Skip to content

Commit

Permalink
Update loki.secretfilter docs (#1925)
Browse files Browse the repository at this point in the history
Co-authored-by: Clayton Cornell <[email protected]>
  • Loading branch information
romain-gaillard and clayton-cornell authored Oct 21, 2024
1 parent 2b32ae3 commit cd2dce0
Showing 1 changed file with 16 additions and 0 deletions.
16 changes: 16 additions & 0 deletions docs/sources/reference/components/loki/loki.secretfilter.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,8 @@ The detection is based on regular expression patterns, defined in the [Gitleaks

{{< admonition type="caution" >}}
Personally Identifiable Information (PII) or undefined secret types could remain undetected.
This component may generate false positives.
Don't rely solely on this component to redact sensitive information.
{{< /admonition >}}

[gitleaks]: https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml
Expand Down Expand Up @@ -49,6 +51,20 @@ The Gitleaks configuration file embedded in the component is used if you don't p

The `types` argument is a map of secret types to look for. The values are used as prefixes for the secret types in the Gitleaks configuration. If you don't provide this argument, all types are used.

{{< admonition type="note" >}}
Configuring this argument with the secret types you want to look for is strongly recommended.
If you don't, the component will look for all known types, which is resource-intensive.
{{< /admonition >}}

{{< admonition type="caution" >}}
Some secret types in the Gitleaks configuration file rely on regular expression patterns that don't detect the secret itself but rather the context around it.
For example, the `aws-access-token` type detects AWS key IDs, not the keys themselves.
This is because the keys don't have a unique pattern that can easily be detected with a regular expression.
As a result, with this secret type enabled, the component will redact key IDs but not actual secret keys.
This behavior is consistent with the Gitleaks redaction feature but may not be what you expect.
Currently, the secret types known to have this behavior are: `aws-access-token`.
{{< /admonition >}}

The `redact_with` argument is a string that can use variables such as `$SECRET_NAME` (replaced with the matching secret type) and `$SECRET_HASH`(replaced with the sha1 hash of the secret).

The `include_generic` argument is a boolean that includes the generic API key rule in the Gitleaks configuration file if set to `true`. It's disabled by default because it can generate false positives.
Expand Down

0 comments on commit cd2dce0

Please sign in to comment.