Using environment variables is security-sensitive. For example, their use has led in the past to the following vulnerabilities:

Environment variables are sensitive to injection attacks, just like any other input.

Note also that environment variables can be exposed in multiple ways, storing sensitive information in them should be done carefully:

This rule raises an issue when environment variables are read.

Ask Yourself Whether

You are at risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

Sanitize every environment variable before using its value.

If you store sensitive information in an environment variable, make sure that no other process can access them, i.e. the process runs with a separate user account and child processes don't have access to their parent's environment.

Don't run your application in debug mode if it has access to sensitive information, including environment variables.

Sensitive Code Example

public class Main {
    public static void main (String[] args) {
        System.getenv();  // Sensitive
        System.getenv("myvar");  // Sensitive

        ProcessBuilder processBuilder = new ProcessBuilder();
        Map<String, String> environment = processBuilder.environment();  // Sensitive
        environment.put("VAR", "value");

        Runtime.getRuntime().exec("ping", new String[]{"env=val"});   // Sensitive
    }
}

See

Deprecated

This rule is deprecated, and will eventually be removed.