diff --git a/docs/sources/reference/components/loki/loki.secretfilter.md b/docs/sources/reference/components/loki/loki.secretfilter.md index a4767a1e71..40cb1fced0 100644 --- a/docs/sources/reference/components/loki/loki.secretfilter.md +++ b/docs/sources/reference/components/loki/loki.secretfilter.md @@ -18,6 +18,8 @@ The detection is based on regular expression patterns, defined in the [Gitleaks {{< admonition type="caution" >}} Personally Identifiable Information (PII) or undefined secret types could remain undetected. +This component may generate false positives. +Don't rely solely on this component to redact sensitive information. {{< /admonition >}} [gitleaks]: https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml @@ -49,6 +51,20 @@ The Gitleaks configuration file embedded in the component is used if you don't p The `types` argument is a map of secret types to look for. The values are used as prefixes for the secret types in the Gitleaks configuration. If you don't provide this argument, all types are used. +{{< admonition type="note" >}} +Configuring this argument with the secret types you want to look for is strongly recommended. +If you don't, the component will look for all known types, which is resource-intensive. +{{< /admonition >}} + +{{< admonition type="caution" >}} +Some secret types in the Gitleaks configuration file rely on regular expression patterns that don't detect the secret itself but rather the context around it. +For example, the `aws-access-token` type detects AWS key IDs, not the keys themselves. +This is because the keys don't have a unique pattern that can easily be detected with a regular expression. +As a result, with this secret type enabled, the component will redact key IDs but not actual secret keys. +This behavior is consistent with the Gitleaks redaction feature but may not be what you expect. +Currently, the secret types known to have this behavior are: `aws-access-token`. +{{< /admonition >}} + The `redact_with` argument is a string that can use variables such as `$SECRET_NAME` (replaced with the matching secret type) and `$SECRET_HASH`(replaced with the sha1 hash of the secret). The `include_generic` argument is a boolean that includes the generic API key rule in the Gitleaks configuration file if set to `true`. It's disabled by default because it can generate false positives.