Potential fix for code scanning alert no. 2850: Clear-text logging of sensitive information#915
Conversation
… sensitive information Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com>
|
@Bryan-Roe Thanks for sending me some feedback. Unfortunately, I hit an error while trying to use the custom Copilot setup steps configured for this repository. The error I am seeing is: Once you or someone with the necessary access fixes the problem, please let me know in a comment and I'll try again. Thanks! |
Bugbot couldn't run - usage limit reachedBugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit. A user or team admin can review and increase usage limits in the Cursor dashboard. (requestId: serverGenReqId_701843f6-7837-4a03-a447-a28ab4c14ed0) |
|
|
||
| path_hint = f" in `{file_path}`" if file_path else "" | ||
| secret_hint = f" ({', '.join(findings)})" if findings else "" # lgtm[py/clear-text-logging-sensitive-data] | ||
| finding_count_hint = f" ({len(findings)} pattern(s))" if findings else "" |
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
Bugbot couldn't run - usage limit reachedBugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit. A user or team admin can review and increase usage limits in the Cursor dashboard. (requestId: serverGenReqId_9bbebdcc-024b-46f0-ac37-4f9ecc545d96) |
Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com>
|
@Bryan-Roe Thanks for sending me some feedback. Unfortunately, I hit an error while trying to use the custom Copilot setup steps configured for this repository. The error I am seeing is: Once you or someone with the necessary access fixes the problem, please let me know in a comment and I'll try again. Thanks! |
| else: | ||
| print( | ||
| f"⚠️ SECRETS WARNING: Possible hardcoded secret detected{secret_hint}{path_hint}. " # lgtm[py/clear-text-logging-sensitive-data] | ||
| f"⚠️ SECRETS WARNING: Possible hardcoded secret detected{finding_count_hint}{path_hint}. " |
| .github/hooks/scripts/secrets_leak_guard.py | ||
| .github/instructions/agi-provider.instructions.md | ||
| .github/instructions/ai-skills.instructions.md |
| .github/hooks/scripts/quantum_cost_gate.py | ||
| .github/hooks/scripts/requirements_security_gate.py | ||
| .github/hooks/scripts/scope_drift_guard.py | ||
| .github/hooks/scripts/secrets_leak_guard.py |
| web/monetization/sk-process-framework/dotnet/ProductDocumentation/README.md | ||
| web/monetization/sk-process-framework/dotnet/ProductDocumentation/product-documentation.process.yaml | ||
| web/monetization/subscription-success.html | ||
| ## GitHub Copilot Chat.md |
Potential fix for https://github.com/Bryan-Roe/Aria/security/code-scanning/2850
To fix clear-text logging risk, do not print
findingscontent (or anything derived from it) in warning/block messages. Keep behavior the same (detect, warn/block, include optional file path), but replace detailed finding names with a non-sensitive summary such as the number of findings.Best single fix in
.github/hooks/scripts/secrets_leak_guard.py:main()around lines 222–234, replace:secret_hint = f" ({', '.join(findings)})" if findings else ""finding_count_hint = f" ({len(findings)} pattern(s))" if findings else ""finding_count_hintinstead ofsecret_hint.No new imports or dependencies are required.
Suggested fixes powered by Copilot Autofix. Review carefully before merging.
Note
Low Risk
Logging-only change in a dev hook; detection and exit codes are unchanged and no credentials are written to logs.
Overview
Addresses a code-scanning alert for clear-text logging of sensitive information in
.github/hooks/scripts/secrets_leak_guard.py.When the hook blocks or warns on a possible hardcoded secret, messages no longer include the matched pattern labels from
findings(e.g. joined names). They now only add a non-sensitive count:(N pattern(s)), while still optionally including the file path and the same warn/block behavior.Removed the previous
lgtmsuppressions on those print lines since the logging path no longer embeds finding details.Reviewed by Cursor Bugbot for commit b871056. Bugbot is set up for automated code reviews on this repo. Configure here.