Skip to content

Commit 1a44e72

Browse files
committed
fix: resolve clear-text logging of sensitive data (CodeQL py/clear-text-logging-sensitive-data)
Store only file path and line number as tuples instead of retaining secret content. This prevents sensitive data from being logged or stored in memory.
1 parent 00188dd commit 1a44e72

1 file changed

Lines changed: 5 additions & 5 deletions

File tree

dev-tools/security/detect_secrets.py

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -48,17 +48,17 @@ def detect_secrets(source_dir: str = "src") -> bool:
4848
for _match in matches:
4949
# Check if this is an exception
5050
if not any(exc in line for exc in exceptions):
51-
found_secrets.append(f"{py_file}:{line_num}: {line.strip()}")
51+
# Store only file path and line number to avoid retaining secret content
52+
found_secrets.append((str(py_file), line_num))
5253

5354
except Exception as e:
5455
logger.warning(f"Could not read {py_file}: {e}")
5556

5657
if found_secrets:
5758
logger.error("Potential hardcoded secrets found:")
58-
for secret in found_secrets:
59-
# Security: Don't log the actual secret content, only the location
60-
location = secret.split(":")[0] if ":" in secret else "unknown location"
61-
logger.error(f" Secret detected at: {location}")
59+
for file_path, line_number in found_secrets:
60+
# Security: Log only file and line number, never the actual secret content
61+
logger.error(f" Secret detected at: {file_path}:{line_number}")
6262
return False
6363
else:
6464
logger.info("No hardcoded secrets detected")

0 commit comments

Comments
 (0)