"
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5d5ddaa6f36f1479 Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:890
        init.write_text(
            dedent(
                """
                from .singleton import Singleton

                instance = Singleton()
                """
            ),
            encoding="ascii",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #81b9ccb72bef63c0 Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:901
        singleton.write_text(
            dedent(
                """
                class Singleton:
                    INSTANCES = []

                    def __init__(self) -> None:
                        self.INSTANCES.append(self)
                        if len(self.INSTANCES) > 1:
                            raise RuntimeError("Already initialized")
                """
            ),
            encoding="ascii",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c8f2fff9c82c737c Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:955
        file_path.write_text(
            dedent(
                """
            def test_demo():
                pass
            """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3fc22411e3fe0570 Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:992
        core_py.write_text(
            dedent(
                """
                def foo():
                    '''
                    >>> 1 + 1
                    2
                    '''
                """
            ),
            encoding="ascii",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6bad02574ce26fb4 Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:1019
        conftest_path1.write_text(
            dedent(
                """
                import pytest
                @pytest.fixture
                def a_fix(): return "a"
                """
            ),
            encoding="ascii",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4f27a5026fb9dfe2 Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:1030
        test_path1.write_text(
            dedent(
                """
                import app.core
                def test(a_fix):
                    assert a_fix == "a"
                """,
            ),
            encoding="ascii",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6760aba44e84e085 Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:1043
        conftest_path2.write_text(
            dedent(
                """
                import pytest
                @pytest.fixture
                def b_fix(): return "b"
                """
            ),
            encoding="ascii",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7e5af7aed24cab0a Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:1055
        test_path2.write_text(
            dedent(
                """
                import app.core
                def test(b_fix):
                    assert b_fix == "b"
                """,
            ),
            encoding="ascii",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #696362f62c88aa74 Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:1175
        x_at_root.write_text("raise AssertionError('x at root')", encoding="ascii")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f4f52414351b2cae Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:1181
        x_in_sub_dir.write_text("X = 'a/b/x'", encoding="ascii")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c4cb25cd95b6afb Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:1400
        (tmp_path / "src/dist1/com/company/app/__init__.py").write_text(
            code, encoding="UTF-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #da3da5918ec48e2e Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:1403
        (tmp_path / "src/dist1/com/company/app/core/__init__.py").write_text(
            code, encoding="UTF-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aecba5d48ab385d8 Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:1410
        (tmp_path / "src/dist2/com/company/calc/__init__.py").write_text(
            code, encoding="UTF-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b3f10e7feb91cc81 Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:1413
        (tmp_path / "src/dist2/com/company/calc/algo/__init__.py").write_text(
            code, encoding="UTF-8"
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b9a2e2807e3385ed Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:1417
        algorithms_py.write_text(code, encoding="UTF-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2dd1ec8315ee5d24 Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:1503
        test_py.write_text(code, encoding="UTF-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #109dc6c4d0d0b848 Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:1532
        file.write_text("data=123", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cae82fbc7c435bac Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:1537
        tests.write_text(
            dedent(
                """
            from cow.moo.moo import data

            def test_moo():
                print(data)
            """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #07c2935f409564da Filesystem access.
pkgs/python/[email protected]/testing/test_pathlib.py:1693
    test_y.write_text("def test(): pass", encoding="UTF-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c70e7fa4fd0f5039 Environment-variable access.
pkgs/python/[email protected]/testing/test_pluginmanager.py:351
        monkeypatch.setitem(os.environ, "PYTEST_PLUGINS", "xy123")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #20327e349caae1a6 Filesystem access.
pkgs/python/[email protected]/testing/test_pluginmanager.py:409
        pytester.mkpydir("pkg").joinpath("plug.py").write_text("x=3", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3b37870535cef3a3 Filesystem access.
pkgs/python/[email protected]/testing/test_pytester.py:218
    assert "mixed_encoding = 'São Paulo'".encode() in p.read_bytes()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4a5963c4274c74a0 Filesystem access.
pkgs/python/[email protected]/testing/test_pytester.py:227
        test_mod.write_text("def test_foo(): assert False", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9d3c851c142914b5 Environment-variable access.
pkgs/python/[email protected]/testing/test_pytester.py:613
    assert "PYTEST_ADDOPTS" not in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eef591c870514d16 Environment-variable access.
pkgs/python/[email protected]/testing/test_pytester.py:705
    assert os.environ.get("HOME") == tmphome

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #97fcb683b93de158 Filesystem access.
pkgs/python/[email protected]/testing/test_python_path.py:38
    foo_py.write_text(content, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #31a73e0a110bf8ca Filesystem access.
pkgs/python/[email protected]/testing/test_python_path.py:47
    bar_py.write_text(content, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #926a32d02d386de0 Filesystem access.
pkgs/python/[email protected]/testing/test_python_path.py:76
    localplugin_py.write_text(content, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8ec7edc8c606ceb0 Filesystem access.
pkgs/python/[email protected]/testing/test_reports.py:411
        sub_dir.joinpath("conftest.py").write_text("import unknown", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #024421fe4934317f Environment-variable access.
pkgs/python/[email protected]/testing/test_runner.py:1086
    assert "PYTEST_CURRENT_TEST" not in os.environ

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bb3f402b24649a9c Environment-variable access.
pkgs/python/[email protected]/testing/test_runner.py:1225
    assert os.environ["PYTEST_VERSION"] == "old version"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c4d7da601ae6cf99 Filesystem access.
pkgs/python/[email protected]/testing/test_session.py:273
    hellodir.joinpath("test_hello.py").write_text("x y syntaxerror", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d211c714607ad2f3 Filesystem access.
pkgs/python/[email protected]/testing/test_session.py:275
    hello2dir.joinpath("test_hello2.py").write_text("x y syntaxerror", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #49d2e4084dc56494 Filesystem access.
pkgs/python/[email protected]/testing/test_session.py:284
    hellodir.joinpath("test_hello.py").write_text("x y syntaxerror", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6007a65aed8a9b63 Filesystem access.
pkgs/python/[email protected]/testing/test_session.py:286
    hello2dir.joinpath("test_hello2.py").write_text("x y syntaxerror", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #35b056f3264003cf Filesystem access.
pkgs/python/[email protected]/testing/test_session.py:288
    hello3dir.joinpath("test_hello3.py").write_text("x y syntaxerror", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #64b3d3e97a689acd Filesystem access.
pkgs/python/[email protected]/testing/test_session.py:290
    subdir.joinpath("test_hello4.py").write_text("x y syntaxerror", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #33e8d526d247081a Filesystem access.
pkgs/python/[email protected]/testing/test_skipping.py:191
        root.joinpath("conftest.py").write_text(
            textwrap.dedent(
                """\
            import pytest

            def pytest_markeval_namespace():
                return {"arg": "root"}
            """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f50c0fec7f2471ec Filesystem access.
pkgs/python/[email protected]/testing/test_skipping.py:202
        root.joinpath("test_root.py").write_text(
            textwrap.dedent(
                """\
            import pytest

            @pytest.mark.skipif("arg == 'root'")
            def test_root():
                assert False
            """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d0250df51bb548bb Filesystem access.
pkgs/python/[email protected]/testing/test_skipping.py:217
        foo.joinpath("conftest.py").write_text(
            textwrap.dedent(
                """\
            import pytest

            def pytest_markeval_namespace():
                return {"arg": "foo"}
            """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1cdaef2a23e3a9a6 Filesystem access.
pkgs/python/[email protected]/testing/test_skipping.py:228
        foo.joinpath("test_foo.py").write_text(
            textwrap.dedent(
                """\
            import pytest

            @pytest.mark.skipif("arg == 'foo'")
            def test_foo():
                assert False
            """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c76b4aef4d2228ad Filesystem access.
pkgs/python/[email protected]/testing/test_skipping.py:243
        bar.joinpath("conftest.py").write_text(
            textwrap.dedent(
                """\
            import pytest

            def pytest_markeval_namespace():
                return {"arg": "bar"}
            """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #dab69e30ace97711 Filesystem access.
pkgs/python/[email protected]/testing/test_skipping.py:254
        bar.joinpath("test_bar.py").write_text(
            textwrap.dedent(
                """\
            import pytest

            @pytest.mark.skipif("arg == 'bar'")
            def test_bar():
                assert False
            """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0aa1c14f3f065b71 Filesystem access.
pkgs/python/[email protected]/testing/test_stepwise.py:534
    cache_file.write_text(json.dumps({"invalid": True}), encoding="UTF-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #db602e7e577cc16e Filesystem access.
pkgs/python/[email protected]/testing/test_terminal.py:271
        a.joinpath("test_hello123.py").write_text(
            textwrap.dedent(
                """\
                class TestClass(object):
                    def test_method(self):
                        pass
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5b92cdb41bf0acf5 Filesystem access.
pkgs/python/[email protected]/testing/test_terminal.py:1645
        pytester.mkdir("a").joinpath("conftest.py").write_text(
            """
def pytest_report_header(config, start_path):
    return ["line1", str(start_path)]
""",
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3cbb6163f82caa8b Filesystem access.
pkgs/python/[email protected]/testing/test_terminal.py:3386
        test_path.write_text(
            textwrap.dedent(
                """
                import pytest

                @pytest.mark.parametrize("a", ["x/y", "C:/path", "\\\\", "C:\\\\path", "a::b/"])
                def test_x(a):
                    assert False
                """
            ),
            encoding="utf-8",
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pytest-docker

python dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #931717bba62caa89 Environment-variable access.
pkgs/python/[email protected]/src/pytest_docker/plugin.py:46
    docker_host = os.environ.get("DOCKER_HOST", "").strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

python-mimeparse

python dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #de30c3cea87ce7e6 Filesystem access.
pkgs/python/[email protected]/mimeparse_test.py:24
        with open("testdata.json") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

python-multipart

python dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #a7509929f0876ec2 Filesystem access.
pkgs/python/[email protected]/python_multipart/multipart.py:487
                tmp_file = open(path, "w+b")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

python-pptx

python dependency
expand_more 13 low-confidence finding(s)
low env_fs dependency Excluded from app score #b181b1eb29d06760 Filesystem access.
pkgs/python/[email protected]/features/steps/picture.py:43
    with open(test_image(filename), "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #934ab671e8104d9e Filesystem access.
pkgs/python/[email protected]/features/steps/placeholder.py:141
    with open(path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #04080aa960409058 Filesystem access.
pkgs/python/[email protected]/features/steps/presentation.py:88
    with open(test_pptx("test"), "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3ab893848f33b785 Filesystem access.
pkgs/python/[email protected]/features/steps/presentation.py:107
    with open(saved_pptx_path, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8198062bc5b496ec Filesystem access.
pkgs/python/[email protected]/features/steps/shape.py:461
    with open(test_file("just-two-mice.png"), "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #337f24ce09e9eda6 Filesystem access.
pkgs/python/[email protected]/features/steps/shapes.py:65
    with open(test_file(filename), "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fb2d2c16162a3385 Filesystem access.
pkgs/python/[email protected]/src/pptx/media.py:37
            with open(movie_file, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ab033c501c5d9e26 Filesystem access.
pkgs/python/[email protected]/src/pptx/opc/package.py:367
            with open(file, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #69f7c98ee612e0ec Filesystem access.
pkgs/python/[email protected]/src/pptx/opc/serialized.py:166
            with open(path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a0b005f5828a84e4 Filesystem access.
pkgs/python/[email protected]/src/pptx/oxml/__init__.py:29
    with open(filename, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d2376a3f1ad0ab62 Filesystem access.
pkgs/python/[email protected]/src/pptx/parts/image.py:163
            with open(image_file, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cf3fc6467726e858 Environment-variable access.
pkgs/python/[email protected]/src/pptx/text/fonts.py:80
        home = os.environ.get("HOME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0c24714930b3d70f Filesystem access.
pkgs/python/[email protected]/src/pptx/text/fonts.py:200
        return cls(open(path, "rb"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pytube

python dependency
expand_more 5 low-confidence finding(s)
low env_fs dependency Excluded from app score #49542af9aa39018f Filesystem access.
pkgs/python/[email protected]/pytube/captions.py:154
        with open(file_path, "w", encoding="utf-8") as file_handle:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef8767d8de3fb7e3 Filesystem access.
pkgs/python/[email protected]/pytube/innertube.py:249
                with open(_token_file) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #00908baead704228 Filesystem access.
pkgs/python/[email protected]/pytube/innertube.py:268
        with open(_token_file, 'w') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c51d760579e24769 Filesystem access.
pkgs/python/[email protected]/pytube/streams.py:312
        with open(file_path, "wb") as fh:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #42399fdda5a833c9 Filesystem access.
pkgs/python/[email protected]/setup.py:13
with open(os.path.join(here, "pytube", "version.py")) as fp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pytz

python dependency
expand_more 6 low-confidence finding(s)
low env_fs dependency Excluded from app score #2a1a76c398ccd558 Environment-variable access.
pkgs/python/[email protected]/pytz/__init__.py:91
    zoneinfo_dir = os.environ.get('PYTZ_TZDATADIR', None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #262f845389192641 Filesystem access.
pkgs/python/[email protected]/pytz/__init__.py:118
    return open(filename, 'rb')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1caf59ae8023db33 Environment-variable access.
pkgs/python/[email protected]/pytz/__init__.py:124
        if os.environ.get('PYTZ_SKIPEXISTSCHECK', ''):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d71aae765c856f6b Filesystem access.
pkgs/python/[email protected]/pytz/tzfile.py:130
                      open(os.path.join(base, 'Australia', 'Melbourne'), 'rb'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #99804da54ac0485b Filesystem access.
pkgs/python/[email protected]/pytz/tzfile.py:132
                      open(os.path.join(base, 'US', 'Eastern'), 'rb'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #18f8281f2eedac90 Filesystem access.
pkgs/python/[email protected]/setup.py:31
    long_description=open('README.rst', 'r').read(),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

pyxlsb

python dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #1b9eb61d2a242f65 Filesystem access.
pkgs/python/[email protected]/setup.py:8
with open(os.path.join(project_dir, 'README.rst')) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

rank-bm25

python dependency
expand_more 1 low-confidence finding(s)
low env_fs dependency Excluded from app score #0bc68ee9135c0753 Filesystem access.
pkgs/python/[email protected]/setup.py:12
    with io.open(os.path.join(here, 'README.md'), encoding='utf-8') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

requests

python dependency
expand_more 8 low-confidence finding(s)
low env_fs dependency Excluded from app score #0b612f7e338c124d Environment-variable access.
pkgs/python/[email protected]/src/requests/sessions.py:857
                    os.environ.get("REQUESTS_CA_BUNDLE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4c4475265473e6fc Environment-variable access.
pkgs/python/[email protected]/src/requests/sessions.py:858
                    or os.environ.get("CURL_CA_BUNDLE")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3fd6a53e73e98d0e Environment-variable access.
pkgs/python/[email protected]/src/requests/utils.py:239
    netrc_file = os.environ.get("NETRC")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #82faf83990b11390 Environment-variable access.
pkgs/python/[email protected]/src/requests/utils.py:798
        old_value = os.environ.get(env_name)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f7bb46d2f18f302a Environment-variable access.
pkgs/python/[email protected]/src/requests/utils.py:799
        os.environ[env_name] = value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4455a379293ead6d Environment-variable access.
pkgs/python/[email protected]/src/requests/utils.py:805
                del os.environ[env_name]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #72d23d3ea16416ca Environment-variable access.
pkgs/python/[email protected]/src/requests/utils.py:807
                os.environ[env_name] = old_value

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1b7ed755c7a14545 Environment-variable access.
pkgs/python/[email protected]/src/requests/utils.py:820
        return os.environ.get(key) or os.environ.get(key.upper())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

sentence-transformers

python dependency
expand_more 58 low-confidence finding(s)
low env_fs dependency Excluded from app score #a645f83e4ab72726 Environment-variable access.
pkgs/python/[email protected]/sentence_transformers/__init__.py:45
if importlib.util.find_spec("codecarbon") and "CODECARBON_LOG_LEVEL" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8937e69c6b61baa4 Environment-variable access.
pkgs/python/[email protected]/sentence_transformers/__init__.py:46
    os.environ["CODECARBON_LOG_LEVEL"] = "error"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #40c9aec79c29a4b4 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/backend/load.py:155
            with open(ov_config, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #153f88593d9e8b9b Environment-variable access.
pkgs/python/[email protected]/sentence_transformers/base/model.py:178
            cache_folder = os.getenv("SENTENCE_TRANSFORMERS_HOME")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #54f41f2ccbdec719 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/base/model.py:625
        with open(os.path.join(path, "config_sentence_transformers.json"), "w", encoding="utf8") as fOut:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8dc2e2070875f4fc Filesystem access.
pkgs/python/[email protected]/sentence_transformers/base/model.py:670
        with open(os.path.join(path, "modules.json"), "w", encoding="utf8") as fOut:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #414516f3af8f945f Filesystem access.
pkgs/python/[email protected]/sentence_transformers/base/model.py:762
        with open(os.path.join(path, "README.md"), "w", encoding="utf8") as fOut:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #68fa7f602e538a38 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/base/model.py:1067
            with open(config_sentence_transformers_json_path, encoding="utf8") as fIn:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1755bed7c305db41 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/base/model.py:1101
                with open(model_card_path, encoding="utf8") as fIn:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1babb933df42247b Filesystem access.
pkgs/python/[email protected]/sentence_transformers/base/model.py:1115
        with open(modules_json_path, encoding="utf8") as fIn:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c1369c4f2e38bb9f Filesystem access.
pkgs/python/[email protected]/sentence_transformers/base/model.py:1309
        with open(config_sentence_transformers_json_path, encoding="utf8") as fIn:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b670bb20da296bc2 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/base/modules/module.py:211
        with open(config_path, encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #edb256bcc768705d Filesystem access.
pkgs/python/[email protected]/sentence_transformers/base/modules/module.py:406
        with open(config_output_path, "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b8f74fc531fddbf2 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/base/modules/router.py:567
        with open(os.path.join(output_path, self.config_file_name), "w", encoding="utf8") as fOut:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bdcb5bdbfb137516 Environment-variable access.
pkgs/python/[email protected]/sentence_transformers/base/trainer.py:295
            os.environ.setdefault("WANDB_PROJECT", "sentence-transformers")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3d6c315a67b9cbf3 Environment-variable access.
pkgs/python/[email protected]/sentence_transformers/base/trainer.py:299
            os.environ.setdefault("TRACKIO_PROJECT", "sentence-transformers")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6766383797f3f6c4 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/base/trainer.py:1037
                with open(index_path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7f222fcb92c1d214 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/cross_encoder/evaluation/classification.py:180
            with open(csv_path, mode="a" if output_file_exists else "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #883391f60c07272f Filesystem access.
pkgs/python/[email protected]/sentence_transformers/cross_encoder/evaluation/correlation.py:129
            with open(csv_path, mode="a" if output_file_exists else "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #260f15adeecffdfd Filesystem access.
pkgs/python/[email protected]/sentence_transformers/cross_encoder/evaluation/nano_beir.py:283
                fOut = open(csv_path, mode="w", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #af1e258e834735e6 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/cross_encoder/evaluation/nano_beir.py:288
                fOut = open(csv_path, mode="a", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3a98019c31680901 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/cross_encoder/evaluation/reranking.py:301
            with open(csv_path, mode="a" if output_file_exists else "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1cf1a11fb412825b Filesystem access.
pkgs/python/[email protected]/sentence_transformers/sentence_transformer/datasets/parallel_sentences.py:96
            else open(filepath, encoding="utf8") as fIn

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f11c3a45c41e1f64 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/sentence_transformer/evaluation/binary_classification.py:195
                with open(csv_path, newline="", mode="w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #27775e4fc840808b Filesystem access.
pkgs/python/[email protected]/sentence_transformers/sentence_transformer/evaluation/binary_classification.py:200
                with open(csv_path, newline="", mode="a", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7eb0a9cd6ccb37bb Filesystem access.
pkgs/python/[email protected]/sentence_transformers/sentence_transformer/evaluation/embedding_similarity.py:207
            with open(csv_path, newline="", mode="a" if output_file_exists else "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b041969275371cd8 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/sentence_transformer/evaluation/information_retrieval.py:250
                fOut = open(csv_path, mode="w", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #da81ed39fabf7d8d Filesystem access.
pkgs/python/[email protected]/sentence_transformers/sentence_transformer/evaluation/information_retrieval.py:255
                fOut = open(csv_path, mode="a", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ea7a85aa8f84c2f6 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/sentence_transformer/evaluation/information_retrieval.py:388
                with open(json_path, mode=mode, encoding="utf-8") as fOut:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cc3a7d18111a7208 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/sentence_transformer/evaluation/label_accuracy.py:84
                with open(csv_path, newline="", mode="w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #55a3ca07c96d4125 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/sentence_transformer/evaluation/label_accuracy.py:89
                with open(csv_path, newline="", mode="a", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4610ecf10ba46c62 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/sentence_transformer/evaluation/mse.py:122
            with open(csv_path, newline="", mode="a" if output_file_exists else "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cd2fb7be1a6f2678 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/sentence_transformer/evaluation/mse_from_dataframe.py:110
            with open(csv_path, newline="", mode="a" if output_file_exists else "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b5b35dd42f41ac65 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/sentence_transformer/evaluation/nano_beir.py:353
                fOut = open(csv_path, mode="w", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0b04376f4baefa68 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/sentence_transformer/evaluation/nano_beir.py:358
                fOut = open(csv_path, mode="a", encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8926350693700469 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/sentence_transformer/evaluation/paraphrase_mining.py:224
                with open(csv_path, newline="", mode="w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #13b3cee83056cfc8 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/sentence_transformer/evaluation/paraphrase_mining.py:229
                with open(csv_path, newline="", mode="a", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2c37d7a3e0573889 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/sentence_transformer/evaluation/reranking.py:186
            with open(csv_path, newline="", mode="a" if output_file_exists else "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5152f5a74e56d204 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/sentence_transformer/evaluation/translation.py:157
            with open(csv_path, newline="", mode="a" if output_file_exists else "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1455616edf57761d Filesystem access.
pkgs/python/[email protected]/sentence_transformers/sentence_transformer/evaluation/triplet.py:220
                with open(csv_path, newline="", mode="w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9fa612d2279d96bc Filesystem access.
pkgs/python/[email protected]/sentence_transformers/sentence_transformer/evaluation/triplet.py:226
                with open(csv_path, newline="", mode="a", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7eb55126e8184256 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/sentence_transformer/modules/tokenizer/phrase.py:105
        with open(os.path.join(output_path, "phrasetokenizer_config.json"), "w") as fOut:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5cf6909b921b1228 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/sentence_transformer/modules/tokenizer/phrase.py:119
        with open(os.path.join(input_path, "phrasetokenizer_config.json")) as fIn:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #097a31d5ee1f2233 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/sentence_transformer/modules/tokenizer/whitespace.py:63
        with open(os.path.join(output_path, "whitespacetokenizer_config.json"), "w") as fOut:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #be5b9b79f4c7be80 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/sentence_transformer/modules/tokenizer/whitespace.py:75
        with open(os.path.join(input_path, "whitespacetokenizer_config.json")) as fIn:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #67e09cce7be8b47c Filesystem access.
pkgs/python/[email protected]/sentence_transformers/sentence_transformer/modules/word_embeddings.py:162
            else open(embeddings_file_path, encoding="utf8") as fIn

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #26e5b56ac644531e Filesystem access.
pkgs/python/[email protected]/sentence_transformers/sentence_transformer/readers/label_sentence.py:35
        for line in open(os.path.join(self.folder, filename), encoding="utf-8"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #203eba9a695a64fa Filesystem access.
pkgs/python/[email protected]/sentence_transformers/sentence_transformer/readers/paired_files.py:30
                else open(filepath, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d8540b4680eaa0e9 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/sentence_transformer/readers/sts_data.py:54
            else open(filepath, encoding="utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6682e96fbf279be7 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/sentence_transformer/readers/triplet.py:44
            open(os.path.join(self.dataset_folder, filename), encoding="utf-8"),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #83c271b3034f2181 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/sparse_encoder/evaluation/reciprocal_rank_fusion.py:287
                with open(csv_path, mode="a" if output_file_exists else "w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a4f7b736741843b2 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/sparse_encoder/evaluation/reciprocal_rank_fusion.py:311
                with open(json_path, mode="w", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e21c4294ca7ceeb6 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/sparse_encoder/modules/sparse_static_embedding.py:143
        with open(json_path) as fIn:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #bbe07614996f360d Environment-variable access.
pkgs/python/[email protected]/sentence_transformers/util/environment.py:51
        if "LOCAL_RANK" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #22e451d6c1cc9fb7 Environment-variable access.
pkgs/python/[email protected]/sentence_transformers/util/environment.py:52
            local_rank = int(os.environ["LOCAL_RANK"])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a011c0f9043a877e Filesystem access.
pkgs/python/[email protected]/sentence_transformers/util/file_io.py:243
            with open(download_filepath, "wb") as file_binary:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d8729dd1d3ab1ae0 Filesystem access.
pkgs/python/[email protected]/sentence_transformers/util/misc.py:182
    with open(csv_path, newline="", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f34462cf08e7d74c Filesystem access.
pkgs/python/[email protected]/sentence_transformers/util/misc.py:191
        with open(csv_path, "w", newline="", encoding="utf-8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

sentencepiece

python dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #3e680074adc89a65 Filesystem access.
pkgs/python/[email protected]/setup.py:37
with open('src/sentencepiece/_version.py') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #25f73bac08976d7f Environment-variable access.
pkgs/python/[email protected]/setup.py:158
  if os.getenv('PYTHON_ARCH', '') == 'ARM64':

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

soundfile

python dependency
expand_more 5 low-confidence finding(s)
low env_fs dependency Excluded from app score #16b387b1dd425e33 Environment-variable access.
pkgs/python/[email protected]/setup.py:8
platform = os.environ.get('PYSOUNDFILE_PLATFORM', sys.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a6cabb4fef06b21e Environment-variable access.
pkgs/python/[email protected]/setup.py:9
architecture0 = os.environ.get('PYSOUNDFILE_ARCHITECTURE')

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #027d93a007f9544a Filesystem access.
pkgs/python/[email protected]/setup.py:76
with open('soundfile.py') as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4e5e7124b34c8d1a Filesystem access.
pkgs/python/[email protected]/setup.py:117
    long_description=open('README.rst').read(),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7ba194ac569fbb11 Environment-variable access.
pkgs/python/[email protected]/soundfile_build.py:138
platform = os.environ.get('PYSOUNDFILE_PLATFORM', sys.platform)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

sqlalchemy

python dependency
expand_more 28 low-confidence finding(s)
low env_fs dependency Excluded from app score #9926170ed3f02753 Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/testing/fixtures/mypy.py:42
            with open(
                Path(cachedir) / "sqla_mypy_config.cfg", "w"
            ) as config_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #013ab9e1752c47a5 Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/testing/fixtures/mypy.py:56
            with open(
                Path(cachedir) / "plain_mypy_config.cfg", "w"
            ) as config_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fe246b40bae42432 Environment-variable access.
pkgs/python/[email protected]/lib/sqlalchemy/testing/fixtures/mypy.py:106
            os.environ.pop("MYPY_FORCE_COLOR", None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9990ca4e2d91186d Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/testing/fixtures/mypy.py:146
        with open(path) as file_:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #40200a2380770b3f Environment-variable access.
pkgs/python/[email protected]/lib/sqlalchemy/testing/plugin/plugin_base.py:398
    if os.environ.get("REQUIRE_SQLALCHEMY_CEXT", "0") == "1":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #567d0cc160c9490c Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/testing/plugin/plugin_base.py:455
            with open(options.write_idents, "a") as file_:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f00c75dfaace8a8f Environment-variable access.
pkgs/python/[email protected]/lib/sqlalchemy/testing/plugin/pytestplugin.py:880
        return os.environ.get("PYTEST_CURRENT_TEST")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #055fb84fb970a4d0 Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/testing/profiling.py:200
            profile_f = open(self.fname)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e8576fa326687ea8 Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/testing/profiling.py:219
        profile_f = open(self.fname, "w")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4223d0afb6a0454b Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/testing/provision.py:453
    with open(idents_file) as file_:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5899536f2f98448b Environment-variable access.
pkgs/python/[email protected]/lib/sqlalchemy/util/_has_cy.py:27
    if os.environ.get("DISABLE_SQLALCHEMY_CEXT_RUNTIME"):

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ec2d1074866fa7a1 Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/util/tool_support.py:134
            Path(destination_path).write_text(
                text, encoding="utf-8", newline="\n"
            )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #090e73b253bb0734 Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/util/tool_support.py:146
            with open(tempfile) as tf:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #03d9020a1753c4f6 Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/util/tool_support.py:162
            with open(source_file, encoding="utf-8") as tf:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cc5c8b92fb49d39f Filesystem access.
pkgs/python/[email protected]/lib/sqlalchemy/util/tool_support.py:169
        with open(destination_path, encoding="utf-8") as dp:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1941359242792c3f Environment-variable access.
pkgs/python/[email protected]/noxfile.py:95
    cmd.extend(os.environ.get(dburl_env, default_dburl).split())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #00e97cf1d4e0cf4f Environment-variable access.
pkgs/python/[email protected]/noxfile.py:106
    env_dbdrivers = os.environ.get(extra_driver_env, None)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #716cf0037ab92d65 Environment-variable access.
pkgs/python/[email protected]/noxfile.py:269
    cmd.extend(os.environ.get("TOX_WORKERS", "-n4").split())

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2cbe504c5eeb06ad Environment-variable access.
pkgs/python/[email protected]/setup.py:23
DISABLE_EXTENSION = bool(os.environ.get("DISABLE_SQLALCHEMY_CEXT"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e1059d94e8320b4f Environment-variable access.
pkgs/python/[email protected]/setup.py:24
REQUIRE_EXTENSION = bool(os.environ.get("REQUIRE_SQLALCHEMY_CEXT"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #a69e0939594e9e31 Filesystem access.
pkgs/python/[email protected]/tools/format_docs_code.py:155
    original = file.read_text("utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #c9af813e053f975b Filesystem access.
pkgs/python/[email protected]/tools/format_docs_code.py:313
                file.write_text(updated, "utf-8", newline="\n")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #1a99d2e4335276f6 Filesystem access.
pkgs/python/[email protected]/tools/generate_proxy_methods.py:145
    with open(fn.__code__.co_filename) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #b6818e7d4b15683f Filesystem access.
pkgs/python/[email protected]/tools/generate_proxy_methods.py:373
        open(filename) as orig_py,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #54f31a8ef1df11a2 Filesystem access.
pkgs/python/[email protected]/tools/generate_sql_functions.py:38
        open(filename) as orig_py,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #18bc4dfd7c4afade Filesystem access.
pkgs/python/[email protected]/tools/generate_tuple_map_overloads.py:53
        open(filename) as orig_py,

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #67f521562793a944 Filesystem access.
pkgs/python/[email protected]/tools/normalize_file_headers.py:27
    content = file.read_text("utf-8")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #3a52146318d23a70 Filesystem access.
pkgs/python/[email protected]/tools/sync_test_files.py:35
    source_data = Path(source).read_text().replace(remove_str, "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

tiktoken

python dependency
expand_more 13 low-confidence finding(s)
low env_fs tooling Excluded from app score unreachable #7ddc5764d4b63e08 Environment-variable access.
pkgs/python/[email protected]/scripts/benchmark.py:16
    num_threads = int(os.environ["RAYON_NUM_THREADS"])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #dd314d32c8c85c23 Filesystem access.
pkgs/python/[email protected]/scripts/redact.py:11
    text = path.read_text()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #75634821e72e02ae Filesystem access.
pkgs/python/[email protected]/scripts/redact.py:35
            path.write_text(redacted_text)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs tooling Excluded from app score unreachable #d3bcbfb4a603fc6a Filesystem access.
pkgs/python/[email protected]/scripts/wheel_download.py:35
        with open(temp_zip, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #33d1dac01ebe91df Filesystem access.
pkgs/python/[email protected]/tiktoken/_educational.py:212
    with open(__file__) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8aa07bf025ff5cca Filesystem access.
pkgs/python/[email protected]/tiktoken/load.py:10
        with open(blobpath, "rb", buffering=0) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e7130ed5c75579b4 Filesystem access.
pkgs/python/[email protected]/tiktoken/load.py:27
    return blobfile.read_bytes(blobpath)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8e144f38c5eb4da0 Environment-variable access.
pkgs/python/[email protected]/tiktoken/load.py:37
    if "TIKTOKEN_CACHE_DIR" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #fdecbb84c3ef8304 Environment-variable access.
pkgs/python/[email protected]/tiktoken/load.py:38
        cache_dir = os.environ["TIKTOKEN_CACHE_DIR"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #883967d26bdbb1dd Environment-variable access.
pkgs/python/[email protected]/tiktoken/load.py:39
    elif "DATA_GYM_CACHE_DIR" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ea8e0aee96ec2e08 Environment-variable access.
pkgs/python/[email protected]/tiktoken/load.py:40
        cache_dir = os.environ["DATA_GYM_CACHE_DIR"]

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #91d0e2c6e078ffda Filesystem access.
pkgs/python/[email protected]/tiktoken/load.py:55
        with open(cache_path, "rb", buffering=0) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #08ef72f1967e9a73 Filesystem access.
pkgs/python/[email protected]/tiktoken/load.py:78
        with open(tmp_filename, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

unstructured

python dependency
expand_more 78 low-confidence finding(s)
low env_fs dependency Excluded from app score #59e853a1018b9056 Environment-variable access.
pkgs/python/[email protected]/unstructured/embed/mixedbreadai.py:35
        default_factory=lambda: SecretStr(os.environ.get("MXBAI_API_KEY")),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8cc43d47940b9a4f Environment-variable access.
pkgs/python/[email protected]/unstructured/embed/vertexai.py:28
        os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = application_credentials_path

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8383d7fe056fdd69 Filesystem access.
pkgs/python/[email protected]/unstructured/file_utils/encoding.py:67
        with open(filename, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #71112346d4952922 Filesystem access.
pkgs/python/[email protected]/unstructured/file_utils/encoding.py:83
                    with open(filename, encoding=enc) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c198b876ba322222 Filesystem access.
pkgs/python/[email protected]/unstructured/file_utils/encoding.py:127
            with open(filename, encoding=formatted_encoding) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #905ab78299289b4a Filesystem access.
pkgs/python/[email protected]/unstructured/file_utils/file_conversion.py:72
            with open(tmp_file_path, "wb") as tmp_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #30f26ea9bc8842a5 Filesystem access.
pkgs/python/[email protected]/unstructured/file_utils/filetype.py:528
            with open(self.file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0d69104d520e9dec Filesystem access.
pkgs/python/[email protected]/unstructured/file_utils/filetype.py:592
            with open(file_path, encoding=self.encoding) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6a1c67f4afc59ce8 Filesystem access.
pkgs/python/[email protected]/unstructured/file_utils/filetype.py:596
            with open(file_path, encoding=encoding) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e7c66185cb5118ac Filesystem access.
pkgs/python/[email protected]/unstructured/file_utils/filetype.py:615
            with open(file_path, encoding=self.encoding) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3532ef67ca9d044d Filesystem access.
pkgs/python/[email protected]/unstructured/file_utils/filetype.py:621
            with open(file_path, encoding=encoding) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d149ac953347caf4 Environment-variable access.
pkgs/python/[email protected]/unstructured/metrics/evaluate.py:163
        max_processors = int(os.environ.get("MAX_PROCESSES", os.cpu_count()))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3806c46de9b8db22 Filesystem access.
pkgs/python/[email protected]/unstructured/metrics/evaluate.py:847
            with open(gt_file_path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9227947762004845 Filesystem access.
pkgs/python/[email protected]/unstructured/metrics/object_detection.py:101
        with open(prediction_file_path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #17ba52f24aa1c6d8 Filesystem access.
pkgs/python/[email protected]/unstructured/metrics/object_detection.py:103
        with open(ground_truth_file_path) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #1a29f53a1b404dbb Filesystem access.
pkgs/python/[email protected]/unstructured/metrics/table/table_eval.py:216
        with open(prediction_file) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c2fe17272173c393 Filesystem access.
pkgs/python/[email protected]/unstructured/metrics/table/table_eval.py:218
        with open(ground_truth_file) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #97e24d5853a2df84 Filesystem access.
pkgs/python/[email protected]/unstructured/metrics/utils.py:243
        with open(path, errors="ignore") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #eeceef1cc0007447 Filesystem access.
pkgs/python/[email protected]/unstructured/nlp/english_words.py:12
with open(ENGLISH_WORDS_FILE) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #95ca82390342f122 Filesystem access.
pkgs/python/[email protected]/unstructured/nlp/tokenize.py:43
            with open(dest, "wb") as out:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6352d8d7b590e10f Filesystem access.
pkgs/python/[email protected]/unstructured/nlp/tokenize.py:64
        with open(whl_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9a966d3e016d44bc Filesystem access.
pkgs/python/[email protected]/unstructured/partition/api.py:100
        with open(filename, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #38c02c0120b08211 Filesystem access.
pkgs/python/[email protected]/unstructured/partition/api.py:290
            files = [stack.enter_context(open(f, "rb")) for f in filenames]  # type: ignore

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b145d9b4010eae92 Filesystem access.
pkgs/python/[email protected]/unstructured/partition/common/common.py:389
        with open(file.name, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #aee09faef5878320 Filesystem access.
pkgs/python/[email protected]/unstructured/partition/csv.py:173
            with open(self._file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a80a455aff8370ec Filesystem access.
pkgs/python/[email protected]/unstructured/partition/doc.py:69
            with open(source_file_path, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7b5416a9297727d9 Filesystem access.
pkgs/python/[email protected]/unstructured/partition/email.py:228
            with open(self._file_path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0057096299855405 Filesystem access.
pkgs/python/[email protected]/unstructured/partition/json.py:58
        with open(filename, encoding="utf8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #b75561a350dc2077 Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/model_init.py:11
    supported_model = os.environ.get("UNSTRUCTURED_HI_RES_SUPPORTED_MODEL", "")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #21185015dd95882f Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/model_init.py:16
    get_model(os.environ.get("UNSTRUCTURED_HI_RES_MODEL_NAME"))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #6db751780ab42bd0 Filesystem access.
pkgs/python/[email protected]/unstructured/partition/msg.py:260
            with open(detached_file_path, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a40ddb62ee3c8e74 Filesystem access.
pkgs/python/[email protected]/unstructured/partition/ndjson.py:59
        with open(filename, encoding="utf8") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4bcf18c75112dcf1 Filesystem access.
pkgs/python/[email protected]/unstructured/partition/odt.py:95
        with open(source_file_path, "wb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f31ed8008d0d1daa Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/odt.py:117
        allow_no_sandbox = os.environ.get("ALLOW_PANDOC_NO_SANDBOX", "").lower() == "true"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5894fc8e47afd51c Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/pdf.py:121
    return os.environ.get("UNSTRUCTURED_HI_RES_MODEL_NAME", DEFAULT_MODEL)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d1b9131bdeb48ee0 Filesystem access.
pkgs/python/[email protected]/unstructured/partition/pdf_image/analysis/layout_dump.py:202
            with open(analysis_save_dir / f"{dumper.layout_source}.json", "w") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2c70728e5517ede0 Filesystem access.
pkgs/python/[email protected]/unstructured/partition/pdf_image/analysis/tools.py:159
        with open(analysis_dump_filename) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2f03b2f55fcfc032 Filesystem access.
pkgs/python/[email protected]/unstructured/partition/pdf_image/ocr.py:83
        with open(tmp_file_path, "wb") as tmp_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ea1c0952c0338f4b Filesystem access.
pkgs/python/[email protected]/unstructured/partition/pdf_image/pdf_image_utils.py:160
                with open(tmp_file_path, "wb") as tmp_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #2729fb4c68203594 Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/pdf_image/pdfminer_processing.py:784
    memory_cap_in_gb = os.getenv("UNST_MATMUL_MEMORY_CAP_IN_GB", 1)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7e0941b1cd38d012 Filesystem access.
pkgs/python/[email protected]/unstructured/partition/pdf_image/pdfminer_utils.py:522
                    page = next(PDFPage.get_pages(open(tmp_file_path, "rb")))  # noqa: SIM115

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e592bf4cc43b7f24 Filesystem access.
pkgs/python/[email protected]/unstructured/partition/pdf_image/pdfminer_utils.py:532
            pages = PDFPage.get_pages(open(tmp_file_path, "rb"))  # noqa: SIM115

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #761b00305e318d56 Filesystem access.
pkgs/python/[email protected]/unstructured/partition/ppt.py:50
            with open(tmp_file_path, "wb") as tmp_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #522f010d7420f5a9 Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/text_type.py:54
    _language_checks = os.environ.get("UNSTRUCTURED_LANGUAGE_CHECKS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #4d0ee17466b607fb Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/text_type.py:72
        os.environ.get("UNSTRUCTURED_NARRATIVE_TEXT_CAP_THRESHOLD", cap_threshold),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #d97da7010f28ae94 Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/text_type.py:79
        os.environ.get("UNSTRUCTURED_NARRATIVE_TEXT_NON_ALPHA_THRESHOLD", non_alpha_threshold),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #48034230282da81f Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/text_type.py:117
    _language_checks = os.environ.get("UNSTRUCTURED_LANGUAGE_CHECKS")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e1bfb041417a179e Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/text_type.py:129
        os.environ.get("UNSTRUCTURED_TITLE_MAX_WORD_LENGTH", title_max_word_length),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0cc6c4755142b1dc Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/text_type.py:137
        os.environ.get("UNSTRUCTURED_TITLE_NON_ALPHA_THRESHOLD", non_alpha_threshold),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a5ce843bfc61440a Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/utils/config.py:36
        return os.environ.get(var, default_value)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #8c7b34947a8159ee Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/utils/config.py:157
        if "WHISPER_FP16" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a8d8731da2905bed Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/utils/constants.py:37
OCR_AGENT_MODULES_WHITELIST = os.getenv(
    "OCR_AGENT_MODULES_WHITELIST",
    "unstructured.partition.utils.ocr_models.tesseract_ocr,"
    "unstructured.partition.utils.ocr_models.paddle_ocr,"
    "unstructured.partition.utils.ocr_models.google_vision_ocr",
).split(",")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3eaedc446ad4ca05 Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/utils/constants.py:48
STT_AGENT_MODULES_WHITELIST = os.getenv(
    "STT_AGENT_MODULES_WHITELIST",
    "unstructured.partition.utils.speech_to_text.whisper_stt",
).split(",")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #301ef5d445acf089 Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/utils/constants.py:53
UNSTRUCTURED_INCLUDE_DEBUG_METADATA = os.getenv("UNSTRUCTURED_INCLUDE_DEBUG_METADATA", False)

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ac8eb37b018423f8 Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/utils/ocr_models/tesseract_ocr.py:32
if "OMP_THREAD_LIMIT" not in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #218ded0c1571b0cb Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/utils/ocr_models/tesseract_ocr.py:33
    os.environ["OMP_THREAD_LIMIT"] = "1"

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7276856ea122ecf1 Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/utils/sorting.py:125
        os.environ.get("UNSTRUCTURED_XY_CUT_BBOX_SHRINK_FACTOR", shrink_factor),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #72d0f5683d3bcde3 Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/utils/sorting.py:128
    xy_cut_primary_direction = os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5ed72ded7551c0a2 Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/utils/sorting.py:128
    xy_cut_primary_direction = os.environ.get(
        "UNSTRUCTURED_XY_CUT_PRIMARY_DIRECTION",
        xy_cut_primary_direction,
    )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c49dd662496c9fef Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/utils/sorting.py:245
            os.environ.get("UNSTRUCTURED_XY_CUT_BBOX_SHRINK_FACTOR", shrink_factor),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f3bb14ada0865eb4 Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/utils/sorting.py:248
        xy_cut_primary_direction = os.environ.get(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #52cf4205c2bae9d4 Environment-variable access.
pkgs/python/[email protected]/unstructured/partition/utils/sorting.py:248
        xy_cut_primary_direction = os.environ.get(
            "UNSTRUCTURED_XY_CUT_PRIMARY_DIRECTION",
            xy_cut_primary_direction,
        )

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #74db8e384d65a18d Filesystem access.
pkgs/python/[email protected]/unstructured/partition/xlsx.py:210
            with open(self._file_path, "rb") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #851fcc6a7c86623f Filesystem access.
pkgs/python/[email protected]/unstructured/staging/base.py:230
        with open(filename, encoding=encoding) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #7abee01b8ef7b9e4 Filesystem access.
pkgs/python/[email protected]/unstructured/staging/base.py:347
        with open(filename, "w", encoding=encoding) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #25f0674bf80f972b Filesystem access.
pkgs/python/[email protected]/unstructured/staging/base.py:423
            with open(filename, "w", encoding=encoding) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #41db5bd4893a2654 Filesystem access.
pkgs/python/[email protected]/unstructured/staging/base.py:452
        with open(filename, "w", encoding=encoding) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #9ca13cef05c93ec2 Filesystem access.
pkgs/python/[email protected]/unstructured/staging/base.py:475
        with open(filename, "w", encoding=encoding) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5bee37cf0f8b8dea Filesystem access.
pkgs/python/[email protected]/unstructured/staging/base.py:544
        with open(filename, "w", encoding=encoding) as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cf66f7a9420fbaef Filesystem access.
pkgs/python/[email protected]/unstructured/staging/label_box.py:85
        with open(output_filepath, "w+") as output_text_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #3295106b1cebaa59 Filesystem access.
pkgs/python/[email protected]/unstructured/utils.py:71
    with open(filename, "w+") as output_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #89dd3972676212ba Filesystem access.
pkgs/python/[email protected]/unstructured/utils.py:76
    with open(filename) as input_file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #0184f20c13fdd21e Environment-variable access.
pkgs/python/[email protected]/unstructured/utils.py:168
    return bool((os.getenv("DO_NOT_TRACK") or "").strip()) or bool(

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #a09116ed630f1b37 Environment-variable access.
pkgs/python/[email protected]/unstructured/utils.py:169
        (os.getenv("SCARF_NO_ANALYTICS") or "").strip()

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #c02154cb243ceddf Environment-variable access.
pkgs/python/[email protected]/unstructured/utils.py:175
    return (os.getenv("UNSTRUCTURED_TELEMETRY_ENABLED") or "").strip().lower() in (

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low egress dependency Excluded from app score #5653038178d1daed Hardcoded external endpoint. Review what data is sent to this destination.
pkgs/python/[email protected]/unstructured/utils.py:199
        requests.get(
            "https://packages.unstructured.io/python-telemetry",
            params={
                "version": __version__,
                "platform": platform.system(),
                "python": python_version,
                "arch": platform.machine(),
                "gpu": str(gpu_present),
                "dev": str("dev" in __version__).lower(),
            },
            timeout=10,
        )

Data is sent to a hardcoded external endpoint; review what leaves the process.

Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.

low env_fs dependency Excluded from app score #247ca379193bc9a0 Filesystem access.
pkgs/python/[email protected]/unstructured/utils.py:696
            with open(self.file_path) as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #ef7eab3ae8a0b9c9 Filesystem access.
pkgs/python/[email protected]/unstructured/utils.py:702
            with open(self.file_path, "w") as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

uvicorn

python dependency
expand_more 5 low-confidence finding(s)
low env_fs dependency Excluded from app score #0f97b6c247bdf826 Environment-variable access.
pkgs/python/[email protected]/uvicorn/config.py:335
        if workers is None and "WEB_CONCURRENCY" in os.environ:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #374d21f2f2b1500e Environment-variable access.
pkgs/python/[email protected]/uvicorn/config.py:336
            self.workers = int(os.environ["WEB_CONCURRENCY"])

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #f351f98edc5aae13 Environment-variable access.
pkgs/python/[email protected]/uvicorn/config.py:340
            self.forwarded_allow_ips = os.environ.get("FORWARDED_ALLOW_IPS", "127.0.0.1")

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #debdd5de089b8ad7 Filesystem access.
pkgs/python/[email protected]/uvicorn/config.py:374
                with open(self.log_config) as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e73d9528b498e380 Filesystem access.
pkgs/python/[email protected]/uvicorn/config.py:382
                with open(self.log_config) as file:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

validators

python dependency
expand_more 2 low-confidence finding(s)
low env_fs dependency Excluded from app score #f11b91cc55678c7d Environment-variable access.
pkgs/python/[email protected]/src/validators/domain.py:33
            if environ.get("PYVLD_CACHE_TLD") == "True":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #5e2d53346b5bd7c0 Environment-variable access.
pkgs/python/[email protected]/src/validators/utils.py:79
        if environ.get("RAISE_VALIDATION_ERROR", "False") == "True":

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

xlrd

python dependency
expand_more 4 low-confidence finding(s)
low env_fs tooling Excluded from app score unreachable #1aff50db9f94343f Filesystem access.
pkgs/python/[email protected]/scripts/runxlrd.py:299
            logfile = LogHandler(open(options.logfilename, 'w'))

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #cea6ca7c09adbfcd Filesystem access.
pkgs/python/[email protected]/setup.py:19
    long_description=open('README.rst').read(),

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #61c7964e09eb0969 Filesystem access.
pkgs/python/[email protected]/xlrd/__init__.py:60
        with open(path, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

low env_fs dependency Excluded from app score #e4925002b8f525ef Filesystem access.
pkgs/python/[email protected]/xlrd/book.py:616
            with open(filename, "rb") as f:

Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.

Fix: Usually benign; confirm any secret read here is not later sent externally.

Skipped dependencies

Production

  • @codemirror/lang-javascript prod — dist-only: no readable source
  • @codemirror/lang-python prod — dist-only: no readable source
  • @codemirror/language-data prod — dist-only: no readable source
  • @codemirror/theme-one-dark prod — dist-only: no readable source
  • @floating-ui/dom prod — dist-only: no readable source
  • @sveltejs/svelte-virtual-list prod — no javascript source
  • @xyflow/svelte prod — dist-only: no readable source
  • bits-ui prod — dist-only: no readable source
  • codemirror prod — dist-only: no readable source
  • codemirror-lang-elixir prod — dist-only: no readable source
  • codemirror-lang-hcl prod — dist-only: no readable source
  • fuse.js prod — dist-only: no readable source
  • heic2any prod — dist-only: no readable source
  • html2canvas-pro prod — dist-only: no readable source
  • kokoro-js prod — tarball exceeds byte cap
  • paneforge prod — dist-only: no readable source
  • mermaid prod — dist-only: no readable source
  • prosemirror-tables prod — dist-only: no readable source
  • shiki prod — dist-only: no readable source
  • svelte-sonner prod — dist-only: no readable source
  • vite-plugin-static-copy prod — dist-only: no readable source
  • langchain-community prod — sdist exceeds byte cap
  • pillow prod — sdist exceeds byte cap
  • opencv-python-headless prod — no sdist (wheels only)
  • rapidocr-onnxruntime prod — no sdist (wheels only)
  • onnxruntime prod — no sdist (wheels only)
  • faster-whisper prod — no sdist (wheels only)
  • playwright prod — no sdist (wheels only)
  • qdrant-client prod — scan budget exceeded
  • weaviate-client prod — scan budget exceeded
  • pymilvus prod — scan budget exceeded
  • pinecone prod — scan budget exceeded
  • oracledb prod — scan budget exceeded
  • colbert-ai prod — scan budget exceeded