From 28abb6c5e34e70eeafff77fd20706fcd3b0df67b Mon Sep 17 00:00:00 2001 From: Romain Gaillard Date: Mon, 21 Oct 2024 18:18:21 +0200 Subject: [PATCH] Apply suggestions from code review Co-authored-by: Clayton Cornell <131809008+clayton-cornell@users.noreply.github.com> --- .../components/loki/loki.secretfilter.md | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/docs/sources/reference/components/loki/loki.secretfilter.md b/docs/sources/reference/components/loki/loki.secretfilter.md index a8ccad1ccf..40cb1fced0 100644 --- a/docs/sources/reference/components/loki/loki.secretfilter.md +++ b/docs/sources/reference/components/loki/loki.secretfilter.md @@ -17,7 +17,9 @@ The detection is based on regular expression patterns, defined in the [Gitleaks `loki.secretfilter` can also use a custom configuration file based on the Gitleaks configuration file structure. {{< admonition type="caution" >}} -Personally Identifiable Information (PII) or undefined secret types could remain undetected. Additionally, the component may generate false positives. Don't rely solely on this component to redact sensitive information. +Personally Identifiable Information (PII) or undefined secret types could remain undetected. +This component may generate false positives. +Don't rely solely on this component to redact sensitive information. {{< /admonition >}} [gitleaks]: https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml @@ -50,12 +52,17 @@ The Gitleaks configuration file embedded in the component is used if you don't p The `types` argument is a map of secret types to look for. The values are used as prefixes for the secret types in the Gitleaks configuration. If you don't provide this argument, all types are used. {{< admonition type="note" >}} -It is strongly recommended to configure this argument with the secret types you want to look for. If you don't, the component will look for all known types, which is resource-intensive. +Configuring this argument with the secret types you want to look for is strongly recommended. +If you don't, the component will look for all known types, which is resource-intensive. {{< /admonition >}} {{< admonition type="caution" >}} -Some secret types in the Gitleaks configuration file rely on regex patterns that don't detect the secret itself but rather the context around it. For example, the `aws-access-token` type detects AWS key IDs, not the keys themselves. The reason for this is that the keys don't have a unique pattern that can easily be detected with a regex. As a result, with this secret type enabled, the component will redact key IDs but not actual secret keys. This behavior is consistent with Gitleaks' redaction feature but may not be what you expect. -Currently, the secret types that are known to have this behavior are: `aws-access-token`. +Some secret types in the Gitleaks configuration file rely on regular expression patterns that don't detect the secret itself but rather the context around it. +For example, the `aws-access-token` type detects AWS key IDs, not the keys themselves. +This is because the keys don't have a unique pattern that can easily be detected with a regular expression. +As a result, with this secret type enabled, the component will redact key IDs but not actual secret keys. +This behavior is consistent with the Gitleaks redaction feature but may not be what you expect. +Currently, the secret types known to have this behavior are: `aws-access-token`. {{< /admonition >}} The `redact_with` argument is a string that can use variables such as `$SECRET_NAME` (replaced with the matching secret type) and `$SECRET_HASH`(replaced with the sha1 hash of the secret).