feat: B622 — Detect logging/printing of sensitive information#1386

Closed
CyberRaccoonTeam wants to merge 2 commits into PyCQA:main from CyberRaccoonTeam:feat/b622-sensitive-logging
Conversation

@CyberRaccoonTeam
Summary

Implements #1371 — adds a new Bandit plugin that detects when sensitive information is passed to logging or print calls.

What it detects

Flags calls to logging.*, print(), and pprint.* where arguments contain variable names associated with secrets:

  • password, passwd, pwd, passphrase
  • secret, api_key, apikey, api_secret, client_secret
  • token, auth_token, bearer
  • private_key, access_key, secret_key, signing_key
  • credential, database_url, db_password, encryption_key

What it does NOT flag (false positive avoidance)

  • username, user_name, total_count, elapsed, etc.
  • Generic print/logging with non-sensitive variables
  • Format strings without sensitive arguments

Test results

10 true positives detected
0 false positives on safe code

Example

import logging

# sample values so the snippet runs as written
password = "example-only"
auth_token = "example-only"
private_key = "example-only"
username = "alice"
elapsed = 0.42

# ❌ Flagged
logging.debug("Password: %s", password)
print(f"Token: {auth_token}")
logging.info("Key: %s" % private_key)

# ✅ Not flagged
logging.debug("User logged in: %s", username)
print("Hello world")
logging.info("Request completed in %s seconds", elapsed)

Files changed

  • bandit/plugins/logging_sensitive_info.py — New plugin (155 lines)
  • examples/sensitive_logging.py — Test cases
  • setup.cfg — Plugin registration

Closes #1371

Implements #1371 — flags when sensitive variable names (password, token,
api_key, private_key, etc.) are passed to logging calls or print().

Detection covers:
- logging.debug/info/warning/error calls
- print() and pprint.pprint()
- f-string interpolation with sensitive vars
- keyword arguments with sensitive names

10 test cases, 0 false positives on safe code (username, count, etc.).

CWE: CLEARTEXT_TRANSMISSION (CWE-319)
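The detection described in the PR summary and the commit message (logging.*, print() and pprint.* sinks; positional arguments, f-string interpolations, %-formatting and keyword arguments) can be reproduced with the standard ast module. The following is an added illustration written for this page, not the plugin code from the PR; the function names `_call_root`, `_names_in` and `find_sensitive_logging` and the SAMPLE source are assumptions, and the SENSITIVE set is copied from the PR's own list.

```python
import ast

# Identifier names the PR lists as sensitive (copied from the PR description).
SENSITIVE = {"password", "passwd", "pwd", "passphrase", "secret", "api_key",
             "apikey", "api_secret", "client_secret", "token", "auth_token",
             "bearer", "private_key", "access_key", "secret_key", "signing_key",
             "credential", "database_url", "db_password", "encryption_key"}
SINKS = {"print", "logging", "pprint"}  # call roots the PR says it inspects

def _call_root(func):
    # 'print' for print(...), 'logging' for logging.debug(...), 'pprint' for pprint.pprint(...)
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return func.value.id
    return None

def _names_in(node):
    # Plain identifiers anywhere under node: a bare variable, an f-string
    # interpolation (JoinedStr/FormattedValue) or a %-format BinOp operand.
    return [n.id for n in ast.walk(node) if isinstance(n, ast.Name)]

def find_sensitive_logging(source):
    """Return (lineno, identifier) for each sensitive name reaching a sink call."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or _call_root(node.func) not in SINKS:
            continue
        names = []
        for arg in node.args:
            names += _names_in(arg)
        for kw in node.keywords:
            if kw.arg is not None:  # keyword argument itself named like a secret
                names.append(kw.arg)
            names += _names_in(kw.value)
        findings += [(node.lineno, n) for n in names if n.lower() in SENSITIVE]
    return findings

# Constructed sample mirroring the PR's flagged / not-flagged cases.
SAMPLE = """import logging
password, auth_token, private_key = "x", "y", "z"
username, elapsed = "bob", 3
logging.debug("Password: %s", password)
print(f"Token: {auth_token}")
logging.info("Key: %s" % private_key)
logging.debug("User logged in: %s", username)
print("Hello world")
logging.info("Request completed in %s seconds", elapsed)
"""
```

Running `find_sensitive_logging(SAMPLE)` reports lines 4, 5 and 6 (password, auth_token, private_key) and nothing for the three safe calls; a logger obtained via `logging.getLogger(...)` is not matched by this root-name check, the same limitation the PR's description implies for `logging.*`.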
@CyberRaccoonTeam CyberRaccoonTeam closed this by deleting the head repository Apr 13, 2026
Development

Successfully merging this pull request may close these issues.

Flag logging/printing of likely sensitive information

1 participant