openai_api_key false positive #3664

@iportilla

Description

Describe the bug
A clear and concise description of what the bug is.
Scan this sample code.
To Reproduce
from flask import Flask, request, jsonify
import openai
import datetime

app = Flask(__name__)
openai.api_key = "sk-123456789" # Hardcoded key

@app.route("/chat", methods=["POST"])
def chat():
    user_input = request.json.get("message", "")
    response = openai.ChatCompletion.create(
        model="gpt-4",
        messages=[{"role": "user", "content": user_input}],
    )
    return jsonify({"response": response["choices"][0]["message"]["content"]})

Expected behavior
openai.api_key = "sk-123456789" # Hardcoded key

Screenshots
If applicable, add screenshots to help explain your problem.

What is the priority of the bug to you?

  • P0: blocking your adoption of Semgrep or workflow
  • P1: important to fix or quite annoying
  • P2: regular bug that should get fixed

Environment
If not using semgrep.dev: are you running off docker, an official binary, a local build?

Use case
What will fixing this bug enable for you?

Labels: bug (Something isn't working)
