False positive: Env var is from config, not vault, and contains the name of another env var #19681

Open
@CleanCut

Description of the false positive

This flagged for outputting the value of an environment variable to logs. Generally, that could be a problem. In this case, the env var clearly contained the name of another env var to look in for the secret. Is there a way to not flag in this situation? For example, could we determine that this environment variable came from a k8s env var (where secrets are not allowed) as opposed to from vault?

Code samples or links to source code

https://github.com/github/blackbird/blob/d5fc30382331e6f5cd03c7f8695afadeeb631075/crates/config/src/embeddings.rs#L76-L79

URL to the alert on GitHub code scanning (optional)

https://github.com/github/blackbird/security/code-scanning/5068
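The pattern the report describes, as an added example that is not code from github/blackbird or from the alert: a config value names the environment variable that holds the secret, and only that name reaches the log, while the resolved value sits in a wrapper whose `Debug` output is redacted so a log macro cannot print it by accident. The variable names, the `Secret` type, `resolve_secret` and the closure-based lookup are assumptions for illustration; the closure stands in for `std::env::var` so the block runs against a constructed environment.

```rust
use std::collections::HashMap;
use std::fmt;

/// Wrapper for a resolved secret. `Debug` prints a fixed marker, so passing the
/// value to `{:?}` in a log macro cannot leak it.
pub struct Secret(String);

impl Secret {
    /// Deliberate, greppable access to the underlying value.
    pub fn expose(&self) -> &str {
        &self.0
    }
}

impl fmt::Debug for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("Secret(<redacted>)")
    }
}

/// Look up `var_name` (a value read from config that names the variable holding
/// the secret) via `lookup`. The closure stands in for `std::env::var` so the
/// example runs offline against a constructed environment (assumption).
pub fn resolve_secret<F>(var_name: &str, lookup: F) -> Result<Secret, String>
where
    F: Fn(&str) -> Option<String>,
{
    match lookup(var_name) {
        Some(v) => Ok(Secret(v)),
        None => Err(format!("environment variable {} is not set", var_name)),
    }
}

/// Build the log line for the indirection step. Only the *name* of the variable
/// is included; it says where the secret was read from, not what it is.
pub fn describe_lookup(var_name: &str) -> String {
    format!("reading API key from env var {}", var_name)
}

fn main() {
    // Constructed environment (stands in for the real process environment).
    let env: HashMap<&str, &str> = HashMap::from([
        ("EMBEDDINGS_API_KEY_VAR", "OPENAI_API_KEY"), // set in a k8s manifest: a name, not a secret
        ("OPENAI_API_KEY", "hunter2"),                 // injected from a secret store
    ]);
    let lookup = |k: &str| env.get(k).map(|v| v.to_string());

    // Step 1: config tells us which variable to consult. Safe to log.
    let var_name = lookup("EMBEDDINGS_API_KEY_VAR").expect("config var missing");
    println!("{}", describe_lookup(&var_name));

    // Step 2: resolve the real secret; its Debug output is redacted.
    let secret = resolve_secret(&var_name, lookup).expect("secret missing");
    println!("resolved: {:?}", secret); // prints "resolved: Secret(<redacted>)"
    let _ = secret.expose(); // the only place the raw value is reachable
}
```

Keeping the raw value behind a named accessor also gives a taint-tracking query a single sink to reason about: the name flows to the logger, the `Secret` does not, and any call to `expose()` that reaches a log call is a genuine finding rather than this false positive.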
