Skip to main content

HIPAA PHI scanner for CI/CD pipelines

Project description

๐Ÿ‡บ๐Ÿ‡ธ English | ๐Ÿ‡ฐ๐Ÿ‡ท ํ•œ๊ตญ์–ด

PHI Guard

HIPAA PHI scanner for CI/CD pipelines โ€” like gitleaks, but for healthcare data.

PyPI Python License

The Problem

Developers working on healthcare applications accidentally commit Protected Health Information (PHI) into code repositories:

# test_patient.py
def test_create_patient():
    patient = Patient(
        name="John Doe",
        ssn="123-45-6789",           # Real SSN in test fixture
        mrn="MRN-00012345",          # Real Medical Record Number
        email="patient@email.com"
    )

This is a HIPAA violation. Fines range from $50,000 to $1,500,000 per incident.

GitHub's Secret Scanning catches API keys and passwords โ€” but it has zero support for HIPAA's 18 PHI identifiers. PHI Guard fills that gap.

What PHI Guard Does

PHI Guard scans your codebase for 17 of 18 types of Protected Health Information defined by HIPAA:

# PHI Type Status
1 Names Excluded*
2 Geographic data (ZIP codes) Supported
3 Dates (birth, admission, etc.) Supported
4 Phone numbers Supported
5 Fax numbers Supported
6 Email addresses Supported
7 Social Security Numbers Supported
8 Medical Record Numbers Supported
9 Health plan beneficiary numbers Supported
10 Account numbers Supported
11 Certificate/license numbers Supported
12 Vehicle identifiers (VIN) Supported
13 Device identifiers Supported
14 URLs Supported
15 IP addresses Supported
16 Biometric identifiers N/A
17 Full-face photographs N/A
18 Ages over 89 Supported

*Names excluded to avoid false positives. See PROJECT_GUIDE.md for details.

Use Cases

Pre-commit Hook (Fast Mode)

Block PHI before it reaches the repository. Regex-only scanning completes in under 3 seconds.

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/eddykim/phi-guard
    rev: v0.1.0
    hooks:
      - id: phi-guard

CI/CD Pipeline (Full Mode)

Scan every pull request with NLP-powered detection. Catches names, locations, and other unstructured PHI that regex can't detect.

# .github/workflows/phi-guard.yml
- uses: eddykim/phi-guard-action@v1
  with:
    mode: full

Installation

pip install phi-guard

# Download the spaCy language model (required)
python -m spacy download en_core_web_sm

Usage

# Scan current directory
phi-guard scan ./

# Scan specific file
phi-guard scan ./tests/fixtures/sample.py

# Custom confidence threshold (0.0-1.0)
phi-guard scan ./ --threshold 0.7

# Exclude patterns (gitignore style)
phi-guard scan ./ --exclude "tests/*" --exclude "*.md"

# Output as JSON (for CI/CD parsing)
phi-guard scan ./ --format json

# Output as SARIF (for GitHub Security tab)
phi-guard scan ./ --format sarif

How It Works

PHI Guard uses Microsoft Presidio for PII detection, enhanced with:

  • Custom recognizers for healthcare-specific patterns (MRN, insurance IDs)
  • Stricter SSN detection โ€” Presidio's default has a bug that filters out valid SSNs
  • Dual-mode architecture โ€” fast regex for pre-commit, full NLP for CI/CD
  • SARIF output โ€” integrates with GitHub Security tab

Architecture

โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚                   PHI Guard                      โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚  CLI (Typer + Rich)                             โ”‚
โ”‚    โ””โ”€โ”€ phi-guard scan <path>                    โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚  Engine                                          โ”‚
โ”‚    โ””โ”€โ”€ scan_text() / scan_file() / scan_dir()   โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚  Recognizers (17 PHI types)                      โ”‚
โ”‚    โ”œโ”€โ”€ SSN, MRN, Phone, Email, Fax              โ”‚
โ”‚    โ”œโ”€โ”€ VIN, Driver's License, DEA, NPI          โ”‚
โ”‚    โ”œโ”€โ”€ Medicare/Medicaid, Account, Device       โ”‚
โ”‚    โ””โ”€โ”€ ZIP Code, URL, IP, Age over 89, Dates    โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚  Presidio AnalyzerEngine                         โ”‚
โ”‚    โ”œโ”€โ”€ RecognizerRegistry                       โ”‚
โ”‚    โ””โ”€โ”€ SpacyNlpEngine (en_core_web_sm)          โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜

Why Not Just Use Presidio Directly?

You could! But PHI Guard provides:

  1. Healthcare focus โ€” Only HIPAA PHI, not generic PII
  2. CI/CD integration โ€” Pre-commit hooks, GitHub Actions, SARIF output
  3. Fixes Presidio bugs โ€” Default SSN recognizer has score 0.05 (too low to detect)
  4. Incremental scanning โ€” Only scan changed files in PRs

Development

# Clone and setup
git clone https://github.com/eddykim/phi-guard.git
cd phi-guard
poetry install

# Download spaCy model
poetry run python -m spacy download en_core_web_sm

# Run tests
poetry run pytest

# Run the CLI
poetry run phi-guard scan ./

License

Apache 2.0

Contributing

Contributions welcome! See CONTRIBUTING.md for guidelines.


Built with Microsoft Presidio and spaCy.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

phi_guard-0.2.0.tar.gz (18.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

phi_guard-0.2.0-py3-none-any.whl (24.1 kB view details)

Uploaded Python 3

File details

Details for the file phi_guard-0.2.0.tar.gz.

File metadata

  • Download URL: phi_guard-0.2.0.tar.gz
  • Upload date:
  • Size: 18.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/2.3.2 CPython/3.11.9 Darwin/25.2.0

File hashes

Hashes for phi_guard-0.2.0.tar.gz
Algorithm Hash digest
SHA256 bc949b08378fc800e620d43a5e81d4cfe484c522033f785b6ad072d9c6e0b7f5
MD5 898ec63fe6e712d631a90e98648d0405
BLAKE2b-256 4218a911746ff8c1d12cb8d447e54d7ca6a3ba80f40c4a52159325a6149a1ce0

See more details on using hashes here.

File details

Details for the file phi_guard-0.2.0-py3-none-any.whl.

File metadata

  • Download URL: phi_guard-0.2.0-py3-none-any.whl
  • Upload date:
  • Size: 24.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/2.3.2 CPython/3.11.9 Darwin/25.2.0

File hashes

Hashes for phi_guard-0.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 21d59c3b59ef1497c342f3838bc278f9b7840644a748d4b1b199020236db2b31
MD5 ee7b7f6cc70d8e8bd501c8bfe5d8a913
BLAKE2b-256 6f23f289a829770153cdb4a6cc6dd8dced2afd322c08b20bd51b40a1527df852

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page