Prompt
Never log or store sensitive information (passwords, tokens, secrets) in clear text. This common security vulnerability can lead to credential leaks and unauthorized access.
When logging:
- Remove sensitive data from logs entirely
- If logging is necessary, hash or mask the sensitive values
- Use specialized logging frameworks that automatically redact sensitive fields
For example, instead of:
logging.info(f"cloning {git_url} to {clone_dir}") # git_url may contain credentials
Use:
# Extract and mask sensitive parts
safe_url = git_url if '@' not in git_url else git_url.split('@')[1]
logging.info(f"cloning {safe_url} to {clone_dir}")
When handling secrets:
- Never store secrets in clear text variables
- Use environment variables or dedicated secret management services
- Implement proper filtering for references to vault secrets
- Add validation to prevent accidental logging of secrets
Remember that exposing sensitive data in logs is a common finding in security audits and can lead to significant security breaches. Consistently audit your code for instances of clear-text logging or storage of sensitive information.