Documentation
¶
Overview ¶
Package secrets provides redaction helpers and secret detection heuristics.
Index ¶
Constants ¶
This section is empty.
Variables ¶
var ( // ErrInvalidRedactorConfig indicates an invalid redactor configuration. ErrInvalidRedactorConfig = ewrap.New("invalid redactor config") // ErrInvalidSecretConfig indicates an invalid secret detector configuration. ErrInvalidSecretConfig = ewrap.New("invalid secret detector config") // ErrSecretInputTooLong indicates the input exceeds the configured max length. ErrSecretInputTooLong = ewrap.New("secret input too long") // ErrSecretDetected indicates that a secret was detected in the input. ErrSecretDetected = ewrap.New("secret detected") )
Functions ¶
This section is empty.
Types ¶
type Redactor ¶
type Redactor struct {
// contains filtered or unexported fields
}
Redactor redacts secrets from structured fields.
func NewRedactor ¶
func NewRedactor(opts ...RedactorOption) (*Redactor, error)
NewRedactor constructs a redactor with safe defaults.
func (*Redactor) RedactFields ¶
RedactFields redacts sensitive keys from a map of fields.
func (*Redactor) RedactString ¶
RedactString returns the redaction mask for non-empty input.
type RedactorOption ¶
type RedactorOption func(*redactorOptions) error
RedactorOption configures redaction behavior.
func WithRedactionDetector ¶
func WithRedactionDetector(detector *SecretDetector) RedactorOption
WithRedactionDetector uses a detector to redact secrets inside string values.
func WithRedactionKeys ¶
func WithRedactionKeys(keys ...string) RedactorOption
WithRedactionKeys adds additional sensitive keys to redact.
The provided keys are merged into the existing set of redaction keys, which by default is initialized by NewRedactor with a set of common sensitive field names. Keys are normalized via normalizeRedactionKey (for example, lowercased and trimmed), so matching is case-insensitive and ignores surrounding whitespace. Keys that normalize to an empty string are ignored.
If all provided keys normalize to empty strings and there are no existing redaction keys configured, this option returns ErrInvalidRedactorConfig.
func WithRedactionMask ¶
func WithRedactionMask(mask string) RedactorOption
WithRedactionMask sets the redaction mask.
func WithRedactionMaxDepth ¶
func WithRedactionMaxDepth(depth int) RedactorOption
WithRedactionMaxDepth sets the maximum recursion depth for nested values.
type SecretDetectOption ¶
type SecretDetectOption func(*secretOptions) error
SecretDetectOption configures SecretDetector.
func WithSecretMask ¶
func WithSecretMask(mask string) SecretDetectOption
WithSecretMask sets the redaction mask.
func WithSecretMaxLength ¶
func WithSecretMaxLength(maxLength int) SecretDetectOption
WithSecretMaxLength sets the maximum input length for detection.
func WithSecretPattern ¶
func WithSecretPattern(name, pattern string) SecretDetectOption
WithSecretPattern adds a detection pattern.
func WithSecretPatterns ¶
func WithSecretPatterns(patterns ...SecretPattern) SecretDetectOption
WithSecretPatterns replaces the default detection patterns.
type SecretDetector ¶
type SecretDetector struct {
// contains filtered or unexported fields
}
SecretDetector detects secrets in text and can redact them.
func NewSecretDetector ¶
func NewSecretDetector(opts ...SecretDetectOption) (*SecretDetector, error)
NewSecretDetector constructs a detector with safe defaults.
func (*SecretDetector) Detect ¶
func (d *SecretDetector) Detect(input string) ([]SecretMatch, error)
Detect scans input and returns all matches.
func (*SecretDetector) DetectAny ¶
func (d *SecretDetector) DetectAny(input string) error
DetectAny returns ErrSecretDetected when a secret is found.
func (*SecretDetector) Redact ¶
func (d *SecretDetector) Redact(input string) (string, []SecretMatch, error)
Redact replaces detected secrets with the configured mask.
type SecretMatch ¶
SecretMatch describes a detected secret match.
type SecretPattern ¶
SecretPattern defines a named regex pattern for secret detection.
Source Files