Skip to content

Commit aa25451

Browse files
committed
fix: store only file path and line number as tuples to prevent secret content retention
1 parent ba1a275 commit aa25451

1 file changed

Lines changed: 5 additions & 10 deletions

File tree

dev-tools/security/detect_secrets.py

Lines changed: 5 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -48,22 +48,17 @@ def detect_secrets(source_dir: str = "src") -> bool:
4848
for _match in matches:
4949
# Check if this is an exception
5050
if not any(exc in line for exc in exceptions):
51-
found_secrets.append(f"{py_file}:{line_num}: {line.strip()}")
51+
# Store only file path and line number to avoid retaining secret content
52+
found_secrets.append((str(py_file), line_num))
5253

5354
except Exception as e:
5455
logger.warning(f"Could not read {py_file}: {e}")
5556

5657
if found_secrets:
5758
logger.error("Potential hardcoded secrets found:")
58-
for finding in found_secrets:
59-
# Security: Extract only file and line number, never log the actual secret content
60-
parts = finding.split(":", 2) # Split into file, line, content
61-
if len(parts) >= 2:
62-
file_path = parts[0]
63-
line_number = parts[1]
64-
logger.error(f" Secret detected at: {file_path}:{line_number}")
65-
else:
66-
logger.error(f" Secret detected at: {finding.split(':')[0]}")
59+
for file_path, line_number in found_secrets:
60+
# Security: Log only file and line number, never the actual secret content
61+
logger.error(f" Secret detected at: {file_path}:{line_number}")
6762
return False
6863
else:
6964
logger.info("No hardcoded secrets detected")

0 commit comments

Comments
 (0)