Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update loki.secretfilter docs #1925

Merged
merged 3 commits into from
Oct 21, 2024
Merged

Update loki.secretfilter docs #1925

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
15f9941
Update loki.secretfilter docs
romain-gaillard Oct 18, 2024
9c2f12a
Extra warning
romain-gaillard Oct 18, 2024
28abb6c
Apply suggestions from code review
romain-gaillard Oct 21, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions docs/sources/reference/components/loki/loki.secretfilter.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,8 @@ The detection is based on regular expression patterns, defined in the [Gitleaks

{{< admonition type="caution" >}}
Personally Identifiable Information (PII) or undefined secret types could remain undetected.
This component may generate false positives.
Don't rely solely on this component to redact sensitive information.
{{< /admonition >}}

[gitleaks]: https://github.com/gitleaks/gitleaks/blob/master/config/gitleaks.toml
Expand Down Expand Up @@ -49,6 +51,20 @@ The Gitleaks configuration file embedded in the component is used if you don't p

The `types` argument is a map of secret types to look for. The values are used as prefixes for the secret types in the Gitleaks configuration. If you don't provide this argument, all types are used.

{{< admonition type="note" >}}
Configuring this argument with the secret types you want to look for is strongly recommended.
If you don't, the component will look for all known types, which is resource-intensive.
{{< /admonition >}}

{{< admonition type="caution" >}}
Some secret types in the Gitleaks configuration file rely on regular expression patterns that don't detect the secret itself but rather the context around it.
For example, the `aws-access-token` type detects AWS key IDs, not the keys themselves.
This is because the keys don't have a unique pattern that can easily be detected with a regular expression.
As a result, with this secret type enabled, the component will redact key IDs but not actual secret keys.
This behavior is consistent with the Gitleaks redaction feature but may not be what you expect.
Currently, the secret types known to have this behavior are: `aws-access-token`.
{{< /admonition >}}

The `redact_with` argument is a string that can use variables such as `$SECRET_NAME` (replaced with the matching secret type) and `$SECRET_HASH`(replaced with the sha1 hash of the secret).

The `include_generic` argument is a boolean that includes the generic API key rule in the Gitleaks configuration file if set to `true`. It's disabled by default because it can generate false positives.
Expand Down
Loading