fix(sdk): mute HPACK library logs to prevent token leakage (#10014)

Co-authored-by: Hugo Pereira Brito <101209179+HugoPBrito@users.noreply.github.com>
2026-03-22 03:08:23 +00:00 · 2026-02-11 11:15:08 +01:00
parent 6bba654059
commit 366f10cf0c
5 changed files with 14 additions and 2 deletions
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -7,6 +7,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 ### 🐞 Fixed

 - `--repository` and `--organization` flags combined interaction in GitHub provider, qualifying unqualified repository names with organization [(#10001)](https://github.com/prowler-cloud/prowler/pull/10001)
+- HPACK library logging tokens in debug mode for Azure, M365, and Cloudflare providers [(#10010)](https://github.com/prowler-cloud/prowler/pull/10010)

 ---

--- a/prowler/providers/azure/azure_provider.py
+++ b/prowler/providers/azure/azure_provider.py
@@ -1,4 +1,5 @@
 import asyncio
+import logging
 import os
 import re
 from argparse import ArgumentTypeError
@@ -217,6 +218,9 @@ class AzureProvider(Provider):
        """
        logger.info("Setting Azure provider ...")

+        # Mute HPACK library logs to prevent token leakage in debug mode
+        logging.getLogger("hpack").setLevel(logging.CRITICAL)
+
        logger.info("Checking if any credentials mode is set ...")

        # Validate the authentication arguments
--- a/prowler/providers/cloudflare/cloudflare_provider.py
+++ b/prowler/providers/cloudflare/cloudflare_provider.py
@@ -1,3 +1,4 @@
+import logging
 import os
 from typing import Iterable

@@ -55,6 +56,9 @@ class CloudflareProvider(Provider):
    ):
        logger.info("Instantiating Cloudflare provider...")

+        # Mute HPACK library logs to prevent token leakage in debug mode
+        logging.getLogger("hpack").setLevel(logging.CRITICAL)
+
        if config_content:
            self._audit_config = config_content
        else:
--- a/prowler/providers/github/github_provider.py
+++ b/prowler/providers/github/github_provider.py
@@ -1,3 +1,4 @@
+import logging
 import os
 from os import environ
 from typing import Union
@@ -134,8 +135,6 @@ class GithubProvider(Provider):
        logger.info("Instantiating GitHub Provider...")

        # Mute GitHub library logs to reduce noise since it is already handled by the Prowler logger
-        import logging
-
        logging.getLogger("github").setLevel(logging.CRITICAL)
        logging.getLogger("github.GithubRetry").setLevel(logging.CRITICAL)

--- a/prowler/providers/m365/m365_provider.py
+++ b/prowler/providers/m365/m365_provider.py
@@ -1,5 +1,6 @@
 import asyncio
 import base64
+import logging
 import os
 from argparse import ArgumentTypeError
 from os import getenv
@@ -157,6 +158,9 @@ class M365Provider(Provider):
        """
        logger.info("Setting M365 provider ...")

+        # Mute HPACK library logs to prevent token leakage in debug mode
+        logging.getLogger("hpack").setLevel(logging.CRITICAL)
+
        logger.info("Checking if any credentials mode is set ...")

        # Validate the authentication arguments