Potential fix for code scanning alert no. 1655: Clear-text logging of sensitive information#744
Conversation
… sensitive information Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com>
There was a problem hiding this comment.
Sorry @Bryan-Roe, you have reached your weekly rate limit of 500000 diff characters.
Please try again later or upgrade to continue using Sourcery
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
Bugbot couldn't run - usage limit reachedBugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit. A user or team admin can review and increase usage limits in the Cursor dashboard. (requestId: serverGenReqId_f28438ef-e360-40c8-84e1-935700c09c81) |
Bugbot couldn't run - usage limit reachedBugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit. A user or team admin can review and increase usage limits in the Cursor dashboard. (requestId: serverGenReqId_d584fd01-53be-4007-909d-2be79ec1d3be) |
🔐 CodeQL — Open Alerts on this PR
Copilot Autofix suggestions (if enabled) appear as inline review comments on the affected lines. |
Potential fix for https://github.com/Bryan-Roe/Aria/security/code-scanning/1655
To fix this, avoid logging any potentially sensitive derived detail (
names) in clear text. Keep behavior unchanged otherwise: still warn/block based on findings, still include optional file path hint, still return same exit codes.Best single fix in
.github/hooks/scripts/secrets_leak_guard.py:else:near lines 230–235), remove construction and interpolation ofnames.No new imports, methods, or dependencies are needed.
Suggested fixes powered by Copilot Autofix. Review carefully before merging.
Note
Low Risk
Narrows hook stderr/stdout output only; detection, blocking, and exit semantics are unchanged.
Overview
Addresses code scanning alert #1655 (clear-text logging of sensitive information) in the warn-only path of
.github/hooks/scripts/secrets_leak_guard.py.The hook no longer builds or prints
names(the comma-separated list of matched secret type labels from_scan_content). Warnings stay generic: optional file path hint, same exit codes, and unchanged block vs warn behavior whenARIA_SECRETS_BLOCKis set.Reviewed by Cursor Bugbot for commit ac58800. Bugbot is set up for automated code reviews on this repo. Configure here.