no-pii-in-logs

Prevent PII in console logs

Error Message Format

The rule provides LLM-optimized error messages (Compact 2-line format) with actionable security guidance:

⚠️ CWE-532 OWASP:A09 CVSS:5.3 | Log Information Exposure detected | MEDIUM [GDPR,HIPAA,PCI-DSS,SOC2]
   Fix: Review and apply the recommended fix | https://owasp.org/Top10/A09_2021/

Message Components

| Component | Purpose | Example |
| --- | --- | --- |
| Risk Standards | Security benchmarks | CWE-532 OWASP:A09 CVSS:5.3 |
| Issue Description | Specific vulnerability | Log Information Exposure detected |
| Severity & Compliance | Impact assessment | MEDIUM [GDPR,HIPAA,PCI-DSS,SOC2] |
| Fix Instruction | Actionable remediation | Follow the remediation steps below |
| Technical Truth | Official reference | OWASP Top 10 |

Rule Details

This rule prevents PII from being written to console logs.

OWASP Mobile Top 10: M6
CWE: CWE-532
Severity: error

Examples

❌ Incorrect

console.log('User email:', user.email)

console.log({ email: user.email, name: user.name })

✅ Correct

console.log('User logged in')

console.log('Transaction count:', count)

When Not To Use It

This rule should be enabled for all mobile and web applications to ensure security best practices.

Known False Negatives

The following patterns are not detected due to static analysis limitations:

Values from Variables

Why: Values stored in variables are not traced.

// ❌ NOT DETECTED - Value from variable
const value = userInput;
dangerousOperation(value);

Mitigation: Validate all user inputs.

Wrapper Functions

Why: Custom wrappers not recognized.

// ❌ NOT DETECTED - Wrapper
myWrapper(userInput); // Uses dangerous API internally

Mitigation: Apply rule to wrapper implementations.

Dynamic Invocation

Why: Dynamic calls not analyzed.

// ❌ NOT DETECTED - Dynamic
obj[method](userInput);

Mitigation: Avoid dynamic method invocation.
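
The three false-negative shapes above all still pass through the log sink at runtime, so a redacting logger can serve as a second layer behind the lint rule. The following is an added example, not code from the plugin; `redact`, `safeLogger`, `PII_KEYS` and `EMAIL_RE` are hypothetical names, and the key list and e-mail pattern are assumptions.

```javascript
// Added example: redaction at the logging sink (not part of the plugin).
// PII_KEYS and EMAIL_RE are assumptions; extend them for your data model.
const PII_KEYS = new Set(['email', 'name', 'phone', 'ssn', 'address', 'password']);
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// Return a redacted copy: PII-named keys are masked, e-mail-shaped strings scrubbed.
function redact(value, ancestors = new WeakSet()) {
  if (typeof value === 'string') return value.replace(EMAIL_RE, '[REDACTED_EMAIL]');
  if (value === null || typeof value !== 'object') return value;
  if (value instanceof Error) return redact(`${value.name}: ${value.message}`);
  if (ancestors.has(value)) return '[Circular]';
  ancestors.add(value);
  const out = Array.isArray(value) ? [] : {};
  for (const [key, v] of Object.entries(value)) {
    out[key] = PII_KEYS.has(key.toLowerCase()) ? '[REDACTED]' : redact(v, ancestors);
  }
  ancestors.delete(value);
  return out;
}

// Wrap a console-like sink so every method redacts its arguments first.
function safeLogger(sink = console) {
  const wrap = (method) => (...args) => sink[method](...args.map((a) => redact(a)));
  return { log: wrap('log'), info: wrap('info'), warn: wrap('warn'), error: wrap('error') };
}

// Constructed sample data exercising the three false-negative shapes.
function demo() {
  const lines = [];
  const sink = { log: (...a) => lines.push(a), info() {}, warn() {}, error() {} };
  const logger = safeLogger(sink);
  const user = { id: 7, email: 'alice@example.com', name: 'Alice' };

  const value = user.email;                          // value from a variable
  logger.log('User email:', value);
  const myWrapper = (u) => logger.log({ user: u });  // wrapper function
  myWrapper(user);
  const method = 'log';                              // dynamic invocation
  logger[method]('contact', [user.email]);
  return lines;
}

console.log(demo());
```

Key-name and pattern matching only catches PII it has been told about, so this complements the lint rule rather than replacing it.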

Further Reading

  • See other mobile security rules in this plugin

Category: Mobile Security
Type: Problem
Recommended: Yes
