grafana · kleimkuhler · Apr 7, 2026 · Apr 6, 2026 · Apr 6, 2026 · Apr 7, 2026
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"crypto/sha1"
+	"encoding/hex"
 	"fmt"
 	"maps"
 	"os"
@@ -366,6 +367,14 @@ func (c *Component) processEntry(ctx context.Context, entry loki.Entry) (loki.En
 // redactLine redacts each finding in the log line and records metrics.
 func (c *Component) redactLine(entry loki.Entry, findings []report.Finding) loki.Entry {
 	line := entry.Line
+
+	originValue := ""
+	if c.args.OriginLabel != "" && len(entry.Labels) > 0 {
+		if value, ok := entry.Labels[model.LabelName(c.args.OriginLabel)]; ok {
+			originValue = string(value)
+		}
+	}
+
 	for i := range findings {
 		finding := &findings[i]
 		ruleName := finding.RuleID
@@ -386,23 +395,16 @@ func (c *Component) redactLine(entry loki.Entry, findings []report.Finding) loki
 		line = strings.ReplaceAll(line, originalSecret, replacement)
 
 		c.metrics.secretsRedactedTotal.Inc()
-		originValue := ""
-		if c.args.OriginLabel != "" && len(entry.Labels) > 0 {
-			if value, ok := entry.Labels[model.LabelName(c.args.OriginLabel)]; ok {
-				originValue = string(value)
-			}
-		}
 		c.metrics.secretsRedactedByCategory.WithLabelValues(ruleName, originValue).Inc()
 	}
 	entry.Line = line
 	return entry
 }
 
-// hashSecret returns a short hex-encoded SHA1 hash of the secret for use in redaction placeholders.
+// hashSecret returns a short hex-encoded SHA-1 hash of the secret for use in redaction placeholders.
 func hashSecret(secret string) string {
-	hasher := sha1.New()
-	hasher.Write([]byte(secret))
-	return fmt.Sprintf("%x", hasher.Sum(nil))
+	sum := sha1.Sum([]byte(secret))
+	return hex.EncodeToString(sum[:])
 }
 
 // withLabel returns a copy of the entry with the given label set to value.