Summary
WireTapper's tracked entrypoint configures third-party provider credentials as source-level constants instead of requiring runtime secret injection, encouraging secret-in-code deployments for WiGLE, OpenCellID, and Shodan access.
Evidence
Why this matters
Even when the checked-in values are placeholders, the design tells operators to put provider credentials into source code. That creates avoidable commit leakage, poor rotation discipline, and divergent runtime behavior between entrypoints.
Attack or failure scenario
An operator pastes live WiGLE or Shodan credentials into app.py to get the demo working quickly, then commits or copies the file into deployment artifacts. The credential is now embedded in source history and local backups.
Root cause
The repository mixes a demo-style hardcoded config path with an environment-based config path instead of enforcing a single runtime secret boundary.
Recommended fix
- Remove provider credential constants from tracked source entrypoints.
- Require environment-backed secret injection in every runnable entrypoint.
- Fail startup if required provider credentials are missing rather than inviting source edits.
- Add secret-scanning checks to prevent future commits of provider keys.
Acceptance criteria
- No tracked entrypoint contains provider credential fields as editable source constants.
- All provider auth flows read from environment or managed secrets only.
- Documentation reflects a single secret-handling model.
Suggested labels
- security
- technical-debt
- production-readiness
Priority
P2 (Medium)
Severity
Medium — the repository encourages secret-in-code operation and inconsistent credential custody.
Confidence
Confirmed — the tracked source constants and their provider usage are explicit.
Summary
WireTapper's tracked entrypoint configures third-party provider credentials as source-level constants instead of requiring runtime secret injection, encouraging secret-in-code deployments for WiGLE, OpenCellID, and Shodan access.
Evidence
WIGLE_API_TOKEN,OPENCELLID_API_KEY, andSHODAN_API_KEYas module constants in tracked source.app-env.py, uses environment variables, showing conflicting secret-handling models within the same repository.Why this matters
Even when the checked-in values are placeholders, the design tells operators to put provider credentials into source code. That creates avoidable commit leakage, poor rotation discipline, and divergent runtime behavior between entrypoints.
Attack or failure scenario
An operator pastes live WiGLE or Shodan credentials into
app.pyto get the demo working quickly, then commits or copies the file into deployment artifacts. The credential is now embedded in source history and local backups.Root cause
The repository mixes a demo-style hardcoded config path with an environment-based config path instead of enforcing a single runtime secret boundary.
Recommended fix
Acceptance criteria
Suggested labels
Priority
P2 (Medium)
Severity
Medium — the repository encourages secret-in-code operation and inconsistent credential custody.
Confidence
Confirmed — the tracked source constants and their provider usage are explicit.