From eb34a61210737de10f5818cddf21fdf7ce65585a Mon Sep 17 00:00:00 2001
From: Evan Mattson <35585003+moonbox3@users.noreply.github.com>
Date: Tue, 3 Feb 2026 12:01:45 +0900
Subject: [PATCH] Potential fix for code scanning alert no. 48: Clear-text
 logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .../declarative/agent_framework_declarative/_models.py      | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/python/packages/declarative/agent_framework_declarative/_models.py b/python/packages/declarative/agent_framework_declarative/_models.py
index 0132590a1c..c5d0dce33b 100644
--- a/python/packages/declarative/agent_framework_declarative/_models.py
+++ b/python/packages/declarative/agent_framework_declarative/_models.py
@@ -59,9 +59,11 @@ def _try_powerfx_eval(value: str | None, log_value: bool = True) -> str | None:
         return engine.eval(value[1:], symbols={"Env": dict(os.environ)})
     except Exception as exc:
         if log_value:
-            logger.debug(f"PowerFx evaluation failed for value '{value}': {exc}")
+            value_repr = value
         else:
-            logger.debug(f"PowerFx evaluation failed for value (first five characters shown) '{value[:5]}': {exc}")
+            # Only log a small, non-sensitive snippet of the value when log_value is False
+            value_repr = value[:5]
+        logger.debug(f"PowerFx evaluation failed for value '{value_repr}': {exc}")
         return value