stacklok · aponcedeleonch · Jan 13, 2025 · Jan 13, 2025
diff --git a/src/codegate/pipeline/secrets/secrets.py b/src/codegate/pipeline/secrets/secrets.py
@@ -135,15 +135,13 @@ def obfuscate(self, text: str) -> tuple[str, int]:
         # Store matches for logging
         found_secrets = 0
 
-        # Replace each match with its encrypted value
+        # First pass. Replace each match with its encrypted value
         logger.info("\nFound secrets:")
         for start, end, match in absolute_matches:
             hidden_secret = self._hide_secret(match)
 
             # Replace the secret in the text
             protected_text[start:end] = hidden_secret
-
-            self._notify_secret(match, protected_text)
             found_secrets += 1
             # Log the findings
             logger.info(
@@ -153,6 +151,10 @@ def obfuscate(self, text: str) -> tuple[str, int]:
                 f"\nEncrypted: {hidden_secret}"
             )
 
+        # Second pass. Notify the secrets in DB over the complete protected text.
+        for _, _, match in absolute_matches:
+            self._notify_secret(match, protected_text)
+
         # Convert back to string
         protected_string = "".join(protected_text)
         print(f"\nProtected text:\n{protected_string}")