
False positive: Env var is from config, not vault, and contains the name of another env var

Open CleanCut opened this issue 5 months ago • 0 comments

Description of the false positive

This flagged for outputting the value of an environment variable to logs. Generally, that could be a problem. In this case, the env var clearly contained the name of another env var to look in for the secret. Is there a way to not flag in this situation? For example, could we determine that this environment variable came from a k8s env var (where secrets are not allowed) as opposed to from vault?

Code samples or links to source code

https://github.com/github/blackbird/blob/d5fc30382331e6f5cd03c7f8695afadeeb631075/crates/config/src/embeddings.rs#L76-L79

URL to the alert on GitHub code scanning (optional)

https://github.com/github/blackbird/security/code-scanning/5068

CleanCut, Jun 05 '25 17:06
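The pattern the issue describes, written in Rust because the linked file is Rust, as an added example that is not code from the blackbird project or the linked file: one non-secret config variable holds only the name of a second environment variable, and that second variable holds the secret. Keeping the secret in a type with a redacting Debug impl separates what is safe to log (the two names) from what is not; `Secret`, `ResolvedSecret`, the `lookup` parameter (standing in for `std::env::var`) and the `API_KEY_ENV`/`API_KEY` names are all constructed for this example.

```rust
use std::collections::HashMap;
use std::fmt;

/// Secret value whose Debug output is redacted, so `{:?}` in a log line cannot leak it.
pub struct Secret(String);

impl Secret {
    pub fn expose(&self) -> &str { &self.0 }
}

impl fmt::Debug for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { f.write_str("Secret([redacted])") }
}

/// Result of following the indirection: both names are safe to log, the value is not.
#[derive(Debug)]
pub struct ResolvedSecret {
    pub pointer_var: String,
    pub secret_var: String,
    pub value: Secret,
}

#[derive(Debug, PartialEq)]
pub enum ResolveError {
    PointerUnset(String),
    BadVarName(String), // carries the pointer's name only, never its unexpected value
    SecretUnset(String),
}

/// `pointer_var` is a non-secret config variable whose value is the *name* of the variable
/// holding the secret. `lookup` stands in for `std::env::var` so this runs offline (example assumption).
pub fn resolve_indirect_secret<F: Fn(&str) -> Option<String>>(pointer_var: &str, lookup: F) -> Result<ResolvedSecret, ResolveError> {
    let secret_var = lookup(pointer_var).ok_or_else(|| ResolveError::PointerUnset(pointer_var.to_string()))?;
    // A pointer should look like an identifier; anything else may itself be a misplaced secret, so it is never echoed.
    let is_identifier = !secret_var.is_empty()
        && secret_var.chars().all(|c| c.is_ascii_alphanumeric() || c == '_');
    if !is_identifier {
        return Err(ResolveError::BadVarName(pointer_var.to_string()));
    }
    let value = lookup(&secret_var).ok_or_else(|| ResolveError::SecretUnset(secret_var.clone()))?;
    Ok(ResolvedSecret { pointer_var: pointer_var.to_string(), secret_var, value: Secret(value) })
}

fn main() {
    // Constructed environment standing in for the real process environment.
    let env = HashMap::from([("API_KEY_ENV", "API_KEY"), ("API_KEY", "constructed-sample-key")]);
    let resolved = resolve_indirect_secret("API_KEY_ENV", |n| env.get(n).map(|v| v.to_string())).unwrap();
    println!("{resolved:?}"); // both names appear; the value prints as Secret([redacted])
}
```

The query's general concern still holds: a value read from the environment is only safe to log when the code itself establishes, as the identifier check does here, that it is a variable name rather than a credential.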