Was just reviewing our logs and noticed that the logs for the tuning service include full database credentials.
This is a problem because our logs are centralized and it is causing us to leak credentials.
It would be better if credentials were sanitized for logging purposes to avoid security incidents.
The logs containing credentials are specifcally the "insert statement" logs, but there may be otheres.
{
"eventTime": "2026-04-10T01:45:38.082Z",
"eventName": "log",
"eventType": "Code Related",
"eventAudience": "Internal",
"eventAudienceTeam": "",
"eventFrequency": "",
"eventLogLevel": "info",
"eventSource": {
"fogId": "",
"fogType": "",
"eventTraceId": "",
"tenantId": "d62213d2-7dda-4b14-9003-b0a407809f91",
"agentId": "",
"eventSpanId": "",
"codeLabel": "",
"issuingFunction": "openappsec.io/smartsync-tuning/internal/pkg/query.(*Adapter).InsertLog",
"issuingFile": "/app/internal/pkg/query/datatube.go",
"issuingLine": "744",
"eventId": "",
"callingService": ""
},
"eventData": {
"stateKey": "",
"eventMessage": "insert statement: INSERT INTO appsec (issuingengineversion, eventaudienceteam, serviceid, eventseverity, eventfrequency, servicename, eventtags, eventaudience, eventpriority, eventloglevel, issuingengine, eventtype, eventlevel, agentid, eventtime, eventname) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16);, db name: postgres://waftuning:**[REDACTED]**@**[REDACTED]**.rds.amazonaws.com:5432/i2datatubeschemasecurityeventlogsv03?sslmode=require",
"messageData": {}
},
"eventTags": [],
"eventPriority": "Medium",
"eventSeverity": "Info"
}
Was just reviewing our logs and noticed that the logs for the tuning service include full database credentials.
This is a problem because our logs are centralized and it is causing us to leak credentials.
It would be better if credentials were sanitized for logging purposes to avoid security incidents.
The logs containing credentials are specifcally the "insert statement" logs, but there may be otheres.