Use assert to fail a workflow when generated logs contain supported sensitive values:
jobs:
privacy-logs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: your-org/privacy-proxy@v0
with:
config: privacy-proxy.toml
input: test-logs.jsonlThe action prints aggregate counts only. It does not print matched values.
The examples/observability/ directory contains small before/after fixtures for
common observability shapes. All values are synthetic and safe for
documentation.
Run the Sentry-shaped example:
privacy-proxy --config examples/privacy-proxy.toml redact \
--input examples/observability/sentry.input.jsonl \
--output /tmp/sentry.masked.jsonl
diff -u examples/observability/sentry.masked.jsonl /tmp/sentry.masked.jsonlRun the Loki-shaped example:
privacy-proxy --config examples/privacy-proxy.toml redact \
--input examples/observability/loki.input.jsonl \
--output /tmp/loki.masked.jsonl
diff -u examples/observability/loki.masked.jsonl /tmp/loki.masked.jsonlUse assert to demonstrate the CI failure mode against the intentionally leaky
inputs:
privacy-proxy --config examples/privacy-proxy.toml assert \
--input examples/observability/sentry.input.jsonl
privacy-proxy --config examples/privacy-proxy.toml assert \
--input examples/observability/loki.input.jsonlThose commands should exit non-zero and print aggregate counts only. They should not print matched values.
privacy-proxy redact --input sentry-events.jsonl --output sentry-events.clean.jsonl
privacy-proxy assert --input sentry-events.clean.jsonlCommon sensitive locations:
request.headers.authorizationrequest.headers.cookierequest.urlquery parametersuser.email
privacy-proxy redact --input loki-lines.jsonl --output loki-lines.clean.jsonlLoki often carries sensitive data inside the line string. Keep string detectors enabled.
privacy-proxy redact --input datadog-logs.jsonl --output datadog-logs.clean.jsonlKeep trace_id, span_id, and request identifiers in fields_allow so correlation survives redaction.
privacy-proxy scan --input elastic-export.jsonl
privacy-proxy redact --input elastic-export.jsonl --output elastic-export.clean.jsonlField-name redaction is useful for _source.apiKey, _source.password, and similar application fields.
For JSON or JSONL log export paths, run the HTTP proxy between the producer and collector/exporter:
privacy-proxy --config examples/privacy-proxy.toml serve \
--target http://127.0.0.1:4318 \
--listen 127.0.0.1:8080Then configure the sender to use http://127.0.0.1:8080. The proxy redacts UTF-8 JSON, JSONL/NDJSON and text bodies, decodes gzip request bodies before redaction, replaces sensitive headers before forwarding, enforces max_body_bytes, and exposes aggregate JSON metrics at /metrics plus Prometheus metrics at /metrics/prometheus.
Gzip support is intended for UTF-8 JSON, JSONL/NDJSON and text request bodies. The proxy forwards the redacted body uncompressed and strips Content-Encoding/Content-Length before forwarding. Unsupported content encodings are rejected with 415, and oversized decompressed bodies are rejected with 413.
Deep protocol-aware OTLP protobuf support is still future work. Route JSON/HTTP logs through the proxy first.
curl http://127.0.0.1:8080/metrics
curl http://127.0.0.1:8080/metrics/prometheusMetrics include request counts, rejected payload counts, byte counts and redaction counts by detector type. They never include matched values, header values, request bodies or samples.
Minimal local Prometheus scrape config:
scrape_configs:
- job_name: privacy-proxy
metrics_path: /metrics/prometheus
static_configs:
- targets:
- 127.0.0.1:8080With the proxy listening on 127.0.0.1:8080, Prometheus scrapes:
http://127.0.0.1:8080/metrics/prometheus
Keep the target local unless the proxy metrics endpoint is intentionally exposed through your monitoring network.