Never log or store sensitive information (passwords, tokens, secrets) in clear text. Clear-text logging and storage is a common security weakness that leads to credential leaks and unauthorized access.
When logging:
For example, instead of:
logging.info(f"cloning {git_url} to {clone_dir}") # git_url may contain credentials
Use:
import logging

# Mask the credential part of the URL before logging it. Split on the LAST '@'
# so that a password containing '@' is not partially leaked.
safe_url = git_url if '@' not in git_url else git_url.rsplit('@', 1)[1]
logging.info(f"cloning {safe_url} to {clone_dir}")
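A more robust version of the masking above, added here as an example (not the page's own code): it redacts the userinfo of any URL with urllib.parse so that passwords containing '@' and tokens placed in the username position are handled, and it installs a logging filter so every record is scrubbed regardless of which call site forgot to mask. The token value and repository URL are constructed placeholders.

```python
import logging
import re
from urllib.parse import urlsplit, urlunsplit

# Added example: redact credentials from URLs before they reach the log.
# urlsplit() takes the LAST '@' in the authority as the userinfo separator,
# so passwords that contain '@' are handled, unlike a naive split('@')[1].
_URL_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://[^\s'\"<>]+")
_REDACTED = "***"


def redact_url(url: str) -> str:
    """Replace any userinfo (user[:password]@) in url with '***'.
    The username is redacted too, since tokens are often passed there."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url
    host = parts.netloc.rpartition("@")[2]  # host[:port], brackets preserved
    return urlunsplit((parts.scheme, f"{_REDACTED}@{host}",
                       parts.path, parts.query, parts.fragment))


def redact_text(text: str) -> str:
    """Redact credentials in every URL found in a free-form message."""
    return _URL_RE.sub(lambda m: redact_url(m.group(0)), text)


class RedactUrlCredentials(logging.Filter):
    """Logging filter that scrubs URL credentials from every record.
    Attach it to the handler so it runs regardless of which logger emits."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(record.getMessage())
        record.args = ()  # message is fully rendered now
        return True


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(RedactUrlCredentials())
    logging.basicConfig(level=logging.INFO, handlers=[handler])
    # Constructed sample; the token is a placeholder, not a real credential.
    git_url = "https://x-access-token:ghp_EXAMPLE@github.com/org/repo.git"
    logging.info("cloning %s to %s", git_url, "/tmp/repo")
    # prints: INFO:root:cloning https://***@github.com/org/repo.git to /tmp/repo
```

Attaching the filter to the handler rather than to one logger means records from third-party libraries that log the full URL are scrubbed as well.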
When handling secrets:
Remember that exposing sensitive data in logs is a common finding in security audits and can lead to significant breaches. Audit your code regularly for instances of clear-text logging or storage of sensitive information.