Documentation
Overview
Package sanitize provides utilities for redacting sensitive information from logs.
This package offers two complementary approaches to secret sanitization:
  - Pattern-based detection: SanitizeString() and SanitizeJSON() use regex patterns to identify and redact secrets like API keys, tokens, and passwords.
  - Prefix truncation: TruncateSecret() and TruncateSecretMap() show only the first 4 characters of values, making them safe for logging without exposing full secrets.

Usage Guidelines:

  - Use TruncateSecret()/TruncateSecretMap() for auth headers and environment variables where you want to preserve a hint of the value for debugging.
  - Use SanitizeString()/SanitizeJSON() for full payload sanitization where secrets may appear in various formats throughout the data.

Example:

    // For auth headers
    log.Printf("Auth: %s", sanitize.TruncateSecret(authHeader)) // "ghp_..." instead of full token

    // For environment variables
    log.Printf("Env: %v", sanitize.TruncateSecretMap(envVars))

    // For JSON payloads
    sanitized := sanitize.SanitizeJSON(payload) // Replaces detected secrets with [REDACTED]
Constants
This section is empty.
Variables
    var SecretPatterns = []*regexp.Regexp{
        regexp.MustCompile(`(?i)(token|key|secret|password|auth)[=:]\s*[^\s]{8,}`),
        regexp.MustCompile(`ghp_[a-zA-Z0-9]{36,}`),
        regexp.MustCompile(`github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}`),
        regexp.MustCompile(`(?i)bearer\s+[a-zA-Z0-9\-._~+/]+=*`),
        regexp.MustCompile(`(?i)authorization:\s*[a-zA-Z0-9\-._~+/]+=*`),
        regexp.MustCompile(`[a-f0-9]{32,}`),
        regexp.MustCompile(`(?i)(apikey|api_key|access_key)[=:]\s*[^\s]{8,}`),
        regexp.MustCompile(`(?i)(client_secret|client_id)[=:]\s*[^\s]{8,}`),
        regexp.MustCompile(`[a-zA-Z0-9_-]{20,}\.eyJ[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+`),
        regexp.MustCompile(`(?i)"(token|password|passwd|pwd|apikey|api_key|api-key|secret|client_secret|api_secret|authorization|auth|key|private_key|public_key|credentials|credential|access_token|refresh_token|bearer_token)"\s*:\s*"[^"]{1,}"`),
    }

SecretPatterns contains regex patterns for detecting potential secrets.
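The following is an added example, not code from the sanitize package: it runs three of the patterns listed above over constructed log lines to show what pattern-based redaction catches, what it over-redacts, and what it lets through. The names subset, samples, redact and unchanged are hypothetical, and redact assumes each match is replaced with [REDACTED], as the SanitizeString description states.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Three entries copied verbatim from the SecretPatterns list on this page.
var subset = []*regexp.Regexp{
	regexp.MustCompile(`(?i)(token|key|secret|password|auth)[=:]\s*[^\s]{8,}`),
	regexp.MustCompile(`ghp_[a-zA-Z0-9]{36,}`),
	regexp.MustCompile(`[a-f0-9]{32,}`),
}

// Constructed sample log lines; none contains a real credential.
var samples = []string{
	"login ok password=hunter2hunter2 user=bob",                // value of 8+ chars
	"login failed password=abc123 user=bob",                    // value under 8 chars
	"pushed with ghp_" + strings.Repeat("x", 36),               // GitHub token shape
	"deployed commit 3f2a9c1b7d4e5f60718293a4b5c6d7e8f9012345", // 40-hex SHA
}

// redact is a hypothetical stand-in for SanitizeString. Assumption: every
// match of every pattern is replaced with [REDACTED], in list order.
func redact(s string) string {
	for _, re := range subset {
		s = re.ReplaceAllString(s, "[REDACTED]")
	}
	return s
}

// unchanged returns the sample lines that no pattern altered.
func unchanged() []string {
	var out []string
	for _, l := range samples {
		if redact(l) == l {
			out = append(out, l)
		}
	}
	return out
}

func main() {
	for _, l := range samples {
		fmt.Printf("%q -> %q\n", l, redact(l))
	}
	fmt.Println("passed through unredacted:", unchanged())
}
```

The short-password line passes through because the generic key=value pattern requires at least 8 non-space characters, while the commit SHA is redacted by the hex pattern although it is not a secret.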
Functions
func SanitizeArgs
SanitizeArgs returns a sanitized version of command arguments for safe logging. It specifically handles Docker-style environment variable arguments (-e VAR=VALUE) by truncating the values to prevent exposing sensitive data like API tokens. Other arguments are passed through unchanged.
func SanitizeJSON
    func SanitizeJSON(payloadBytes []byte) json.RawMessage
SanitizeJSON sanitizes a JSON payload by applying regex patterns to the entire string. It takes raw bytes, applies regex sanitization in one pass, and returns sanitized bytes.
func SanitizeString
SanitizeString replaces potential secrets in a string with [REDACTED].
func TruncateSecret
TruncateSecret returns a sanitized version of the input string for safe logging. It shows only the first 4 characters followed by "..." to prevent exposing sensitive data. For strings with 4 or fewer characters, it returns only "...". For empty strings, it returns an empty string.
func TruncateSecretMap
TruncateSecretMap returns a sanitized version of environment variables where each value is truncated to the first 4 characters followed by "...". This prevents sensitive information like API keys from being logged in full.
Types
This section is empty.