Code Room
On-call · Medium · oc-g354
Subject: Credential leak
Level: Mid–Senior
~30 min
Common in Security interviews
Industries: Software development, IT services, Technology

Question

A customer opens a support ticket with a screenshot showing your CI build logs are **public** for open-source PRs, and one log line prints `SNOWFLAKE_PASSWORD=...` in full — a `set -x` left on in a build script echoed the env. The exposed account is a read-only analytics warehouse user. Logs for ~600 PR builds over 5 weeks are public. Snowflake's login history shows logins only from your CI egress IPs and your office — nothing foreign. An engineer argues "it's read-only and no foreign logins, low severity, fix the script Monday." How do you triage and what's your call?

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
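One way to turn "form hypotheses from real signals" into scoping data, as an added example that is not part of the original page: scan the exported build logs for secret-looking assignments, whether printed by `set -x` tracing or by an env dump, and report which variable names were exposed in which builds. The name heuristic, the masking placeholders, the build ids and the sample logs are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Variable names that suggest a credential (assumed naming heuristic).
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY)", re.I)
# NAME=value, optionally behind an xtrace "+ " prefix and export/declare/local/readonly.
ASSIGNMENT = re.compile(
    r"^(?P<trace>\++\s+)?(?:(?:export|declare(?:\s+-\w+)*|local|readonly)\s+)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)=(?P<value>.*)$"
)
# Empty values or placeholders a CI system prints when masking worked (assumed set).
MASKED = re.compile(r"^['\"]?(\*+|\[MASKED\]|\[secure\])?['\"]?$")

def scan_log(build_id, text):
    """Return one finding per exposed secret-like assignment; values are never kept."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ASSIGNMENT.match(line.strip())
        if not m or not SECRET_NAME.search(m["name"]):
            continue
        if MASKED.match(m["value"]):
            continue
        findings.append({
            "build": build_id, "line": lineno, "name": m["name"],
            "via_xtrace": bool(m["trace"]),
            "value_len": len(m["value"].strip("'\"")),
        })
    return findings

def summarize(logs):
    """Map each exposed variable name to the sorted builds that printed it."""
    exposed = defaultdict(set)
    for build_id, text in logs.items():
        for f in scan_log(build_id, text):
            exposed[f["name"]].add(build_id)
    return {name: sorted(builds) for name, builds in exposed.items()}

# Constructed sample logs; build ids and values are made up.
SAMPLE_LOGS = {
    "pr-101": "+ set -x\n+ export SNOWFLAKE_PASSWORD=example-not-real\n+ make test\n",
    "pr-102": "+ make test\nBUILD_NUMBER=102\nSNOWFLAKE_PASSWORD=***\n",
    "pr-103": "+ env\nHOME=/root\nSNOWFLAKE_PASSWORD=example-not-real\nDEPLOY_TOKEN=example-token\n",
}

if __name__ == "__main__":
    for name, builds in summarize(SAMPLE_LOGS).items():
        print(f"{name}: exposed in {len(builds)} build(s): {', '.join(builds)}")
```

The summary answers two triage questions at once: how many of the public logs actually carry the password, and whether the same tracing leaked any other credential that also needs rotating.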
