Documentation
Overview ¶
Package sanitize provides utilities for redacting sensitive information from logs.
This package offers two complementary approaches to secret sanitization:
Pattern-based detection: SanitizeString() and SanitizeJSON() use regex patterns to identify and redact secrets like API keys, tokens, and passwords.
Prefix truncation: TruncateSecret() and TruncateSecretMap() show only the first 4 characters of values, making them safe for logging without exposing full secrets.
Usage Guidelines:
Use TruncateSecret()/TruncateSecretMap() for auth headers and environment variables where you want to preserve a hint of the value for debugging.
Use SanitizeString()/SanitizeJSON() for full payload sanitization where secrets may appear in various formats throughout the data.
Example:
// For auth headers
log.Printf("Auth: %s", sanitize.TruncateSecret(authHeader)) // "ghp_..." instead of full token
// For environment variables
log.Printf("Env: %v", sanitize.TruncateSecretMap(envVars))
// For JSON payloads
sanitized := sanitize.SanitizeJSON(payload) // Replaces detected secrets with [REDACTED]
Index ¶
- Variables
- func MarshalAndSanitize(value any) string
- func RedactURL(rawURL string) string
- func SanitizeArgs(args []string) []string
- func SanitizeJSON(payloadBytes []byte) json.RawMessage
- func SanitizeString(message string) string
- func TruncateSecret(input string) string
- func TruncateSecretMap(env map[string]string) map[string]string
Constants ¶
This section is empty.
Variables ¶
var SecretPatterns = []*regexp.Regexp{
	regexp.MustCompile(`(?i)(token|key|secret|password|auth)[=:]\s*[^\s]{8,}`),
	regexp.MustCompile(`ghp_[a-zA-Z0-9]{36,}`),
	regexp.MustCompile(`github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}`),
	regexp.MustCompile(`(?i)bearer\s+[a-zA-Z0-9\-._~+/]+=*`),
	regexp.MustCompile(`(?i)authorization:\s*[a-zA-Z0-9\-._~+/]+=*`),
	regexp.MustCompile(`[a-f0-9]{32,}`),
	regexp.MustCompile(`(?i)(apikey|api_key|access_key)[=:]\s*[^\s]{8,}`),
	regexp.MustCompile(`(?i)(client_secret|client_id)[=:]\s*[^\s]{8,}`),
	regexp.MustCompile(`[a-zA-Z0-9_-]{20,}\.eyJ[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+`),
	regexp.MustCompile(`(?i)"(token|password|passwd|pwd|apikey|api_key|api-key|secret|client_secret|api_secret|authorization|auth|key|private_key|public_key|credentials|credential|access_token|refresh_token|bearer_token)"\s*:\s*"[^"]{1,}"`),
}
SecretPatterns contains the regex patterns used to detect potential secrets. A few properties follow directly from the patterns and matter when relying on them for logs: the keyword patterns (token, key, password, apikey, client_secret and so on) require the "=" or ":" to follow the keyword immediately, so "password = value" with a space before the separator is not matched, and the value match runs from the separator to the next whitespace; the bare hex pattern [a-f0-9]{32,} redacts any run of 32 or more lowercase hex characters, which includes SHA-1 and SHA-256 digests and git commit hashes, so expect some false positives in build and image logs; and the client_secret|client_id pattern redacts client IDs along with client secrets.
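To see what the documented patterns catch and miss, here is an added example (not the package's own code) that copies the SecretPatterns list above verbatim, applies each regex in the order listed and replaces every whole match with [REDACTED] (an assumption about how SanitizeString substitutes; the real package may do this differently), then runs the result over a few constructed log lines with made-up token values:

```go
package main

import (
	"fmt"
	"regexp"
)

// secretPatterns copies the SecretPatterns list from the package documentation,
// in the same order, so the behaviour shown here follows from the documented regexes.
var secretPatterns = []*regexp.Regexp{
	regexp.MustCompile(`(?i)(token|key|secret|password|auth)[=:]\s*[^\s]{8,}`),
	regexp.MustCompile(`ghp_[a-zA-Z0-9]{36,}`),
	regexp.MustCompile(`github_pat_[a-zA-Z0-9]{22}_[a-zA-Z0-9]{59}`),
	regexp.MustCompile(`(?i)bearer\s+[a-zA-Z0-9\-._~+/]+=*`),
	regexp.MustCompile(`(?i)authorization:\s*[a-zA-Z0-9\-._~+/]+=*`),
	regexp.MustCompile(`[a-f0-9]{32,}`),
	regexp.MustCompile(`(?i)(apikey|api_key|access_key)[=:]\s*[^\s]{8,}`),
	regexp.MustCompile(`(?i)(client_secret|client_id)[=:]\s*[^\s]{8,}`),
	regexp.MustCompile(`[a-zA-Z0-9_-]{20,}\.eyJ[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+`),
	regexp.MustCompile(`(?i)"(token|password|passwd|pwd|apikey|api_key|api-key|secret|client_secret|api_secret|authorization|auth|key|private_key|public_key|credentials|credential|access_token|refresh_token|bearer_token)"\s*:\s*"[^"]{1,}"`),
}

// redact applies every pattern in order and replaces each whole match with
// [REDACTED]. It is a stand-in for SanitizeString written for this example,
// not the package's implementation: whole-match replacement is an assumption.
func redact(s string) string {
	for _, re := range secretPatterns {
		s = re.ReplaceAllString(s, "[REDACTED]")
	}
	return s
}

// sampleLines are constructed log lines; every token-like value is made up.
var sampleLines = []string{
	"login user=alice password=hunter2secret",
	"git push using ghp_abcdefghijklmnopqrstuvwxyz0123456789",
	"Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.c2lnbmF0dXJl",
	`{"user":"alice","password":"hunter2secret"}`,
	"api_key=sk_live_0123456789",
	"image digest e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
	"password = hunter2secret",
}

func main() {
	for _, line := range sampleLines {
		fmt.Printf("%-85s -> %s\n", line, redact(line))
	}
}
```

Four things are worth noticing in the output: the SHA-256 digest on the "image digest" line is redacted by the bare hex pattern even though it is not a secret; "password = hunter2secret" passes through untouched because of the space before "="; "api_key=..." is consumed by the first pattern's "key" alternative before the dedicated api_key pattern gets a turn, leaving "api_[REDACTED]"; and in the JSON line the match spans key and value, so the key disappears with it and the result is no longer valid JSON. Treat sanitized output as log text rather than something to parse.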
Functions ¶
func MarshalAndSanitize ¶ added in v0.3.2
MarshalAndSanitize marshals value to JSON and sanitizes the result to redact secrets. If marshaling fails, it returns a sanitized empty string rather than surfacing a logging-only error — callers should use this only in best-effort logging contexts.
func RedactURL ¶ added in v0.3.1
RedactURL returns a safe-to-log version of a URL by retaining only the scheme, host, and path. Userinfo (credentials), query parameters, and fragments are removed to prevent accidental leakage of secrets (e.g. api_key=..., token=...). If the input cannot be parsed as a URL, the literal string "<unparseable-url>" is returned instead so callers never log raw unverified input.
func SanitizeArgs ¶
SanitizeArgs returns a sanitized version of command arguments for safe logging. It specifically handles Docker-style environment variable arguments (-e VAR=VALUE) by truncating ALL values to prevent exposing sensitive data like API tokens. This approach prioritizes security over debugging convenience - we truncate all environment variable values rather than trying to selectively identify secrets. Other arguments are passed through unchanged.
func SanitizeJSON ¶
func SanitizeJSON(payloadBytes []byte) json.RawMessage
SanitizeJSON sanitizes a JSON payload by applying the regex patterns to the entire string. It takes raw bytes, applies regex sanitization in one pass, and returns the sanitized bytes as json.RawMessage.
func SanitizeString ¶
SanitizeString replaces potential secrets in a string, as matched by the regex patterns, with [REDACTED].
func TruncateSecret ¶
TruncateSecret returns a sanitized version of the input string for safe logging. It shows only the first 4 characters followed by "..." to prevent exposing sensitive data. For strings with 4 or fewer characters, it returns only "...". For empty strings, it returns an empty string.
func TruncateSecretMap ¶
TruncateSecretMap returns a sanitized version of environment variables in which each value is truncated to its first 4 characters followed by "...". Keys are left as they are. This prevents sensitive information such as API keys from being logged in full while still letting you recognise which value is which.
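The following is an added example, written for this page rather than taken from the package, that implements the contracts described above for TruncateSecret, TruncateSecretMap, SanitizeArgs and RedactURL as stand-alone functions so their edge cases (short values, empty values, a -e with no value, a URL with userinfo and query, an unparseable URL) can be exercised offline. Treating --env the same as -e, passing -e VAR (no "=", value inherited from the host) through unchanged, and counting characters as runes rather than bytes are assumptions not stated by the documentation.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// truncateSecret follows the documented TruncateSecret contract: the first 4
// characters plus "...", only "..." for 4 or fewer characters, "" for "".
// Characters are counted as runes (an assumption) so a multi-byte prefix is
// never split in the middle of a code point.
func truncateSecret(s string) string {
	if s == "" {
		return ""
	}
	r := []rune(s)
	if len(r) <= 4 {
		return "..."
	}
	return string(r[:4]) + "..."
}

// truncateSecretMap truncates every value and keeps keys verbatim, as the
// TruncateSecretMap doc describes.
func truncateSecretMap(env map[string]string) map[string]string {
	out := make(map[string]string, len(env))
	for k, v := range env {
		out[k] = truncateSecret(v)
	}
	return out
}

// sanitizeArgs truncates the value of every Docker-style "-e VAR=VALUE" pair
// and passes everything else through. Assumptions beyond the page: "--env" is
// treated like "-e", and "-e VAR" without "=" is left alone because the
// argument itself carries no value.
func sanitizeArgs(args []string) []string {
	out := append([]string(nil), args...)
	for i := 0; i+1 < len(out); i++ {
		if out[i] != "-e" && out[i] != "--env" {
			continue
		}
		if name, value, found := strings.Cut(out[i+1], "="); found {
			out[i+1] = name + "=" + truncateSecret(value)
		}
		i++ // out[i+1] was the variable; do not re-examine it as a flag
	}
	return out
}

// redactURL keeps only scheme, host and path, dropping userinfo, query and
// fragment, and returns "<unparseable-url>" when parsing fails, following the
// documented RedactURL contract.
func redactURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return "<unparseable-url>"
	}
	return (&url.URL{Scheme: u.Scheme, Host: u.Host, Path: u.Path}).String()
}

func main() {
	// Constructed inputs; the token-like values are made up.
	fmt.Println(truncateSecret("ghp_abcdefghijklmnopqrstuvwxyz0123456789"))
	fmt.Println(truncateSecretMap(map[string]string{"GITHUB_TOKEN": "ghp_abcdefgh", "HOME": "/home/alice"}))
	fmt.Println(sanitizeArgs([]string{"run", "-e", "API_TOKEN=sk_live_123456", "-e", "DEBUG", "--env", "HOME=/home/alice", "image:latest"}))
	fmt.Println(redactURL("https://user:pass@api.example.com/v1/items?api_key=abc#frag"))
	fmt.Println(redactURL("::bad"))
}
```

Note that sanitizeArgs truncates the value of HOME as well as of API_TOKEN; that is the documented trade-off of SanitizeArgs, which truncates all environment values rather than guessing which are secret.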
Types ¶
This section is empty.