Fixed clear-text logging vulnerability (CodeQL alert #71) by removing secret key names from log messages in secrets validation.

**Alert Details:**
- Alert Number: #71
- Severity: High
- Rule: go/clear-text-logging
- Location: pkg/workflow/secrets_validation.go

**Changes Made:**
- Removed key parameter from log messages in validateSecretsExpression()
- Changed "Invalid secret expression for key %s" to "Invalid secret expression detected"
- Changed "Valid secret expression for key %s" to "Valid secret expression validated"

**Security Rationale:**
While the actual secret VALUES were never logged, CodeQL detected that secret key NAMES (e.g., "api_token", "deploy_key") from the secretKeys variable flow through to logging calls. Even key names can be sensitive as they reveal what secrets an organization uses.

**Testing:**
- All existing tests pass
- Error messages still include the key name for user feedback (via fmt.Errorf)
- Log messages now contain no sensitive information

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
pelikhan approved these changes Dec 22, 2025
Security Fix: Clear-Text Logging of Sensitive Information
Alert Number: #71
Severity: High
Rule: go/clear-text-logging
CWE: CWE-312, CWE-315, CWE-359
Vulnerability Description
CodeQL detected a security vulnerability where sensitive data (secret key names) from the secretKeys variable flows through to logging calls in the secrets validation function. While actual secret VALUES were never logged, secret key NAMES (such as "api_token", "deploy_key", "database_password") were being included in log messages, which can expose information about an organization's security infrastructure.

Data Flow Path:
- secretKeys variable in pkg/workflow/jobs.go:328 contains secret key names
- pkg/workflow/compiler_jobs.go:389 via validateSecretsExpression(key, value)
- key parameter was logged at pkg/workflow/secrets_validation.go:21 and :24
- pkg/cli/compile_orchestrator.go:586 where they're printed as JSON

Fix Applied
Removed secret key names from log messages in the validateSecretsExpression() function:

Before:
After:
Security Best Practices Applied
fmt.Errorf) for debugging, but logs do not

Testing Considerations
✅ All existing tests pass, including:
- TestValidateSecretsExpression - Core validation logic
- TestValidateSecretsExpressionErrorMessages - Verifies sensitive data NOT in errors
- TestJobsSecretsValidation - End-to-end workflow compilation with secrets

✅ Error messages still functional: Users still see helpful error messages with key names via the returned error, just not in logs
✅ No breaking changes: This is a surgical fix that only affects internal logging, not API or user-facing behavior
Impact
This fix eliminates the clear-text logging vulnerability while maintaining all existing functionality. The change is minimal and focused, affecting only two log statements in the secrets validation function.
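As an added illustration that is not the project's code, the Go snippet below puts the logging pattern CodeQL flagged (key name reaching the logger) beside the hardened form described in this PR, and captures the log output so the two can be compared. The `${{ secrets.NAME }}` expression format, the logger parameter and the `logsContainKey` helper are assumptions; the real validator's rules are not shown on this page.

```go
package main

import (
	"bytes"
	"fmt"
	"log"
	"regexp"
)

// secretExprRe accepts values of the form "${{ secrets.NAME }}".
// This format is an assumption; the project's actual rules are not on the PR page.
var secretExprRe = regexp.MustCompile(`^\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}$`)

// validateSecretsExpressionLeaky mirrors the pre-fix pattern flagged by
// go/clear-text-logging: the key name flows into the log sink.
func validateSecretsExpressionLeaky(logger *log.Logger, key, value string) error {
	if !secretExprRe.MatchString(value) {
		logger.Printf("Invalid secret expression for key %s", key) // key name leaks to logs
		return fmt.Errorf("invalid secret expression for key %q", key)
	}
	logger.Printf("Valid secret expression for key %s", key) // key name leaks to logs
	return nil
}

// validateSecretsExpression is the hardened form: the key name stays in the
// returned error for user feedback, while log lines carry no key at all.
func validateSecretsExpression(logger *log.Logger, key, value string) error {
	if !secretExprRe.MatchString(value) {
		logger.Print("Invalid secret expression detected")
		return fmt.Errorf("invalid secret expression for key %q", key)
	}
	logger.Print("Valid secret expression validated")
	return nil
}

// logsContainKey (hypothetical helper) runs fn with a logger writing to a buffer
// and reports whether the key name ended up in the captured log output.
func logsContainKey(fn func(*log.Logger, string, string) error, key, value string) (bool, error) {
	var buf bytes.Buffer
	logger := log.New(&buf, "", 0)
	err := fn(logger, key, value)
	return bytes.Contains(buf.Bytes(), []byte(key)), err
}

func main() {
	// Constructed sample input: a key name with a malformed expression.
	leaked, err := logsContainKey(validateSecretsExpressionLeaky, "deploy_key", "not-an-expression")
	fmt.Printf("leaky: key in logs=%v err=%v\n", leaked, err)
	leaked, err = logsContainKey(validateSecretsExpression, "deploy_key", "not-an-expression")
	fmt.Printf("fixed: key in logs=%v err=%v\n", leaked, err)
}
```

The captured-log check is the same property the page's TestValidateSecretsExpressionErrorMessages is said to verify, applied to the log sink rather than the error value.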