Add rule to check for getting sensitive data from environment variable

[ericwb]

Is your feature request related to a problem? Please describe.
Check calls to os.getenv or os.environ to read sensitive data such as passwords or other secrets from environment variables

Describe the solution you'd like
As described in the CLI standard:

Do not read secrets from environment variables. While environment variables may be convenient for storing secrets, they have proven too prone to leakage:

• Exported environment variables are sent to every process, and from there can easily leak into logs or be exfiltrated
• Shell substitutions like curl -H "Authorization: Bearer $BEARER_TOKEN" will leak into globally-readable process state. (cURL offers the -H @filename alternative for reading sensitive headers from a file.)
• Docker container environment variables can be viewed by anyone with Docker daemon access via docker inspect
• Environment variables in systemd units are globally readable via systemctl show

Secrets should only be accepted via credential files, pipes, AF_UNIX sockets, secret management services, or another IPC mechanism.

For example:
https://github.com/openai/openai-python?tab=readme-ov-file#async-usage

Describe alternatives you've considered
n/a

Additional context

• https://docs.python.org/3/library/os.html#os.environ
• https://docs.python.org/3/library/os.html#os.putenv
• https://clig.dev/#environment-variables
• https://github.com/theskumar/python-dotenv
• https://dev.to/jakewitcher/using-env-files-for-environment-variables-in-python-applications-55a1

Love this idea? Give it a 👍. We prioritize fulfilling features with the most 👍.