Add Logger with inspect security check #1069
Conversation
epinault
force-pushed
the
epinault/add-logwithinspect-check
branch
from
1476c8b
to
91f2b38
Compare
|
I don't think this is a good check to include in Credo. Why would using |
|
So this not the first company I work for where people log and inspect out of convenience a map or a config. (like kafka config and leaking Kafka Creds forgetting it s in there) Change the map(often params) later on, and then leak PII (like inspect params for a user to debug something in prod) or password accidentally. Things can also get missed in a code review, hence why credo is awesome for that. So flagging help potentially someone to not leak secure creds or PII. When those data are leaked, that becomes a big legal problem to deal with. While this might not seem useful to you, I am sure it will be for other as it s too easy to shoot yourself in the foot or want some form of safety. And would be best to be part of Credo and centralize it rather than having to have a CredoExtraCheck package as people can choose to use it or not? |
|
by the way, even if you don't want to merge this, is that the right approach? or is there a better way to do what I am trying to achieve? |
|
closing this since seems like it won t be merged |
This allows to flag logger calls with inspect in it. I am not sure if I am doing the correct way to navigate the AST but that seem to work and is fast