Fix for code scanning alert no. 75: Clear-text logging of sensitive information#5612
Merged
eriknordmark merged 1 commit intomasterfrom Feb 19, 2026
Merged
Fix for code scanning alert no. 75: Clear-text logging of sensitive information#5612eriknordmark merged 1 commit intomasterfrom
eriknordmark merged 1 commit intomasterfrom
Conversation
eriknordmark
commented
Feb 18, 2026
Contributor
Author
eriknordmark
left a comment
eriknordmark
left a comment
There was a problem hiding this comment.
LGTM but @naiming-zededa can you take a look?
Contributor
|
@eriknordmark , you need to Sign-off the commit so DCO can pass.... |
eriknordmark
changed the title
…nformation Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: eriknordmark <erik@zededa.com>
eriknordmark
force-pushed
the
alert-autofix-75
branch
from
8c8e69d to
261e481
Compare
Contributor
Author
@rene Done. |
shjala
approved these changes
Feb 19, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Potential fix for https://github.com/lf-edge/eve/security/code-scanning/75
In general, sensitive values such as API keys should never be logged in clear text. If logging is needed for diagnostics, log only non-sensitive metadata (e.g., that a key exists, its length, or a partially redacted version), or omit the field entirely.
For this specific case, the minimal fix without changing behavior elsewhere is to adjust the
fmt.Printfcall on line 587 so that it no longer printsdata.ApiKeydirectly. The rest of the line (datastore type, FQDN, path, and cipher flag) can remain. A safe, low-impact approach is to replace the printed key with either a fixed placeholder (e.g.,<redacted>) or a derived, non-sensitive summary (e.g., length). Since we must not assume any new helper functions or wider context, the simplest fix is to change the format string and arguments so the key is not passed intoPrintfat all and instead a constant placeholder is shown.Concretely, in
pkg/edgeview/src/system.go, in thegetCipherfunction around lines 583–588, modify thefmt.Printfused to print datastore details so that it no longer includesdata.ApiKey. For example, change:to:
No new imports or helper methods are required.
Suggested fixes powered by Copilot Autofix. Review carefully before merging.