Password value logged
Part of Documentation, UX & Accessibility, which counts for 15% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
A print/log call includes a password-named field. Logging destinations are typically retained longer and read by more people than the database the password belongs to.
Why it matters
Password values written to application logs end up in whatever log aggregator, error tracker, or file storage collects them, often with weaker access control than the database itself. Anyone with log access, including third-party log vendors and support staff, can then read live user passwords. This is a common way plaintext credentials leak outside the hashing layer that was supposed to protect them.
How to fix it
Remove the password field from the log call, or replace it with a fixed redaction string like '[REDACTED]'. If the log line only needs to confirm a request happened, log a non-sensitive identifier such as the user id instead. Add the field to your logging library's redaction/scrubbing list so a future log call cannot reintroduce it by accident.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo