by tmlb 1483 days ago
I've worked on a service that handled credentials where we added tests like this to try to catch if a log statement gets added containing the username/password. We used a few end-to-end tests rather than attempting to include something like this in the unit tests for every function.

Our tests would set up the app's full context, get a hook into the logging framework to watch for log statements, then make requests to the service containing a set of dummy credentials, like { username: "foo", password: "bar" }. If a log statement containing "foo" or "bar" was detected the test failed.

It's not going to catch every type of issue, but at least some potential footguns can be prevented this way.

1 comment

That gives me an idea. Create a decorator or otherwise wrap the logging function as you build the app's test context, and feed it a list of sensitive strings you want to detect. Then each time the logger is called, have it assert that none of those strings are within the log message.

This way it would blow up on the test that is leaking the credential so you could track it right down and it would transparently apply to all current and future unit tests without any more effort.
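The wrapper both comments describe, as an added example that is neither poster's code: a Python `logging` handler installed on the root logger for the duration of a test, fed the dummy credentials, that raises the moment any log record from any logger (including %-interpolated arguments) contains one of them. `careless_login` and `careful_login` are constructed stand-ins for an application's login path.

```python
import logging
from contextlib import contextmanager


class CredentialLeak(AssertionError):
    """Raised by the watch handler the moment a watched secret is logged."""


class SecretWatchHandler(logging.Handler):
    """Fails the test as soon as any watched secret appears in a log record."""

    def __init__(self, secrets):
        super().__init__(level=logging.DEBUG)
        self.secrets = [s for s in secrets if s]
        self.leaks = []  # (logger name, formatted message) for every leak seen

    def emit(self, record):
        # getMessage() applies %-style args, so interpolated values are inspected too.
        message = record.getMessage()
        hit = [s for s in self.secrets if s in message]
        if hit:
            self.leaks.append((record.name, message))
            raise CredentialLeak(f"logger {record.name!r} leaked {hit!r}: {message!r}")


@contextmanager
def watch_secrets(secrets):
    """Attach the handler to the root logger while a test body runs."""
    root = logging.getLogger()
    handler = SecretWatchHandler(secrets)
    old_level = root.level
    root.setLevel(logging.DEBUG)  # debug-level statements must be inspected as well
    root.addHandler(handler)
    try:
        yield handler
    finally:
        root.removeHandler(handler)
        root.setLevel(old_level)


def logs_leak(log_fn, secrets):
    """Return True if calling log_fn() writes any of `secrets` to a logger."""
    with watch_secrets(secrets):
        try:
            log_fn()
        except CredentialLeak:
            return True
    return False


# Constructed stand-ins for an app's login path: one leaks, one does not.
def careless_login(username, password):
    logging.getLogger("app.auth").debug("login user=%s pass=%s", username, password)


def careful_login(username, password):
    logging.getLogger("app.auth").info("login attempt received")
```

Because the handler sits on the root logger it sees every propagating logger, so the check applies to all current and future tests without touching them; a secret that reaches a log only after encoding (base64, URL-encoding) is not matched by this plain substring test.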