2.0 KiB
2.0 KiB
name, description
| name | description |
|---|---|
| document-redaction | Workflows for safely redacting sensitive data (IPs, credentials, domains) from IT documents, logs, and plans. |
Document Redaction & Data Sanitization
Trigger
When asked to make a document "public-safe", "redact", or "sanitize" logs, configs, or architectural plans.
Workflow
- Analyze the Source: Read the document to identify classes of sensitive information (Vendor names, server names, internal IPs, domains, names/emails, passwords/keys).
- Scripted Redaction (Python): Write a Python script using the
remodule for robust multi-pass regex replacements. This is far less error-prone than chainedsedcommands for complex files. - Target Categories:
- Entities/People: Map explicit names (e.g.,
John Doe->[Lead Developer]). - Vendors: Map third parties (e.g.,
AWS,Hetzner->[CLOUD-PROVIDER]). - Servers: Map hostnames (e.g.,
app1-bu->[STANDBY-HOST]). - Emails:
re.sub(r'\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,7}\b', '[EMAIL-REDACTED]', text) - IPs:
re.sub(r'\b(?:\d{1,3}\.){3}\d{1,3}\b', '[IP-REDACTED]', text)
- Entities/People: Map explicit names (e.g.,
- Mandatory Verification: You MUST run
grep -iE "original_term1|original_term2|ip_regex"on the generated output file to guarantee zero leakage before delivering the final artifact. Repeat the script generation/running until thegrepcommands return zero hits.
Pitfalls
- Domain/Subdomain overlap: Redacting
example.commight miss or corruptsub.example.com. Map full known URLs to generic placeholders (e.g.,[OPS-PORTAL-DOMAIN]). - Blind spots: Regex won't catch specific executive names or custom server hostnames. Explicitly map known internal names first.
- Over-redaction: Don't redact standard public URLs (like
get.docker.comorgithub.com) that provide technical value and pose no security risk.
Support Files
scripts/redact_template.py- Starter script for Python-based document redaction.