ast/log-credential-disclosure
Logging: credential-named value passed to console / logger
What it detects
A console / logger call carries an argument whose identifier or property name is one of: password / token / secret / apiKey / accessToken / refreshToken / jwt / privateKey / authorization / credentials. Logs in Vercel / Datadog / CloudWatch are often accessible to a broader audience than the app itself, and credentials written to log lines are a frequent breach vector. Redact before logging, or simply don't log the value: log `{ userId }` instead of `{ password }`.
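One way to apply the "redact before logging" advice, shown as an added example that is not part of the rule's own code. `CREDENTIAL_KEYS`, `normalize`, `redact` and `loginEvent` are hypothetical names, and the sample event is constructed.

```javascript
// Key list copied from the rule description above. Matching here is
// case-insensitive and ignores "_" / "-" (an assumption of this helper,
// not a statement about how the rule itself matches names).
const CREDENTIAL_KEYS = new Set([
  "password", "token", "secret", "apikey", "accesstoken",
  "refreshtoken", "jwt", "privatekey", "authorization", "credentials",
]);

const normalize = (key) => key.toLowerCase().replace(/[_-]/g, "");

const isPlain = (v) => {
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
};

// Return a deep copy of `value` with credential-named properties masked.
// Plain objects and arrays are walked; any other object (Date, Error,
// class instance) is logged as its string form so its fields cannot leak.
function redact(value, seen = new Set()) {
  if (value === null || typeof value !== "object") return value;
  if (seen.has(value)) return "[Circular]";
  if (!Array.isArray(value) && !isPlain(value)) return String(value);
  seen.add(value);
  let out;
  if (Array.isArray(value)) {
    out = value.map((item) => redact(item, seen));
  } else {
    out = {};
    for (const [key, v] of Object.entries(value)) {
      out[key] = CREDENTIAL_KEYS.has(normalize(key)) ? "[REDACTED]" : redact(v, seen);
    }
  }
  seen.delete(value); // only true cycles are marked, not shared references
  return out;
}

// Constructed sample event.
const loginEvent = {
  userId: "u_1842",
  password: "hunter2",
  headers: { Authorization: "Bearer abc.def.ghi", "user-agent": "curl/8.0" },
  sessions: [{ id: 1, refresh_token: "r-123" }],
};

// Flagged shape:  console.log("login", { password: loginEvent.password });
// Redacted form:
console.log("login", redact(loginEvent));
```

The helper masks by property name only, so a secret stored under an unrelated key or embedded in a string still needs to be kept out of the log call itself.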
How it runs
Each scanned file is parsed with the TypeScript Compiler API (via ts-morph). This rule walks the AST looking for the call shape and user-input flow it describes. Files larger than 200 KB, or that fail to parse, are skipped.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.