Serialize Environment Warning

Code	Severity	i18n	Experimental
serialize-environment	`Warning`	`sast_warnings.serialize_environment`	❌

Introduction

This warning is triggered when the code attempts to serialize the entire Node.js process.env object, potentially indicating environment variable exfiltration. Environment variables often contain sensitive information such as API keys, database credentials, authentication tokens, and other secrets.

Detection Behavior

The probe has different detection modes depending on the sensitivity level:

Conservative Mode (default)

Detects only explicit serialization of process.env:

JSON.stringify(process.env) - Direct serialization
JSON.stringify(process["env"]) - Bracket notation variants

Aggressive Mode

In addition to serialization, also detects:

Any direct process.env access
Variable assignments like const env = process.env

Examples

// Detected in both modes: JSON.stringify
const envData = JSON.stringify(process.env);
const envData = JSON.stringify(process["env"]);
const envData = JSON.stringify(process['env']);
const envData = JSON.stringify(process[`env`]);

// Detected only in aggressive mode: direct access
const env = process.env;
console.log(process.env);

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Serialize Environment Warning

Introduction

Detection Behavior

Conservative Mode (default)

Aggressive Mode

Examples

References

FilesExpand file tree

serialize-environment.md

Latest commit

History

serialize-environment.md

File metadata and controls

Serialize Environment Warning

Introduction

Detection Behavior

Conservative Mode (default)

Aggressive Mode

Examples

References