Will It Vibe logoWill It Vibe?
PRIVACY-001Medium severity-8 points

Password value logged

Part of Documentation, UX & Accessibility, which counts for 15% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A print/log call includes a password-named field. Logging destinations are typically retained longer and read by more people than the database the password belongs to.

Why it matters

Password values written to application logs end up in whatever log aggregator, error tracker, or file storage collects them, often with weaker access control than the database itself. Anyone with log access, including third-party log vendors and support staff, can then read live user passwords. This is a common way plaintext credentials leak outside the hashing layer that was supposed to protect them.

How to fix it

Remove the password field from the log call, or replace it with a fixed redaction string like '[REDACTED]'. If the log line only needs to confirm a request happened, log a non-sensitive identifier such as the user id instead. Add the field to your logging library's redaction/scrubbing list so a future log call cannot reintroduce it by accident.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Documentation, UX & Accessibility checks