LowFile-scopePython Plug & play

Replace hardcoded paths with configuration

Derive paths/URLs from configuration or environment variables, not string literals in code.

Why this matters

Enables environment-specific deployments and safer secrets management.

Side-by-side examples engineers can pattern-match during review.

Avoid

DATA_DIR = '/var/app/data'

Prefer

import os
DATA_DIR = os.environ.get('DATA_DIR', '/tmp/app-data')

Bad

BASE_URL = 'https://prod.example.com'

Good

BASE_URL = os.environ['BASE_URL']

From the same buckets as this rule.

High
Add explicit environment variable checks
Validate required runtime env vars at container start via an entrypoint script; exit with a clear message on missing values.
config-environmentcontainer-docker-hygiene+1
High
Encrypt PII at rest using application-layer crypto
Encrypt sensitive columns (e.g., email, phone) with managed keys; ensure DB connection enforces TLS. Store only ciphertext; compare via deterministic token/hashes when needed. (GDPR Art. 32)
compliance-gdprsecurity-hardening+1
High
Enforce retention with explicit TTL per data category
PII tables must include an expires_at (or retention_policy) column and a scheduled deletion/archival job aligned to data category. No indefinite retention. (GDPR Art. 5(1)(e))
compliance-gdprprivacy-pii+2