1111logger = logging .getLogger (__name__ )
1212
1313
14- def detect_secrets (source_dir : str = "src" ) -> bool :
14+ def detect_credentials (source_dir : str = "src" ) -> bool :
1515 """Detect potential hardcoded secrets in Python files."""
1616
1717 # Pattern to match potential secrets
@@ -36,39 +36,38 @@ def detect_secrets(source_dir: str = "src") -> bool:
3636 logger .error (f"Source directory '{ source_dir } ' not found" )
3737 return False
3838
39- found_secrets = []
39+ found_issues = []
4040
4141 for py_file in source_path .rglob ("*.py" ):
4242 try :
4343 with open (py_file , encoding = "utf-8" ) as f :
4444 content = f .read ()
4545
4646 for line_num , line in enumerate (content .split ("\n " ), 1 ):
47- matches = secret_pattern . findall ( line )
48- for _match in matches :
47+ # Check if line contains potential secrets without storing the match content
48+ if secret_pattern . search ( line ) :
4949 # Check if this is an exception
5050 if not any (exc in line for exc in exceptions ):
51- found_secrets .append (f"{ py_file } :{ line_num } : { line .strip ()} " )
51+ # Store only file path and line number to avoid retaining credential content
52+ found_issues .append ((str (py_file ), line_num ))
5253
5354 except Exception as e :
5455 logger .warning (f"Could not read { py_file } : { e } " )
5556
56- if found_secrets :
57- logger .error ("Potential hardcoded secrets found:" )
58- for secret in found_secrets :
59- # Security: Don't log the actual secret content, only the location
60- logger .error (
61- f" Secret detected at: { secret .split (':' )[0 ] if ':' in secret else 'unknown location' } "
62- )
57+ if found_issues :
58+ logger .error ("Potential hardcoded credentials found:" )
59+ for file_path , line_number in found_issues :
60+ # Security: Log only file and line number, never the actual credential content
61+ logger .error (f" Issue detected at: { file_path } :{ line_number } " )
6362 return False
6463 else :
65- logger .info ("No hardcoded secrets detected" )
64+ logger .info ("No hardcoded credentials detected" )
6665 return True
6766
6867
6968def main ():
7069 """Main function."""
71- if not detect_secrets ():
70+ if not detect_credentials ():
7271 sys .exit (1 )
7372 sys .exit (0 )
7473
0 commit comments