python – Checkmarx Filtering Sensitive Logs issue

I got some suggestions from Checkmarx regarding Filtering Sensitive Logs:


|        | Source             | Destination |
|--------|--------------------|-------------|
| Line   | 54                 | 66          |
| Object | encrypted_password | info        |

54. encrypted_password = encryption.encrypt(pub_key, password)
66. "Username: %s, Password: %s", user,

I got other similar issues too:

210. _, token = get_secret(ROOT_TOKEN)
133. LOGGER.debug("GET request status code: %s",

Here, Checkmarx is complaining about get_secret and the fact that I am logging this. Also, I am not directly logging the token. The token is part of the resp object, which is then logged (and even then, not the whole object).

So, I wanted to understand the cause and the best way to fix this.

What I think is that Checkmarx looks for words like secret/passwords/password etc. and then figures out if these are being logged somewhere.
In the second example too, I think it sees that there is a function with secret in its name, so that function must return some sensitive info (which is then stored in a variable and logged), and that is why it is again complaining.

Is that correct?
I tried to look online but didn't find much about this here.
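One way to keep secret values out of log output at runtime, whatever the scanner's reasoning, is a redacting filter on the log handler; this is an added example, not code from the question. The sensitive key names, the logger name and the sample token and password values are assumptions constructed for the illustration.

```python
import logging
import re

# Key names treated as sensitive are an assumption for this example.
KEYED = re.compile(r"(?i)\b(password|passwd|secret|token)\b(\s*[:=]\s*)(\S+)")

class RedactingFilter(logging.Filter):
    """Masks secrets in the rendered message before a handler emits it."""

    def __init__(self):
        super().__init__()
        self._values = set()

    def register(self, value):  # remember a runtime secret to mask by value
        if value:
            self._values.add(str(value))

    def filter(self, record):
        text = record.getMessage()            # render "%s" placeholders first
        for value in sorted(self._values, key=len, reverse=True):
            text = text.replace(value, "[REDACTED]")
        text = KEYED.sub(r"\1\2[REDACTED]", text)
        record.msg, record.args = text, None  # freeze the scrubbed text
        return True                           # keep the record

class ListHandler(logging.Handler):
    """Collects formatted lines in memory so the result can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))

def demo():
    redactor, handler = RedactingFilter(), ListHandler()
    handler.addFilter(redactor)   # applies to every record this handler emits
    logger = logging.getLogger("redaction_demo")   # hypothetical logger name
    logger.handlers, logger.propagate = [handler], False
    logger.setLevel(logging.DEBUG)
    token = "s.CONSTRUCTED-TOKEN-123"              # constructed sample value
    redactor.register(token)
    logger.info("Username: %s, Password: %s", "alice", "c2FtcGxl")
    logger.debug("GET request status code: %s, body: %s", 200, {"auth": token})
    return handler.lines

if __name__ == "__main__":
    print("\n".join(demo()))
```

The filter is a safety net for values that reach a log call indirectly, such as a token nested inside a response object; it does not replace removing the secret from the log statement itself.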