Automatic redaction utilities for logging to prevent sensitive data leaks
Project description
🧩 logguard
logguard is a lightweight Python utility that automatically redacts sensitive data from logs protecting tokens, passwords, emails, and other secrets from accidental exposure.
It combines keyword-based filtering and smart heuristic detection for robust, production-grade log sanitization.
🚀 Features
- 🔐 Keyword-based redaction using an extensive list (
sensitive_keys.txt) - 🧠 Heuristic detection for:
- Emails
- Tokens & secrets
- UUIDs
- JWTs
- Credit card numbers
- AWS keys and access tokens
- 🪄
RedactingFormatterfor automatic log sanitization - 🧩
@filterdecorator to patchloggingdynamically - ⚡ Lightweight and dependency-free
⚙️ Installation
pip install logguard
or use directly from your local source:
pip install .
💡 Quick Start
import logging
from logguard import RedactingFormatter, filter
handler = logging.StreamHandler()
handler.setFormatter(RedactingFormatter("%(levelname)s: %(message)s"))
logger = logging.getLogger("demo")
logger.addHandler(handler)
logger.setLevel(logging.INFO)
logger.info("email=user@example.com")
logger.info("User signed in: email=user@example.com, password=secret123, api_key=abcd-1234-efgh, token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9")
logger.info("Payment info: card=4111-1111-1111-1111, uuid=550e8400-e29b-41d4-a716-446655440000, aws=AKIA1234567890ABCDEF")
@filter
def do_work():
logging.info("This contains a secret: client_secret=verysecret")
do_work()
✅ Output:
INFO: email=[REDACTED]
INFO: User signed in: email=[REDACTED], password=[REDACTED], api_key=[REDACTED], token=[REDACTED]
INFO: Payment info: card=[REDACTED], uuid=[REDACTED], aws=[REDACTED]
🧠 How It Works
logguard uses a hybrid redaction model:
-
Keyword matching
Searches for field names likepassword,token,api_key,client_secretfromsensitive_keys.txt.password=12345 → password=[REDACTED] -
Heuristic detection
Even if a field name isn’t known, patterns like long random strings, emails, or UUIDs are automatically redacted.token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 → token=[REDACTED]
This ensures no sensitive value leaks into log files — even when variable names differ.
🧰 Advanced Usage
Custom Sensitive Keys
You can extend the default sensitive_keys.txt file with your own entries:
custom_secret
internal_token
Reload your package or re-import logguard to apply them.
Direct Redaction Function
You can also manually call the sanitizer:
from logguard import redact
text = "email=user@example.com, password=secret123"
print(redact(text))
# → email=[REDACTED], password=[REDACTED]
🧩 Example Patterns (v2)
| Type | Example | Redacted |
|---|---|---|
user@example.com |
[REDACTED] |
|
| Token | abcd1234efgh5678ijkl9012 |
[REDACTED] |
| UUID | 550e8400-e29b-41d4-a716-446655440000 |
[REDACTED] |
| Credit Card | 4111-1111-1111-1111 |
[REDACTED] |
| JWT | eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 |
[REDACTED] |
| AWS Key | AKIA1234567890ABCDEF |
[REDACTED] |
⚠️ Notes
- Avoid excessive redaction in structured logs
- Regex-based redaction may slightly impact performance on large-scale systems
- Future versions will add:
- JSON-aware redaction
- Async logging support
- Developer tagging (
@sensitivedecorator)
🧡 License
MIT License © 2025 — Developed for safe and responsible logging.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file logguard-2.0.0.tar.gz.
File metadata
- Download URL: logguard-2.0.0.tar.gz
- Upload date:
- Size: 5.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
9dc46b27db0df63af16e98c6017b353e57b0775d982c265c9522c23ce8ef6ea1
|
|
| MD5 |
392a7aa25d3677dc50a1191534a70ee6
|
|
| BLAKE2b-256 |
2442a2deb7f2984d1dd9dbc947b4193c0172adf99f4c728e5cb26dd020dff147
|
File details
Details for the file logguard-2.0.0-py3-none-any.whl.
File metadata
- Download URL: logguard-2.0.0-py3-none-any.whl
- Upload date:
- Size: 6.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4bc04c9936fdc8b05d02a733ff85e667ca432a93874f9ae4b6f1be67d4fc83ab
|
|
| MD5 |
1319f3bbfd2a30bc0a09becd41256c26
|
|
| BLAKE2b-256 |
8d9b90b0ef739c57f857237d62804027dfbfbe400354bf83aa3d55394b55d6db
|