demo(05-pii-logging): 05 — PII logged in payment success path#154
See scenarios/05-pii-logging/README.md for the expected verdict.
| if (result.Success) | ||
| { | ||
| order.MarkPaid(_clock.UtcNow); | ||
| _logger.LogInformation("Charged customer email={Email} amount={Amount} currency={Currency} order={OrderId}", order.Customer.Email, priced.Total.Amount, priced.Total.Currency, order.Id); |
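Review bot: The `{Email}` placeholder and its `order.Customer.Email` argument should come out of this LogInformation call; the same line already carries `order={OrderId}`, so the log stays correlatable without the address and nothing the analytics rollout needs is lost. If a customer-level key is genuinely required, pass an internal customer id or a keyed hash of the address rather than the raw value, e.g. `"Charged customer order={OrderId} amount={Amount} currency={Currency}"`. Separately, decide whether `priced.Total.Amount` belongs at Information level at all, since the same sinks that retain the email retain the charge amount.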
GCI0029 — PII Entity Logging Leak
PII term 'email' found in log call — may expose sensitive data in src/OrderService/Processing/OrderProcessor.cs.
Evidence:
Line 50: _logger.LogInformation("Charged customer email={Email} amount={Amount} currency={Currency} order={OrderId}", order.Customer.Email, priced.Total.Amount, priced.Total.Currency, order.Id);
💡 Suggested action: Redact or omit PII from log calls. Log only anonymized identifiers (e.g. UserId, not Email or SSN).
Confidence: High | Severity: Warn
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8ca56fb543
| if (result.Success) | ||
| { | ||
| order.MarkPaid(_clock.UtcNow); | ||
| _logger.LogInformation("Charged customer email={Email} amount={Amount} currency={Currency} order={OrderId}", order.Customer.Email, priced.Total.Amount, priced.Total.Currency, order.Id); |
Remove customer email from payment success logs
This new LogInformation call emits order.Customer.Email as a structured Email field, which stores personally identifiable information in centralized logs whenever a charge succeeds. That creates a concrete privacy/compliance risk (e.g., GDPR/CCPA exposure) and expands blast radius because log sinks are broadly accessible and retained longer than transactional data. Please avoid logging raw email here (use a non-PII identifier or a redacted/hashed value if correlation is required).
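The redaction both review comments ask for, written out as an added Python example; it is not code from this PR, from GauntletCI or from Codex. The order and total dictionaries, the field names (which mirror the diff's placeholders), the LOG_PSEUDONYM_KEY environment variable and the cust_ prefix are assumptions made for the example.

```python
"""Swap the raw customer email in a payment log line for a keyed pseudonym."""
from __future__ import annotations

import hashlib
import hmac
import os
import re

EMAIL_LIKE_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

# Assumption: in a real service this key comes from a secret store, never from source.
# A plain SHA-256 of an address is reversible by hashing a list of candidate
# addresses; HMAC with a key held only by the service removes that shortcut.
LOG_PSEUDONYM_KEY = os.environ.get("LOG_PSEUDONYM_KEY", "demo-only-key").encode()


def pseudonymize_email(email: str, key: bytes = LOG_PSEUDONYM_KEY, length: int = 16) -> str:
    """Stable token for one mailbox: enough to join log lines, useless for recovering the address."""
    normalized = email.strip().lower()  # "A@x.com" and "a@x.com " must correlate
    digest = hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"cust_{digest[:length]}"


def payment_log_fields_before(order: dict, total: dict) -> dict:
    """The structured fields the PR's LogInformation call emits (same names as the diff)."""
    return {
        "Email": order["customer_email"],
        "Amount": total["amount"],
        "Currency": total["currency"],
        "OrderId": order["id"],
    }


def payment_log_fields_after(order: dict, total: dict) -> dict:
    """Same correlation power without the address: CustomerRef is still joinable across lines."""
    return {
        "CustomerRef": pseudonymize_email(order["customer_email"]),
        "Amount": total["amount"],
        "Currency": total["currency"],
        "OrderId": order["id"],
    }


def assert_no_email_like(fields: dict) -> dict:
    """Runtime guard for a logging wrapper: refuse any field whose value looks like an address."""
    for name, value in fields.items():
        if isinstance(value, str) and EMAIL_LIKE_RE.search(value):
            raise ValueError(f"log field {name!r} contains an email-like value")
    return fields


def guard_rejects(fields: dict) -> bool:
    """True when the runtime guard would block these fields from being logged."""
    try:
        assert_no_email_like(fields)
    except ValueError:
        return True
    return False


# Constructed sample input, not data from the PR.
SAMPLE_ORDER = {"id": "ord_1001", "customer_email": "Alice.Smith@example.com"}
SAMPLE_TOTAL = {"amount": "42.50", "currency": "EUR"}

if __name__ == "__main__":
    print("before:", guard_rejects(payment_log_fields_before(SAMPLE_ORDER, SAMPLE_TOTAL)))
    print("after: ", assert_no_email_like(payment_log_fields_after(SAMPLE_ORDER, SAMPLE_TOTAL)))
```

The guard is a second line of defence behind the CI rule: a static check like GCI0029 keys on the field name, whereas the guard catches an address smuggled in under a harmless-looking name such as Username.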
05 — PII logged in payment success path
Expected verdict: ❌ Fails — GauntletCI should fire GCI0029 (PII in logs).
What changed
A new LogInformation call in OrderProcessor.ProcessAsync writes the customer's email address and the raw charge amount to logs after a successful payment, ostensibly "for the analytics rollout":
Why this is risky
- shipped to third-party aggregators (Datadog, Splunk, CloudWatch) that may not be in your data-processor agreement.
- six months of cold storage that nobody audits.
- systems.
What GauntletCI catches
GCI0029 PII in logs - a structured log argument named Email (or matching email-like patterns) is being emitted to a logger.
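A minimal version of the check this rule describes, added here as a Python example rather than GauntletCI's own implementation; the regexes, the PII term list, the constructed .cs sample and the reuse of the GCI0029 id for its findings are assumptions. It goes slightly beyond the rule text by also inspecting the argument expressions, so `{Contact}` paired with `order.Customer.Email` is still caught.

```python
"""Scan C# source for ILogger calls whose structured fields carry PII."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: terms treated as sensitive when they appear in a placeholder name
# or in the last segment of a logged argument expression.
PII_TERMS = {"email", "ssn", "phone", "password", "cardnumber", "dob"}

# _logger.LogInformation("template", arg1, arg2, ...);
LOG_CALL_RE = re.compile(
    r'\.Log(?:Trace|Debug|Information|Warning|Error|Critical)\s*\(\s*'
    r'("(?:[^"\\]|\\.)*")\s*(?:,\s*(.*))?\)\s*;'
)
# {Email}, {@Customer}, {Amount:N2}
PLACEHOLDER_RE = re.compile(r"\{@?([A-Za-z_][A-Za-z0-9_]*)(?::[^}]*)?\}")
# A literal address hard-coded into the template text itself
EMAIL_LIKE_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


@dataclass
class Finding:
    rule: str
    file: str
    line: int
    detail: str


def split_args(raw: str) -> list[str]:
    """Split an argument list on top-level commas only (ignores commas inside brackets)."""
    parts, depth, cur = [], 0, []
    for ch in raw:
        if ch in "([{":
            depth += 1
        elif ch in ")]}":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append("".join(cur).strip())
    return parts


def pii_terms_in(name: str) -> set[str]:
    low = name.lower()
    return {t for t in PII_TERMS if t in low}


def scan_source(path: str, text: str) -> list[Finding]:
    """One finding per log call line that names or passes a PII-looking value."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_CALL_RE.search(line)
        if not m:
            continue
        template, raw_args = m.group(1), m.group(2) or ""
        hits: set[str] = set()
        for name in PLACEHOLDER_RE.findall(template):
            hits |= pii_terms_in(name)
        for expr in split_args(raw_args):
            hits |= pii_terms_in(expr.split(".")[-1])  # order.Customer.Email -> Email
        if EMAIL_LIKE_RE.search(template):
            hits.add("email-like literal")
        if hits:
            findings.append(Finding("GCI0029", path, lineno,
                                    f"PII terms {sorted(hits)} found in log call"))
    return findings


# Constructed sample modelled on the diff: line 4 leaks, line 5 is the safe shape.
SAMPLE_SOURCE = """\
if (result.Success)
{
    order.MarkPaid(_clock.UtcNow);
    _logger.LogInformation("Charged customer email={Email} amount={Amount} currency={Currency} order={OrderId}", order.Customer.Email, priced.Total.Amount, priced.Total.Currency, order.Id);
    _logger.LogInformation("Charged order={OrderId} customer={CustomerId}", order.Id, order.Customer.Id);
}
"""


def scan_sample() -> list[Finding]:
    return scan_source("src/OrderService/Processing/OrderProcessor.cs", SAMPLE_SOURCE)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.rule} {f.file}:{f.line} {f.detail}")
```

Being line-oriented and regex-based, this misses calls that span several lines and has no type information; a production analyzer (a Roslyn analyzer, for instance) would work on the syntax tree, but the placeholder-name and argument-name checks are the same.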