# Sensitive Data in Logging

- ID: python-sensitive-data-logging
- Severity: HIGH
- CWE: Information Exposure Through Logs (CWE-532)
- Languages: Python

## Description

Detects logging of sensitive data such as passwords, API keys, tokens, credit card numbers, or other authentication credentials. Sensitive data written to logs can be exposed through log files, monitoring systems, or error-tracking services.

## Remediation

Redact sensitive fields before logging; log actions and usernames, not credentials.

```python
import logging

logger = logging.getLogger(__name__)

# Keys whose values must never reach a log record
SENSITIVE = {'password', 'token', 'api_key', 'secret'}


def sanitize(data):
    """Return a copy of a dict with the values of sensitive keys masked."""
    return {k: '***' if k in SENSITIVE else v for k, v in data.items()}


def login(username, password):
    # Log the username, never the password
    logger.info("Login attempt for: %s", username)
    # authenticate() is the application's own credential check, defined elsewhere
    authenticate(username, password)
```

Learn more: https://shoulder.dev/learn/python/cwe-532/sensitive-data-logging

## Related Rules

- **Logging Sensitive Data** [MEDIUM]:
- **Sensitive Data Exposure in Logs** [MEDIUM]:
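A filter-based form of the same remediation, added here as an example and not the rule's own code: a `logging.Filter` attached to the logger masks sensitive keys in structured arguments (including nested dicts and `%(name)s` mappings) and `key=value` / `key: value` pairs in free text before any handler formats the record, so file, console and remote sinks are all covered. The logger name `redact.demo` and the helper names are assumptions.

```python
import io
import logging
import re

# Keys whose values are masked wherever they appear in log data
SENSITIVE_KEYS = {'password', 'token', 'api_key', 'secret', 'authorization'}
# Best-effort net for free-text "password=..." / "token: ..." pairs; it stops at
# the first whitespace, so structured data should go through sanitize() instead.
_KV_RE = re.compile(r'(?i)\b(' + '|'.join(sorted(SENSITIVE_KEYS)) + r')\b(\s*[=:]\s*)(\S+)')


def sanitize(data):
    """Recursively mask values of sensitive keys; lists and tuples are walked."""
    if isinstance(data, dict):
        return {k: '***' if str(k).lower() in SENSITIVE_KEYS else sanitize(v)
                for k, v in data.items()}
    if isinstance(data, (list, tuple)):
        return type(data)(sanitize(v) for v in data)
    return data


def redact_text(text):
    """Mask the value half of key=value / key: value pairs for sensitive keys."""
    return _KV_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}***", text)


class RedactingFilter(logging.Filter):
    """Rewrites each record before any handler formats it, so every sink is covered."""
    def filter(self, record):
        args = record.args
        if isinstance(args, dict):          # logger.info("%(password)s", {...})
            args = sanitize(args)
        elif args:                          # positional args, possibly dicts
            args = tuple(sanitize(a) for a in args)
        record.args = args
        # Format first, then redact, so placeholders and values are handled together
        record.msg = redact_text(record.getMessage())
        record.args = None
        return True


def log_and_capture(msg, *args):
    """Send one message through a logger wearing RedactingFilter; return the line."""
    buf = io.StringIO()                         # constructed in-memory sink
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger("redact.demo")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers[:] = [handler]              # replace, so repeated calls stay clean
    logger.filters[:] = [RedactingFilter()]
    logger.info(msg, *args)
    return buf.getvalue().rstrip("\n")
```

The regex path is only a safety net for unstructured messages (a value containing spaces, such as a bearer header, is only partially masked); pass credentials as dict fields so `sanitize()` handles them deterministically.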