What
semgrep python-logger-credential-disclosure rule flagged 6 logger calls in:
api/routers/credentials.py:66, 88, 104, 129, 145
api/routers/blockchain.py:96
The rule fires on any logger format string containing "Credential" — semgrep can't tell whether the %s arguments include credential bodies or just IDs.
What to do
For each line:
- Confirm the %s / {} arguments only log entity IDs, error types, or user-facing error messages — NOT the credential value, signature, or private key.
- If safe → add # nosemgrep: python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure with a one-line rationale.
- If unsafe (logging the body) → strip the value, log only the ID + error type.
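Added example, not code from api/routers/credentials.py: the Credential model and the two logging functions are constructed stand-ins. It puts the unsafe call the rule targets beside the reviewed form with its nosemgrep marker and rationale, and includes a check that the rendered log line carries no credential material.

```python
import io
import logging
from dataclasses import dataclass


@dataclass
class Credential:
    # Constructed stand-in; the real model in api/routers/credentials.py is not shown.
    id: str
    body: str       # sensitive: the credential payload
    signature: str  # sensitive


logger = logging.getLogger("api.routers.credentials")


def log_issue_failure_unsafe(cred, err):
    # What the rule exists to catch: "Credential" in the format string and
    # the credential body passed as a %s argument.
    logger.error("Credential issue failed for %s: %s", cred.body, err)


def log_issue_failure_safe(cred, err):
    # Only the ID and error type are logged. The format string still says
    # "Credential", so semgrep still fires; the marker records the review.
    # Rationale: %s arguments are the credential ID and the exception class only.
    logger.error(  # nosemgrep: python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure
        "Credential issue failed for id=%s (%s)", cred.id, type(err).__name__
    )


def render(fn, cred, err):
    """Run one logging call with a capturing handler and return its line."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    logger.addHandler(handler)
    logger.setLevel(logging.ERROR)
    try:
        fn(cred, err)
    finally:
        logger.removeHandler(handler)
    return buf.getvalue().strip()


def leaks_secret(line, cred):
    """True if a rendered log line contains the credential body or signature."""
    return cred.body in line or cred.signature in line
```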
Source
Owner-self code audit on 2026-05-04. Report: ~/recon/code-audit-2026-05-04/SOURCE-AUDIT-REPORT.md Section 2.