Will It Vibe logoWill It Vibe?
PRIVACY-002Medium severity-8 points

Auth secret or token value logged

Part of Documentation, UX & Accessibility, which counts for 15% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A print/log call includes an API key, secret, or token-named field. Unlike a password these credentials usually cannot be re-hashed after a leak, only revoked and reissued.

Why it matters

Logging an API key, access token, or client secret puts a live credential into log storage, which is usually retained for weeks and often shipped to a third-party log or observability vendor. Anyone who can search those logs, including support staff debugging an unrelated ticket, can lift the credential and use it directly. Unlike a password, most of these credentials cannot be re-hashed after the fact, so the only fix once one leaks is to revoke and reissue it.

How to fix it

Remove the token/key/secret value from the log call and log a non-sensitive marker instead, such as a truncated last-4 or a boolean indicating whether it was present. Configure your logging library to redact fields named token, secret, and apiKey by default so future call sites are protected automatically. Rotate any credential that has already been logged, since it must be treated as exposed.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Documentation, UX & Accessibility checks