How to Hide API Keys in Python: Stop Leaking Secrets to GitHub

 

Whether you are building a data pipeline in Airflow or a simple AI bot, you should never hard-code your API keys directly in your Python script. If you push that code to a public repository, hackers will find it in seconds using automated scanners.

Here is the professional way to handle secrets using Environment Variables and .env files.

1. The Tool: python-dotenv

The industry standard for managing local secrets is a library called python-dotenv. It allows you to store your keys in a separate file that never gets uploaded to the internet.

Install it via terminal:

pip install python-dotenv

2. Create your .env File

In your project’s root folder, create a new file named exactly .env. Inside, add your secrets like this:

# .env file

DATABASE_URL=postgres://user:password@localhost:5432/mydb

OPENAI_API_KEY=sk-your-secret-key-here

AWS_SECRET_ACCESS_KEY=your-aws-key

3. Access Secrets in Python

Now, you can load these variables into your script without ever typing the actual key in your code.

import os

from dotenv import load_dotenv

# Load the variables from .env into the system environment

load_dotenv()

# Access them using os.getenv

api_key = os.getenv("OPENAI_API_KEY")

db_url = os.getenv("DATABASE_URL")

print(f"Successfully connected to the database!")

4. The Most Important Step: .gitignore

This is where the "Security" part happens. You must tell Git to ignore your .env file so it never leaves your computer.

Create a file named .gitignore and add this line:

.env

Why this is a "DevSecOps" Win:

• Security: Your keys stay on your machine.

• Flexibility: You can use different keys for "Development" and "Production" without changing a single line of code.

• Collaboration: Your teammates can create their own local .env files with their own credentials.

How to Fix: "SSL Certificate Problem: Self-Signed Certificate" in Git & Docker

This is one of the most common "Security vs. Productivity" errors. You’re trying to pull a private image or clone a repo, and your system blocks you because it doesn't trust the security certificate.

The Error: fatal: unable to access 'https://github.com/repo.git/': SSL certificate problem: self signed certificate in certificate chain




Why is this happening?

Your company or home network is likely using a "Self-Signed" SSL certificate for security monitoring. Git and Docker are designed to be secure by default, so they block these connections because they can't verify the "Chain of Trust."

❌ The "Bad" Way (Don't do this in Production!)

You will see people online telling you to just disable SSL verification:

git config --global http.sslVerify false

Why avoid this? This turns off security entirely, making you vulnerable to "Man-in-the-Middle" attacks. It's okay for a 2-minute test, but never leave it this way.

✅ The "Secure" Fix (The DevSecOps Way)

Instead of turning security off, tell your system to trust your specific certificate.

1. Download the Certificate

Export the .crt file from your browser (click the lock icon next to the URL) or get it from your IT department.

2. Update Git to use the Certificate

Point Git to your certificate file:

git config --global http.sslcainfo /path/to/your/certificate.crt

3. Update Docker (on Linux)

If Docker is failing, move the certificate to the trusted folder:

sudo mkdir -p /usr/local/share/ca-certificates/

sudo cp my-cert.crt /usr/local/share/ca-certificates/

sudo update-ca-certificates

Pro Tip: Use a Secret Scanner

While you're fixing security errors, make sure you aren't accidentally pushing passwords into your code! Tools like TruffleHog or git-secrets can scan your repo and stop you before you commit a major security leak.