From 6b3666f3ff2ff1004852e9452dfc617f85463256 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Mon, 22 Dec 2025 08:11:50 +0000
Subject: [PATCH] Security fix: Remove sensitive key names from log messages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixed clear-text logging vulnerability (CodeQL alert #71) by removing secret key names from log messages in secrets validation.
**Alert Details:**
- Alert Number: #71
- Severity: High
- Rule: go/clear-text-logging
- Location: pkg/workflow/secrets_validation.go
**Changes Made:**
- Removed key parameter from log messages in validateSecretsExpression()
- Changed "Invalid secret expression for key %s" to "Invalid secret expression detected"
- Changed "Valid secret expression for key %s" to "Valid secret expression validated"
**Security Rationale:**
While the actual secret VALUES were never logged, CodeQL detected that secret key NAMES (e.g., "api_token", "deploy_key") from the secretKeys variable flow through to logging calls. Even key names can be sensitive as they reveal what secrets an organization uses.
**Testing:**
- All existing tests pass
- Error messages still include the key name for user feedback (via fmt.Errorf)
- Log messages now contain no sensitive information
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5
---
pkg/workflow/secrets_validation.go | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkg/workflow/secrets_validation.go b/pkg/workflow/secrets_validation.go
index 7aaacba9fa..28ebdc4116 100644
--- a/pkg/workflow/secrets_validation.go
+++ b/pkg/workflow/secrets_validation.go
@@ -18,9 +18,9 @@ var secretsExpressionPattern = regexp.MustCompile(`^\$\{\{\s*secrets\.[A-Za-z_][
 // Returns an error if the value is not in the format: ${{ secrets.NAME }} or ${{ secrets.NAME || secrets.NAME2 }}
 func validateSecretsExpression(key, value string) error {
 if !secretsExpressionPattern.MatchString(value) {
- secretsValidationLog.Printf("Invalid secret expression for key %s", key)
+ secretsValidationLog.Printf("Invalid secret expression detected")
 return fmt.Errorf("jobs.secrets.%s must be a GitHub Actions expression with secrets reference (e.g., '${{ secrets.MY_SECRET }}' or '${{ secrets.SECRET1 || secrets.SECRET2 }}')", key)
 }
- secretsValidationLog.Printf("Valid secret expression for key %s", key)
+ secretsValidationLog.Printf("Valid secret expression validated")
 return nil
 }
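Review bot: The key name still reaches logs through the error returned on the line after the first added log call, `fmt.Errorf("jobs.secrets.%s must be ...", key)`, so any caller that logs that error (the usual handling for a validation failure) reintroduces the exact flow this commit removes from `secretsValidationLog.Printf`; the function is now inconsistent about whether `key` is sensitive, and a taint-tracking rule will most likely flag the error-logging site next. Either decide that the name is not sensitive, since it is the workflow author's own `jobs.secrets` entry rather than the referenced secret, and keep the original messages, or keep it out of the error as well and surface it through a field the caller can redact. Minor: both `Printf` calls now take a constant string with no verbs, so `secretsValidationLog.Print("Invalid secret expression detected")` reads cleaner, and the success-path line now conveys nothing at all; consider dropping it and logging once at the caller with a count of validated entries. The enclosing function is complete within this hunk.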