Credit card numbers, emails, SSNs, API keys. Sensitive data that ended up in logs. A developer logs a request object. An error message includes user data. A third-party library dumps more than expected.

Example

{
  "@timestamp": "2024-01-15T10:30:00Z",
  "service.name": "payment-service",
  "event": "payment.processed",
  "card_number": "4111111111111111",
  "amount": 99.99
}

id: redact-credit-card-payment-service
name: Redact credit card numbers from payment-service
description: Remove card_number field containing credit card data.
log:
  match:
    - resource_attribute: service.name
      exact: payment-service
    - log_attribute: card_number
      regex: "^[0-9]{13,19}$"
  transform:
    remove:
      - log_attribute: card_number
Each PII pattern gets its own policy. You approve them individually based on your compliance requirements. Edge enforcement is critical. Redacting at the edge means sensitive data never leaves your infrastructure. No cleanup required. No breach notifications. The blast radius is zero. But also fix the source. Open a PR to remove sensitive fields from the log statement entirely.
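To make the policy shape above concrete, here is an added Python evaluator for it. This is example code written for this page, not Tero's engine; it assumes both resource attributes (service.name) and log attributes (card_number) are looked up as keys of one flat record, that the match clauses are ANDed, and that `remove` drops the named attribute. The three sample records are constructed: the page's own example, the same field from a different service, and an already-masked value.

```python
import re
from copy import deepcopy

# Added example: a minimal evaluator for the policy shape shown above.
# Assumption: resource attributes (service.name) and log attributes
# (card_number) are both looked up as keys of one flat log record.
POLICY = {
    "id": "redact-credit-card-payment-service",
    "log": {
        "match": [
            {"resource_attribute": "service.name", "exact": "payment-service"},
            {"log_attribute": "card_number", "regex": r"^[0-9]{13,19}$"},
        ],
        "transform": {"remove": [{"log_attribute": "card_number"}]},
    },
}


def _attribute_name(clause):
    """Return the attribute a match or transform clause refers to."""
    return clause.get("resource_attribute") or clause.get("log_attribute")


def matches(policy, record):
    """True only if every match clause holds (clauses are ANDed)."""
    for clause in policy["log"]["match"]:
        value = record.get(_attribute_name(clause))
        if value is None:
            return False  # attribute absent: the policy does not apply
        if "exact" in clause and str(value) != clause["exact"]:
            return False
        if "regex" in clause and not re.search(clause["regex"], str(value)):
            return False
    return True


def apply_policy(policy, record):
    """Return a new record with the transform applied when the match holds."""
    if not matches(policy, record):
        return record
    redacted = deepcopy(record)
    for clause in policy["log"]["transform"]["remove"]:
        redacted.pop(_attribute_name(clause), None)
    return redacted


# Constructed sample records: the page's example plus two edge cases.
SAMPLE_RECORDS = [
    {"@timestamp": "2024-01-15T10:30:00Z", "service.name": "payment-service",
     "event": "payment.processed", "card_number": "4111111111111111",
     "amount": 99.99},
    # Same field, different service: the policy is scoped and must not fire.
    {"@timestamp": "2024-01-15T10:31:00Z", "service.name": "checkout-ui",
     "event": "form.submitted", "card_number": "4111111111111111"},
    # Already-masked value does not match the digits-only regex: left alone.
    {"@timestamp": "2024-01-15T10:32:00Z", "service.name": "payment-service",
     "event": "payment.refunded", "card_number": "****1111"},
]


def redact_all(policy=POLICY, records=SAMPLE_RECORDS):
    """Apply one policy to a batch of records; records are never mutated."""
    return [apply_policy(policy, r) for r in records]


if __name__ == "__main__":
    for rec in redact_all():
        print(rec)
```

The second and third records show why the match block carries two clauses: the service scope keeps the policy from touching a field that happens to share a name elsewhere, and the regex keeps it from removing values that are already safe.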

How it works

Tero uses the Master Catalog to understand each field: what it represents, what values it contains, why it exists. This determines which fields get scanned for PII. Any field that could contain PII through normal developer error gets scanned: error_message, request_body, user_input, free-form text fields. Fields that are structurally incompatible with PII are skipped: timestamp, severity, status_code, pid. These have fixed formats. PII can’t end up there through a logging mistake. Tero detects PII using patterns from gitleaks, a widely-used open source project for secret detection.
  • Credit card numbers (Visa, Mastercard, Amex, Discover)
  • Social Security numbers (US)
  • National Insurance numbers (UK)
  • Email addresses
  • Phone numbers
  • IP addresses
  • IBANs
  • AWS access keys and secret keys
  • GCP API keys
  • Azure AD client secrets
  • Alibaba access keys
  • DigitalOcean tokens
  • Heroku API keys
  • Cloudflare API keys
  • Databricks API tokens
  • GitHub tokens (PAT, OAuth, App, Fine-grained)
  • GitLab tokens (PAT, Deploy, Runner, CI/CD job)
  • Bitbucket client secrets
  • Travis CI tokens
  • CircleCI tokens
  • Drone CI tokens
  • Slack tokens (bot, user, webhook)
  • Discord tokens
  • Telegram bot tokens
  • Microsoft Teams webhooks
  • Mattermost tokens
  • Twilio API keys
  • Database connection strings
  • Planetscale tokens
  • MongoDB connection strings
  • Redis connection strings
  • Elasticsearch credentials
  • Stripe API keys
  • Square access tokens
  • Plaid API tokens
  • Coinbase access tokens
  • GoCardless tokens
  • OpenAI API keys
  • Anthropic API keys
  • Hugging Face tokens
  • Cohere API tokens
  • Datadog access tokens
  • New Relic API keys
  • Grafana API keys
  • Sentry tokens
  • Dynatrace API tokens
  • Notion API tokens
  • Asana client secrets
  • Linear API keys
  • Jira API tokens
  • Shopify access tokens
  • SendGrid API tokens
  • Mailchimp API keys
  • Private keys (RSA, DSA, EC, PGP)
  • JWTs
  • PKCS12 files
  • Age secret keys
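The catalog-driven scan described under "How it works" can be illustrated with a small added Python example. It is written for this page and is not Tero's scanner; the catalog, the regexes (simplified patterns, not gitleaks's rule set), and the log record are all constructed. Fixed-format fields are skipped, free-form fields are scanned, and a Luhn check suppresses digit runs such as order numbers that merely look like card numbers.

```python
import re

# Constructed catalog: which fields have a fixed format (skipped) and which
# are free-form text (scanned). Fields not in the catalog are scanned too.
CATALOG = {
    "@timestamp": {"format": "fixed"},
    "severity": {"format": "fixed"},
    "status_code": {"format": "fixed"},
    "pid": {"format": "fixed"},
    "error_message": {"format": "free_text"},
    "request_body": {"format": "free_text"},
    "user_input": {"format": "free_text"},
}

# Simplified detection patterns written for this example (not gitleaks's rules).
PATTERNS = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for real card numbers, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep the last four characters so support staff can still correlate."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_record(record, catalog=CATALOG):
    """Return (findings, redacted_record); findings are (field, kind, masked)."""
    findings = []
    redacted = dict(record)
    for field, value in record.items():
        if catalog.get(field, {}).get("format") == "fixed":
            continue  # fixed format: PII cannot land here via a logging mistake
        if not isinstance(value, str):
            continue
        new_value = value
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(value):
                hit = m.group(0)
                if kind == "credit_card" and not luhn_ok(re.sub(r"[ -]", "", hit)):
                    continue  # digit run that fails Luhn: not a card number
                findings.append((field, kind, mask(hit)))
                new_value = new_value.replace(hit, mask(hit))
        redacted[field] = new_value
    return findings, redacted


# Constructed record: a card and an e-mail in an error message, the AWS
# documentation example key id in a request body, and an order id that
# has 16 digits but fails Luhn.
SAMPLE_RECORD = {
    "@timestamp": "2024-01-15T10:30:00Z",
    "severity": "ERROR",
    "status_code": 500,
    "error_message": "charge failed for card 4111111111111111 (alice@example.com)",
    "request_body": '{"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}',
    "user_input": "order 1234567890123456 not found",
}


if __name__ == "__main__":
    found, clean = scan_record(SAMPLE_RECORD)
    for f in found:
        print(f)
    print(clean)
```

The card pattern tolerates spaces and dashes between digit groups, which is how numbers often appear in pasted request bodies; the Luhn check is what keeps the scanner from flagging the order id in `user_input`.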