HIPAA PHI scanner for CI/CD pipelines
Project description
๐บ๐ธ English | ๐ฐ๐ท ํ๊ตญ์ด
PHI Guard
HIPAA PHI scanner for CI/CD pipelines โ like gitleaks, but for healthcare data.
The Problem
Developers working on healthcare applications accidentally commit Protected Health Information (PHI) into code repositories:
# test_patient.py
def test_create_patient():
patient = Patient(
name="John Doe",
ssn="123-45-6789", # Real SSN in test fixture
mrn="MRN-00012345", # Real Medical Record Number
email="patient@email.com"
)
This is a HIPAA violation. Fines range from $50,000 to $1,500,000 per incident.
GitHub's Secret Scanning catches API keys and passwords โ but it has zero support for HIPAA's 18 PHI identifiers. PHI Guard fills that gap.
What PHI Guard Does
PHI Guard scans your codebase for 17 of 18 types of Protected Health Information defined by HIPAA:
| # | PHI Type | Status |
|---|---|---|
| 1 | Names | Excluded* |
| 2 | Geographic data (ZIP codes) | Supported |
| 3 | Dates (birth, admission, etc.) | Supported |
| 4 | Phone numbers | Supported |
| 5 | Fax numbers | Supported |
| 6 | Email addresses | Supported |
| 7 | Social Security Numbers | Supported |
| 8 | Medical Record Numbers | Supported |
| 9 | Health plan beneficiary numbers | Supported |
| 10 | Account numbers | Supported |
| 11 | Certificate/license numbers | Supported |
| 12 | Vehicle identifiers (VIN) | Supported |
| 13 | Device identifiers | Supported |
| 14 | URLs | Supported |
| 15 | IP addresses | Supported |
| 16 | Biometric identifiers | N/A |
| 17 | Full-face photographs | N/A |
| 18 | Ages over 89 | Supported |
*Names excluded to avoid false positives. See PROJECT_GUIDE.md for details.
Use Cases
Pre-commit Hook (Fast Mode)
Block PHI before it reaches the repository. Regex-only scanning completes in under 3 seconds.
# .pre-commit-config.yaml
repos:
- repo: https://github.com/eddykim/phi-guard
rev: v0.1.0
hooks:
- id: phi-guard
CI/CD Pipeline (Full Mode)
Scan every pull request with NLP-powered detection. Catches names, locations, and other unstructured PHI that regex can't detect.
# .github/workflows/phi-guard.yml
- uses: eddykim/phi-guard-action@v1
with:
mode: full
Installation
pip install phi-guard
# Download the spaCy language model (required)
python -m spacy download en_core_web_sm
Usage
# Scan current directory
phi-guard scan ./
# Scan specific file
phi-guard scan ./tests/fixtures/sample.py
# Custom confidence threshold (0.0-1.0)
phi-guard scan ./ --threshold 0.7
# Exclude patterns (gitignore style)
phi-guard scan ./ --exclude "tests/*" --exclude "*.md"
# Output as JSON (for CI/CD parsing)
phi-guard scan ./ --format json
# Output as SARIF (for GitHub Security tab)
phi-guard scan ./ --format sarif
How It Works
PHI Guard uses Microsoft Presidio for PII detection, enhanced with:
- Custom recognizers for healthcare-specific patterns (MRN, insurance IDs)
- Stricter SSN detection โ Presidio's default has a bug that filters out valid SSNs
- Dual-mode architecture โ fast regex for pre-commit, full NLP for CI/CD
- SARIF output โ integrates with GitHub Security tab
Architecture
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ PHI Guard โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ CLI (Typer + Rich) โ
โ โโโ phi-guard scan <path> โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Engine โ
โ โโโ scan_text() / scan_file() / scan_dir() โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Recognizers (17 PHI types) โ
โ โโโ SSN, MRN, Phone, Email, Fax โ
โ โโโ VIN, Driver's License, DEA, NPI โ
โ โโโ Medicare/Medicaid, Account, Device โ
โ โโโ ZIP Code, URL, IP, Age over 89, Dates โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Presidio AnalyzerEngine โ
โ โโโ RecognizerRegistry โ
โ โโโ SpacyNlpEngine (en_core_web_sm) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Why Not Just Use Presidio Directly?
You could! But PHI Guard provides:
- Healthcare focus โ Only HIPAA PHI, not generic PII
- CI/CD integration โ Pre-commit hooks, GitHub Actions, SARIF output
- Fixes Presidio bugs โ Default SSN recognizer has score 0.05 (too low to detect)
- Incremental scanning โ Only scan changed files in PRs
Development
# Clone and setup
git clone https://github.com/eddykim/phi-guard.git
cd phi-guard
poetry install
# Download spaCy model
poetry run python -m spacy download en_core_web_sm
# Run tests
poetry run pytest
# Run the CLI
poetry run phi-guard scan ./
License
Apache 2.0
Contributing
Contributions welcome! See CONTRIBUTING.md for guidelines.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file phi_guard-0.2.0.tar.gz.
File metadata
- Download URL: phi_guard-0.2.0.tar.gz
- Upload date:
- Size: 18.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/2.3.2 CPython/3.11.9 Darwin/25.2.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
bc949b08378fc800e620d43a5e81d4cfe484c522033f785b6ad072d9c6e0b7f5
|
|
| MD5 |
898ec63fe6e712d631a90e98648d0405
|
|
| BLAKE2b-256 |
4218a911746ff8c1d12cb8d447e54d7ca6a3ba80f40c4a52159325a6149a1ce0
|
File details
Details for the file phi_guard-0.2.0-py3-none-any.whl.
File metadata
- Download URL: phi_guard-0.2.0-py3-none-any.whl
- Upload date:
- Size: 24.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/2.3.2 CPython/3.11.9 Darwin/25.2.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
21d59c3b59ef1497c342f3838bc278f9b7840644a748d4b1b199020236db2b31
|
|
| MD5 |
ee7b7f6cc70d8e8bd501c8bfe5d8a913
|
|
| BLAKE2b-256 |
6f23f289a829770153cdb4a6cc6dd8dced2afd322c08b20bd51b40a1527df852
|