Description of the false positive

We use a convenience function to create a logger that includes additional variables taken from a context.Context using the Value call to get the value.

The context itself contains secrets that may be needed. When the logger is created we specify the keys that should be taken from the context to add to the logger.

CodeQL is identifying a Clear-text logging of sensitive information which seems to think that taking any value out of the context, regardless of what is requested, is logging sensitive information.

Code samples or links to source code

This one is detected in the creation of the logger:

https://github.com/distribution/distribution/blob/56a020f7f1fbec903d785b552c97330c58fddae6/internal/dcontext/logger.go#L138
https://github.com/distribution/distribution/security/code-scanning/36

This one is detected when logging an error using context.Errors, which has been populated with a value from the context that is not secret:
https://github.com/distribution/distribution/blob/56a020f7f1fbec903d785b552c97330c58fddae6/registry/handlers/app.go#L831
https://github.com/distribution/distribution/security/code-scanning/23

There are more in the repo that match the same pattern.