[fix] Redact secret value from validation error messages #917
Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 1 commit into main on May 29, 2026
Conversation
Pull request overview
Redacts secret values from validation error messages stored in SARIF output, preventing leakage via HttpError URLs or UnknownResponseType body prefixes.
Changes:
- Replaced the `From<&MatchStatus>` impl with `SecretValidationStatus::from(status, match_value)`, taking the matched secret.
- Added a `redact_secret` helper applied to `HttpError.message` and `UnknownResponseType.body_prefix`.
- Updated the caller in `scanner.rs` to pass `sds_match.match_value`.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| crates/secrets/src/model/secret_result.rs | Adds redaction helper and threads match_value into validation status conversion. |
| crates/secrets/src/scanner.rs | Passes the matched secret value to the new constructor. |
Validation error messages could include the secret being validated:
- HttpError messages from reqwest include the full validation URL, which may contain the secret as a query parameter.
- UnknownResponseType messages included body_prefix, which may echo the secret back from the validation endpoint response.

Replace the matched secret value with [REDACTED] in both error message types.
Force-pushed from 80bb09e to 64c0f4c
juli1 approved these changes on May 29, 2026
Merged commit ec3ed0f into main. 93 of 108 checks passed.
What

Validation error messages stored in the SARIF output could include the secret being validated:
- `HttpError` messages from reqwest include the full validation URL, which may contain the secret as a query parameter.
- `UnknownResponseType` messages included `body_prefix` (first bytes of the response body), which may echo the secret back from the validation endpoint.

Why

Logging these messages verbatim leaks the secret. Even outside of logs, the messages end up in the SARIF `datadogSecretValidationErrors` property, which downstream consumers may log or store.

How

Added a `redact_secret(message, secret)` helper that replaces the matched secret value with `[REDACTED]`. The `SecretValidationStatus::from(status, secret)` constructor now takes the matched value (already available via `match_value` on `RuleMatch`) and applies redaction to both error message types before storing them.
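The following is an added example, not code from this PR or from the project, illustrating the redaction described in the commit message and in the description above. It assumes a free function `redact_secret`, a `percent_encode` helper, an enum `ValidationError` with the two variants named on the page, and constructed sample messages; none of these are the project's own types. It goes beyond the PR in two places a practitioner would want to check: a secret with characters such as `/` or `+` shows up percent-encoded in the URL that reqwest puts in its error text, so a plain substring replace of the raw value misses it, and an empty match must never be redacted because `str::replace("")` would insert the marker between every character.

```rust
// Added example (not the project's code). Names, types and sample
// messages below are assumptions made for illustration.

const REDACTED: &str = "[REDACTED]";

/// Percent-encode `s` the way a URL query parameter would be encoded,
/// leaving RFC 3986 unreserved characters untouched. Used so that the
/// encoded form of a secret inside a URL is recognised as well.
pub fn percent_encode(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for b in s.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' | b'.' | b'~' => {
                out.push(b as char)
            }
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Replace every occurrence of `secret`, raw or percent-encoded, in `message`.
/// An empty secret is returned unchanged: replacing "" would corrupt the
/// message, and an empty match value is not a secret to begin with.
pub fn redact_secret(message: &str, secret: &str) -> String {
    if secret.is_empty() {
        return message.to_string();
    }
    let mut out = message.replace(secret, REDACTED);
    let encoded = percent_encode(secret);
    if encoded != secret {
        out = out.replace(&encoded, REDACTED);
    }
    out
}

/// The two error shapes the fix is concerned with (assumed definitions).
#[derive(Debug, Clone, PartialEq)]
pub enum ValidationError {
    HttpError { message: String },
    UnknownResponseType { status: u16, body_prefix: String },
}

impl ValidationError {
    /// Redact the secret from every field that may carry it, before the
    /// error is stored anywhere (SARIF properties, logs, ...).
    pub fn redacted(self, secret: &str) -> Self {
        match self {
            ValidationError::HttpError { message } => ValidationError::HttpError {
                message: redact_secret(&message, secret),
            },
            ValidationError::UnknownResponseType { status, body_prefix } => {
                ValidationError::UnknownResponseType {
                    status,
                    body_prefix: redact_secret(&body_prefix, secret),
                }
            }
        }
    }
}

fn main() {
    // Constructed sample: a secret containing characters a URL encoder escapes.
    let secret = "sk_live/abc+123";
    let http = ValidationError::HttpError {
        message: format!(
            "error sending request for url (https://api.example.com/validate?token={})",
            percent_encode(secret)
        ),
    };
    let body = ValidationError::UnknownResponseType {
        status: 200,
        body_prefix: format!("{{\"token\":\"{}\",\"valid\":false}}", secret),
    };
    println!("{:?}", http.redacted(secret));
    println!("{:?}", body.redacted(secret));
}
```

Both the raw and the percent-encoded forms are replaced, so a message that carries the secret in the request URL ends up as `...validate?token=[REDACTED]`. A case-insensitive or base64-encoded echo of the secret by the validation endpoint is not covered here; if a validator is known to transform the value, add that form to the list of strings to replace.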