Skip to content

Potential fix for code scanning alert no. 2850: Clear-text logging of sensitive information#915

Merged
Bryan-Roe merged 4 commits into
mainfrom
alert-autofix-2850
Jul 11, 2026
Merged

Potential fix for code scanning alert no. 2850: Clear-text logging of sensitive information#915
Bryan-Roe merged 4 commits into
mainfrom
alert-autofix-2850

Conversation

@Bryan-Roe

@Bryan-Roe Bryan-Roe commented Jul 11, 2026

Copy link
Copy Markdown
Owner

Potential fix for https://github.com/Bryan-Roe/Aria/security/code-scanning/2850

To fix clear-text logging risk, do not print findings content (or anything derived from it) in warning/block messages. Keep behavior the same (detect, warn/block, include optional file path), but replace detailed finding names with a non-sensitive summary such as the number of findings.

Best single fix in .github/hooks/scripts/secrets_leak_guard.py:

  • In main() around lines 222–234, replace:
    • secret_hint = f" ({', '.join(findings)})" if findings else ""
  • with:
    • finding_count_hint = f" ({len(findings)} pattern(s))" if findings else ""
  • Update both print f-strings to use finding_count_hint instead of secret_hint.

No new imports or dependencies are required.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.


Note

Low Risk
Logging-only change in a dev hook; detection and exit codes are unchanged and no credentials are written to logs.

Overview
Addresses a code-scanning alert for clear-text logging of sensitive information in .github/hooks/scripts/secrets_leak_guard.py.

When the hook blocks or warns on a possible hardcoded secret, messages no longer include the matched pattern labels from findings (e.g. joined names). They now only add a non-sensitive count: (N pattern(s)), while still optionally including the file path and the same warn/block behavior.

Removed the previous lgtm suppressions on those print lines since the logging path no longer embeds finding details.

Reviewed by Cursor Bugbot for commit b871056. Bugbot is set up for automated code reviews on this repo. Configure here.

… sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 11, 2026 08:13

Copilot AI commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

@Bryan-Roe Thanks for sending me some feedback. Unfortunately, I hit an error while trying to use the custom Copilot setup steps configured for this repository. The error I am seeing is:

no `copilot-setup-steps` job found in your `copilot-setup-steps.yml` workflow file. Please ensure you have a single job named `copilot-setup-steps`. For more details, see https://gh.io/copilot/actions-setup-steps

Once you or someone with the necessary access fixes the problem, please let me know in a comment and I'll try again. Thanks!

@cursor

cursor Bot commented Jul 11, 2026

Copy link
Copy Markdown

Bugbot couldn't run - usage limit reached

Bugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit.

A user or team admin can review and increase usage limits in the Cursor dashboard.

(requestId: serverGenReqId_701843f6-7837-4a03-a447-a28ab4c14ed0)

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Prevents secret-pattern labels from appearing in hook warning/block messages.

Changes:

  • Replaces finding names with a pattern count.
  • Preserves paths, exit codes, and warn/block behavior.


path_hint = f" in `{file_path}`" if file_path else ""
secret_hint = f" ({', '.join(findings)})" if findings else "" # lgtm[py/clear-text-logging-sensitive-data]
finding_count_hint = f" ({len(findings)} pattern(s))" if findings else ""
@Bryan-Roe Bryan-Roe marked this pull request as ready for review July 11, 2026 08:15
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@cursor

cursor Bot commented Jul 11, 2026

Copy link
Copy Markdown

Bugbot couldn't run - usage limit reached

Bugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit.

A user or team admin can review and increase usage limits in the Cursor dashboard.

(requestId: serverGenReqId_9bbebdcc-024b-46f0-ac37-4f9ecc545d96)

Copilot AI review requested due to automatic review settings July 11, 2026 08:17
@Bryan-Roe Bryan-Roe removed the request for review from Copilot July 11, 2026 08:17
Signed-off-by: Bryan <74067792+Bryan-Roe@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 11, 2026 08:20

Copilot AI commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

@Bryan-Roe Thanks for sending me some feedback. Unfortunately, I hit an error while trying to use the custom Copilot setup steps configured for this repository. The error I am seeing is:

no `copilot-setup-steps` job found in your `copilot-setup-steps.yml` workflow file. Please ensure you have a single job named `copilot-setup-steps`. For more details, see https://gh.io/copilot/actions-setup-steps

Once you or someone with the necessary access fixes the problem, please let me know in a comment and I'll try again. Thanks!

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 5 changed files in this pull request and generated 4 comments.

else:
print(
f"⚠️ SECRETS WARNING: Possible hardcoded secret detected{secret_hint}{path_hint}. " # lgtm[py/clear-text-logging-sensitive-data]
f"⚠️ SECRETS WARNING: Possible hardcoded secret detected{finding_count_hint}{path_hint}. "
Comment thread .changed_files.txt Outdated
Comment on lines 1 to 3
.github/hooks/scripts/secrets_leak_guard.py
.github/instructions/agi-provider.instructions.md
.github/instructions/ai-skills.instructions.md
Comment thread .changed_py.txt
.github/hooks/scripts/quantum_cost_gate.py
.github/hooks/scripts/requirements_security_gate.py
.github/hooks/scripts/scope_drift_guard.py
.github/hooks/scripts/secrets_leak_guard.py
Comment thread .changed_js_like.txt Outdated
web/monetization/sk-process-framework/dotnet/ProductDocumentation/README.md
web/monetization/sk-process-framework/dotnet/ProductDocumentation/product-documentation.process.yaml
web/monetization/subscription-success.html
## GitHub Copilot Chat.md
Copilot AI review requested due to automatic review settings July 11, 2026 08:25
@Bryan-Roe Bryan-Roe removed the request for review from Copilot July 11, 2026 08:25
@Bryan-Roe Bryan-Roe merged commit 79f742f into main Jul 11, 2026
2 of 8 checks passed
@Bryan-Roe Bryan-Roe deleted the alert-autofix-2850 branch July 11, 2026 08:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants