python – Checkmarx Filtering Sensitive Logs issue

I got some suggestions from Checkmarx regarding Filtering Sensitive Logs.

Example

          Source               Destination
Line      54                   66
Object    encrypted_password   info
....
54. encrypted_password = encryption.encrypt(pub_key, password)
....
66. LOGGER.info("Username: %s, Password: %s", user, encrypted_password)

I got other similar issues too

....
210. _, token = get_secret(ROOT_TOKEN)
....
133. LOGGER.debug("GET request status code: %s", resp.getcode())

Here, Checkmarx is complaining about get_secret and the fact that I am logging this. Also, I am not directly logging the token. The token is part of the resp object, which is then logged (and that too not the whole object).

So, I wanted to understand the cause and the best way to fix this.

What I think is that Checkmarx looks for words like secret/passwords/password etc. and then figures out if these are being logged somewhere.
In the second example too, I think it sees that there is a function with secret in its name, so that function must return some sensitive info (which is then stored in a variable and logged), so that is why it is again complaining.

Is that correct?
I tried to look online but didn’t find much about this here
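An added example, not part of the original question and not Checkmarx's own guidance: one way to keep sensitive values out of logs in Python, shown on the `LOGGER.info("Username: %s, Password: %s", ...)` call from the question. The key list, the `RedactingFilter` and `ListHandler` classes, the logger name and the sample values are assumptions made for the illustration.

```python
import logging
import re

# Key names treated as sensitive: an assumption for this example, extend as needed.
SENSITIVE_KEYS = ("password", "passwd", "secret", "token")
_PAIR = re.compile(r"(?i)\b(%s)\b(\s*[:=]\s*)(\S+)" % "|".join(SENSITIVE_KEYS))


class RedactingFilter(logging.Filter):
    """Mask the value in 'key: value' / 'key=value' pairs for sensitive keys."""

    def filter(self, record):
        # Render first so values passed as %s arguments are covered too.
        record.msg = _PAIR.sub(r"\1\2[REDACTED]", record.getMessage())
        record.args = None
        return True


class ListHandler(logging.Handler):
    """Collects formatted messages in memory so the result can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(record.getMessage())


def demo():
    handler = ListHandler()
    handler.addFilter(RedactingFilter())
    log = logging.getLogger("redaction_demo")
    log.handlers, log.propagate = [handler], False
    log.setLevel(logging.DEBUG)

    user, encrypted_password = "alice", "c2FtcGxlLWNpcGhlcnRleHQ="  # constructed values
    # Shape of the flagged call from the question: the filter masks it at runtime.
    log.info("Username: %s, Password: %s", user, encrypted_password)
    # Preferred form: the sensitive value never reaches the log call.
    log.info("Login attempt for username: %s", user)
    log.debug("GET request status code: %s", 200)
    return handler.lines


if __name__ == "__main__":
    print("\n".join(demo()))
```

The filter is a runtime safety net only; a static scanner analyses the source, so removing the sensitive argument from the log call is the change that alters what the scanner sees.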