Plugin: lambda-securityRules
no-env-logging
ESLint rule documentation for no-env-logging
📡 Live from GitHub — This documentation is fetched directly from no-env-logging.md and cached for 6 hours.
Keywords: logging, process.env, secrets, CloudWatch, CWE-532, Lambda, serverless CWE: CWE-532
OWASP: A09:2021-Security Logging and Monitoring Failures
Detect logging of process.env which may expose secrets
Detects logging of process.env which may expose API keys, passwords, and tokens in CloudWatch logs. This rule is part of eslint-plugin-lambda-security and provides LLM-optimized error messages.
🚨 Security rule | 💡 Provides suggestions | ⚠️ Set to error in recommended
Quick Summary
| Aspect | Details |
|---|---|
| CWE Reference | CWE-532 (Info in Logs) |
| Severity | High (secret exposure) |
| Auto-Fix | 💡 Suggests specific variable logging |
| Category | Security |
| Best For | Lambda functions with any logging |
Vulnerability and Risk
Vulnerability: Logging process.env or JSON.stringify(process.env) exposes all environment variables, including secrets like API keys, database passwords, and authentication tokens.
Risk: CloudWatch logs may be:
- Accessed by developers with broad permissions
- Exported to third-party logging services
- Included in error reports and support tickets
- Retained long-term, increasing exposure window
Rule Details
This rule detects:
console.log(process.env)- logging entire env objectJSON.stringify(process.env)- serializing all env vars- Template literals containing
process.env
Why This Matters
| Risk | Impact | Solution |
|---|---|---|
| 🔑 Secret Exposure | API keys, passwords leaked | Log specific non-secret values |
| 📊 Log Aggregation | Secrets sent to external services | Filter sensitive data |
| 👥 Access Control | Developers see production secrets | Use secrets manager instead |
Configuration
| Option | Type | Default | Description |
|---|---|---|---|
allowInTests | boolean | true | Allow in test files |
{
rules: {
'lambda-security/no-env-logging': ['error', {
allowInTests: true
}]
}
}Examples
❌ Incorrect
export const handler = async (event) => {
// Logging entire env object
console.log('Environment:', process.env); // ❌ Exposes all secrets
console.log('Config:', JSON.stringify(process.env)); // ❌ Same issue
console.log(`Starting with env: ${process.env}`); // ❌ Template literal
// Debugging that exposes secrets
logger.debug({ env: process.env }); // ❌ Structured log with secrets
};✅ Correct
export const handler = async (event, context) => {
// Log only specific, non-sensitive values
console.log('Starting handler', {
region: process.env.AWS_REGION, // ✅ Non-sensitive
version: process.env.APP_VERSION, // ✅ Non-sensitive
requestId: context.awsRequestId, // ✅ Non-sensitive
});
// Never log these:
// process.env.DATABASE_PASSWORD
// process.env.API_KEY
// process.env.JWT_SECRET
// process.env.ENCRYPTION_KEY
};
// Better: Use AWS Secrets Manager
import {
SecretsManagerClient,
GetSecretValueCommand,
} from '@aws-sdk/client-secrets-manager';
const client = new SecretsManagerClient({});
async function getSecret(secretName: string) {
const response = await client.send(
new GetSecretValueCommand({ SecretId: secretName }),
);
return JSON.parse(response.SecretString!);
}
export const handler = async (event) => {
const secrets = await getSecret('my-app/prod');
// Secrets are never in env vars, can't be accidentally logged
};Common Sensitive Environment Variables
| Variable Pattern | Contains | Risk Level |
|---|---|---|
*_PASSWORD | Database passwords | Critical |
*_SECRET | Encryption/signing secrets | Critical |
*_KEY | API keys | Critical |
*_TOKEN | Auth tokens | Critical |
DATABASE_URL | Connection strings | Critical |
JWT_SECRET | JWT signing key | Critical |
AWS_ACCESS_KEY_ID | AWS credentials | Critical |
AWS_SECRET_ACCESS_KEY | AWS credentials | Critical |
Safe Logging Pattern
// Create a safe subset for logging
const safeEnvForLogging = {
NODE_ENV: process.env.NODE_ENV,
AWS_REGION: process.env.AWS_REGION,
LOG_LEVEL: process.env.LOG_LEVEL,
APP_VERSION: process.env.APP_VERSION,
};
console.log('Environment config:', safeEnvForLogging); // ✅ SafeSecurity Impact
| Vulnerability | CWE | OWASP | CVSS | Impact |
|---|---|---|---|---|
| Sensitive Data in Logs | 532 | A09:2021 | 7.5 High | Credential exposure |
| Info Disclosure | 200 | A01:2021 | 5.3 Medium | Configuration leak |
Related Rules
no-exposed-error-details- Don't expose error detailsno-hardcoded-credentials-sdk- No hardcoded secrets
Further Reading
- CWE-532: Sensitive Info in Logs - Official CWE entry
- AWS Secrets Manager - Secure secret storage
- Lambda Environment Variables - AWS documentation