This rule is deprecated, and will eventually be removed.

Some logging frameworks can be configured to mask or filter confidential data from log output, but this protection must be explicitly enabled.

Why is this an issue?

When confidential information such as passwords, credit card numbers, or other sensitive user data is included in log output, it becomes accessible to anyone with access to the logs. In production environments, logs are often centralized in SIEM or Big Data repositories, significantly widening the exposure. This rule raises an issue when a logging framework such as Signale is initialized without defining a list of secrets to mask.

What is the potential impact?

Exposure of sensitive data

Log files containing confidential information may be accessed by system administrators, third-party log processors, or attackers who gain read access to log storage. This can result in the unauthorized disclosure of personal data, passwords, or payment information, leading to regulatory violations under GDPR, PCI DSS, or similar frameworks.

How to fix it

Code examples

The following code is vulnerable because the Signale logger is initialized with an empty secrets list, meaning no confidential data will be masked in log output.

Noncompliant code example

const { Signale } = require('signale');

// fetchFromWebForm() stands in for wherever the values come from; suppose
// CREDIT_CARD_NUMBERS looks like ["1234-5678-0000-9999", "1234-5678-0000-8888"].
const CREDIT_CARD_NUMBERS = fetchFromWebForm();

const options = {
  secrets: []         // empty list of secrets: nothing is masked
};

const logger = new Signale(options); // Noncompliant

CREDIT_CARD_NUMBERS.forEach(function (CREDIT_CARD_NUMBER) {
  // Each card number is written to the log output in clear text
  logger.log('The customer ordered products with the credit card number = %s', CREDIT_CARD_NUMBER);
});

Compliant solution

const { Signale } = require('signale');

// fetchFromWebForm() stands in for wherever the values come from; suppose
// CREDIT_CARD_NUMBERS looks like ["1234-5678-0000-9999", "1234-5678-0000-8888"].
const CREDIT_CARD_NUMBERS = fetchFromWebForm();

const options = {
  // Signale compiles each entry with new RegExp(secret, 'g') and replaces
  // every match in a message with "[secure]" before it is written.
  secrets: ["([0-9]{4}-?)+"]
};

const logger = new Signale(options);

CREDIT_CARD_NUMBERS.forEach(function (CREDIT_CARD_NUMBER) {
  // Logged as "... credit card number = [secure]"
  logger.log('The customer ordered products with the credit card number = %s', CREDIT_CARD_NUMBER);
});
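The following is an added example, not code from the rule or from Signale itself. It models a secrets filter in the style Signale applies (each entry compiled with `new RegExp(secret, 'g')`, every match replaced with `[secure]`) so the effect of each configuration can be seen on constructed log lines: an empty list masks nothing; the `([0-9]{4}-?)+` pattern from the compliant solution catches both hyphenated and unhyphenated card numbers but also redacts any other run of four or more digits (an order id, a year); a tighter pattern limits masking to 13 to 19 digit card-number shapes; and a literal secret is escaped so that regex metacharacters in it (here a `.`) match only themselves. The `{ pattern: ... }` convention for distinguishing patterns from literals, the helper names and the sample lines are this example's own assumptions; Signale has no such distinction and treats every entry as a pattern, so a caller passing a literal secret through Signale must escape it first.

```javascript
// Added example, not Signale's own code: a small model of a "secrets" log
// filter in the style Signale uses (each secret is compiled with
// new RegExp(secret, 'g') and every match is replaced with "[secure]").
// Unlike Signale, this model distinguishes literal secrets (plain strings,
// escaped before compiling) from patterns ({ pattern: '...' } objects).
const REDACTED = '[secure]';

// Escape regex metacharacters so a literal secret such as "sk_live_ab.12"
// only matches itself and not "sk_live_abX12".
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Build a redaction function from a secrets list. An empty list returns the
// message unchanged, which is exactly the noncompliant configuration above.
function makeSecretFilter(secrets) {
  const regexes = secrets.map((s) =>
    typeof s === 'string'
      ? new RegExp(escapeRegExp(s), 'g')
      : new RegExp(s.pattern, 'g')
  );
  return function redact(message) {
    if (regexes.length === 0) {
      return message;
    }
    return regexes.reduce((msg, re) => msg.replace(re, REDACTED), message);
  };
}

// Constructed sample log lines (the card numbers are not real).
const SAMPLE_LINES = [
  'The customer ordered products with the credit card number = 1234-5678-0000-9999',
  'Order 48213 placed at 2024-05-01 with credit card number = 1234567800008888',
];

// Runs the sample lines through four configurations and returns the results.
function demo() {
  // No secrets: the card numbers reach the log in clear text.
  const noMasking = makeSecretFilter([]);
  // The pattern from the compliant solution: catches both card formats, but
  // also redacts any other run of four or more digits (order id, year).
  const broad = makeSecretFilter([{ pattern: '([0-9]{4}-?)+' }]);
  // A tighter pattern for card numbers: 13 to 19 digits, optionally separated
  // by spaces or hyphens, anchored on word boundaries.
  const pan = makeSecretFilter([{ pattern: '\\b(?:[0-9][ -]?){12,18}[0-9]\\b' }]);
  // A literal API key (constructed value): escaped, so only the exact key is redacted.
  const literal = makeSecretFilter(['sk_live_ab.12']);
  return {
    none: SAMPLE_LINES.map(noMasking),
    broad: SAMPLE_LINES.map(broad),
    pan: SAMPLE_LINES.map(pan),
    literal: ['key=sk_live_ab.12 other=sk_live_abX12'].map(literal),
  };
}

console.log(demo());
```

Running `demo()` shows the trade-off a practitioner has to make when choosing the patterns: the broad pattern turns `Order 48213 placed at 2024-05-01` into `Order [secure]3 placed at [secure]05-01`, which both over-redacts and leaves fragments behind, while the tighter pattern leaves those fields readable and still masks the 16-digit card number. Whatever the list contains, it is a positive list: a value that matches no entry is logged as-is, so the list has to be reviewed whenever a new kind of sensitive value can reach a log call.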

Resources

Standards