Will It Vibe logoWill It Vibe?
GHA-015Medium severity-8 points

Secret printed to the build log

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A run step echoes or prints a value read from the secrets context. GitHub masks known secret strings in logs, but printing them invites transformed variants (base64, url-encoding) that defeat masking, and logs are visible to anyone with read access.

Why it matters

Echoing a secret to the log is risky even though GitHub masks known secret strings. Masking only matches the exact value, so a transformed version (base64-encoded, split, url-encoded) prints in the clear, and build logs are visible to everyone with read access and are retained. A secret that reaches stdout should be considered potentially exposed.

How to fix it

Do not print secrets. For debugging, log a boolean like "token is set" derived from whether the variable is non-empty, never the value. Pass secrets to tools through environment variables or stdin rather than command lines, and rely on the tool rather than echo.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks