PII leakage - Tero Documentation

PII leakage occurs when logs contain personal data, credentials, secrets, payment data, or other sensitive values that don’t belong in observability storage. Common sources include request-object logging, error messages that include user input, verbose third-party libraries, and instrumentation that records more fields than intended.

Signals

Signal	Description
Sensitive field name	Field names such as `card_number`, `email`, `ssn`, `api_key`, or `token`.
Sensitive value pattern	Values match known formats for payment cards, secrets, credentials, or identifiers.
Free-form message content	A text field contains sensitive substrings inside an otherwise routine message.
High-risk field type	Request bodies, error messages, user input, and metadata fields can contain sensitive data through developer error.

Example

Credit card numbers
Email addresses
API keys in messages

Before
After

{
  "@timestamp": "2024-01-15T10:30:00Z",
  "service.name": "payment-service",
  "event": "payment.processed",
  "card_number": "4111111111111111",
  "amount": 99.99
}

{
  "@timestamp": "2024-01-15T10:30:00Z",
  "service.name": "payment-service",
  "event": "payment.processed",
  "amount": 99.99
}

id: redact-credit-card-payment-service
name: Redact credit card numbers from payment-service
description: Remove card_number field containing credit card data.
log:
  match:
    - resource_attribute: service.name
      exact: payment-service
    - log_attribute: card_number
      regex: "^[0-9]{13,19}$"
  transform:
    remove:
      - log_attribute: card_number

Before
After

{
  "@timestamp": "2024-01-15T10:30:00Z",
  "service.name": "user-service",
  "event": "user.updated",
  "user_id": "usr_abc123",
  "email": "alice@example.com"
}

{
  "@timestamp": "2024-01-15T10:30:00Z",
  "service.name": "user-service",
  "event": "user.updated",
  "user_id": "usr_abc123"
}

id: redact-email-user-service
name: Redact email addresses from user-service
description: Remove email field containing user email addresses.
log:
  match:
    - resource_attribute: service.name
      exact: user-service
    - log_attribute: email
      exists: true
  transform:
    remove:
      - log_attribute: email

Before
After

{
  "@timestamp": "2024-01-15T10:30:00Z",
  "service.name": "integration-service",
  "body": "Request failed with key sk_live_abc123xyz789..."
}

{
  "@timestamp": "2024-01-15T10:30:00Z",
  "service.name": "integration-service",
  "body": "Request failed with key [REDACTED]"
}

id: redact-api-key-integration-service
name: Redact API keys from integration-service logs
description: Redact Stripe API keys found in log messages.
log:
  match:
    - resource_attribute: service.name
      exact: integration-service
    - log_field: body
      regex: "sk_live_[a-zA-Z0-9]+"
  transform:
    redact:
      - log_field: body
        pattern: "sk_live_[a-zA-Z0-9]+"
        replacement: "[REDACTED]"

Recommended enforcement

Enforce at edge

Redact or remove sensitive values before data leaves your network.

Open PRs

Change source instrumentation so sensitive values are not logged.

Use edge enforcement to stop matched values from reaching the provider. Open a PR when the source statement should stop emitting the field. Tero creates one policy per PII pattern, and you approve each on its own.

Detection notes

Tero uses the Master Catalog to understand fields, including what each field represents, what values it contains, and why it exists. Tero uses that context to determine which fields are scanned for PII. Tero scans fields that can carry PII through developer error, including error_message, request_body, user_input, and free-form text fields. It skips fields with fixed formats that are structurally incompatible with PII, such as timestamp, severity, status_code, and pid. Tero detects PII using patterns from gitleaks, an open source project for secret detection.

Personal information

Credit card numbers (Visa, Mastercard, Amex, Discover)
Social Security numbers (US)
National Insurance numbers (UK)
Email addresses
Phone numbers
IP addresses
IBANs

Cloud providers

AWS access keys and secret keys
GCP API keys
Azure AD client secrets
Alibaba access keys
DigitalOcean tokens
Heroku API keys
Cloudflare API keys
Databricks API tokens

Source control & CI/CD

GitHub tokens (PAT, OAuth, App, Fine-grained)
GitLab tokens (PAT, Deploy, Runner, CI/CD job)
Bitbucket client secrets
Travis CI tokens
CircleCI tokens
Drone CI tokens

Communication & collaboration

Slack tokens (bot, user, webhook)
Discord tokens
Telegram bot tokens
Microsoft Teams webhooks
Mattermost tokens
Twilio API keys

Databases & infrastructure

Database connection strings
Planetscale tokens
MongoDB connection strings
Redis connection strings
Elasticsearch credentials

Payment & financial

Stripe API keys
Square access tokens
Plaid API tokens
Coinbase access tokens
GoCardless tokens

AI & ML services

OpenAI API keys
Anthropic API keys
Hugging Face tokens
Cohere API tokens

Observability & monitoring

Datadog access tokens
New Relic API keys
Grafana API keys
Sentry tokens
Dynatrace API tokens

SaaS & productivity

Notion API tokens
Asana client secrets
Linear API keys
Jira API tokens
Shopify access tokens
SendGrid API tokens
Mailchimp API keys

Cryptographic material

Private keys (RSA, DSA, EC, PGP)
JWTs
PKCS12 files
Age secret keys

​Signals

​Example

​Recommended enforcement