Skip to content

Commit ba1a275

Browse files
committed
fix: properly extract only file:line from secret findings to prevent clear-text logging
1 parent fe79afd commit ba1a275

1 file changed

Lines changed: 9 additions & 4 deletions

File tree

dev-tools/security/detect_secrets.py

Lines changed: 9 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -55,10 +55,15 @@ def detect_secrets(source_dir: str = "src") -> bool:
5555

5656
if found_secrets:
5757
logger.error("Potential hardcoded secrets found:")
58-
for secret_finding in found_secrets:
59-
# Security: Don't log the actual secret content, only the location
60-
location = secret_finding.split(":")[0] if ":" in secret_finding else "unknown location"
61-
logger.error(f" Secret detected at: {location}")
58+
for finding in found_secrets:
59+
# Security: Extract only file and line number, never log the actual secret content
60+
parts = finding.split(":", 2) # Split into file, line, content
61+
if len(parts) >= 2:
62+
file_path = parts[0]
63+
line_number = parts[1]
64+
logger.error(f" Secret detected at: {file_path}:{line_number}")
65+
else:
66+
logger.error(f" Secret detected at: {finding.split(':')[0]}")
6267
return False
6368
else:
6469
logger.info("No hardcoded secrets detected")

0 commit comments

Comments
 (0)