Secret-shaped value written to console/debug output
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
Console.WriteLine, Debug.WriteLine, or Trace.WriteLine prints an argument whose name looks like a password, token, API key, or client secret. Console and debug output routinely end up in log aggregators, crash reports, or CI logs.
Why it matters
Printing a variable whose name reads as a password, token, API key, or client secret to Console, Debug, or Trace output puts that value somewhere it almost certainly should not be: terminal scrollback, a debug log file, or a log aggregator that many people can search. Secrets that leak this way tend to sit in log retention for months, far longer than anyone intended.
How to fix it
Remove the secret from the printed message entirely, or replace it with a redacted placeholder (log that a token was received, not the token itself). If you need the value for local debugging, gate it behind a conditional compilation symbol or a debug-only flag that is never enabled in a deployed environment, and never rely on a person remembering to remove it later.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo