Automatically mask sensitive values (API keys, passwords, tokens) in logs and print output

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for philiprehberger from gravatar.com philiprehberger Avatar for scopeforgedadmin from gravatar.com scopeforgedadmin

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License Expression: MIT
    SPDX License Expression
  • Author: Philip Rehberger
  • Tags logging , mask , redact , secrets , security , sensitive
  • Requires: Python >=3.10
Classifiers
Report project as malware

Project description

philiprehberger-masked-print

Tests PyPI version Last updated

philiprehberger-masked-print

Automatically mask sensitive values (API keys, passwords, tokens) in logs and print output.

Installation

pip install philiprehberger-masked-print

Usage

from philiprehberger_masked_print import mask, mask_dict, MaskedFormatter

# Mask a single string
masked = mask("sk-abc123secret456xyz")
# "sk-a*************xyz"

Mask dictionaries

config = {
    "host": "localhost",
    "password": "super-secret-value",
    "database": {
        "connection_string": "postgres://admin:pass@localhost/db",
    },
}

safe = mask_dict(config)
# {
#     "host": "localhost",
#     "password": "supe***********lue",
#     "database": {
#         "connection_string": "post*****************/db",
#     },
# }

Target nested keys with path globs

mask_dict() accepts dotted path globs to mask specific nested fields without touching the default key heuristics.

config = {
    "database": {
        "primary":   {"host": "db1", "password": "p1"},
        "replica":   {"host": "db2", "password": "p2"},
    },
    "auth": {"public_key": "pk", "token": "tk"},
}

safe = mask_dict(
    config,
    paths=["database.*.password", "auth.token"],
)
# database.primary.password and database.replica.password are masked
# auth.token is masked; auth.public_key is left alone

A * in a path glob matches a single segment. Path matching runs in addition to the default sensitive_keys matching, so both rule sets compose.

Extend defaults at runtime

from philiprehberger_masked_print import register_pattern, register_sensitive_key

# Add a domain-specific secret pattern picked up by MaskedFormatter
register_pattern(r"PINPIN-\d{4,}")

# Add a custom key that mask_dict should treat as sensitive
register_sensitive_key("session_id")

Auto-mask log output

import logging
from philiprehberger_masked_print import MaskedFormatter

handler = logging.StreamHandler()
handler.setFormatter(MaskedFormatter("%(levelname)s: %(message)s"))

logger = logging.getLogger("app")
logger.addHandler(handler)
logger.setLevel(logging.DEBUG)

logger.info("Using key sk-proj-abc123def456ghi789jkl012mno")
# INFO: Using key sk-p*************************mno

API

Function / Class Description
mask(value, *, show_first=4, show_last=3, mask_char="*") Mask a string, keeping the first and last N characters visible
mask_dict(data, *, sensitive_keys=None, paths=None, show_first=4, show_last=3) Recursively mask sensitive key values; paths targets nested keys with dotted globs like "database.*.password"
MaskedFormatter(fmt) Logging formatter that auto-redacts secret patterns (sk-..., eyJ..., AKIA..., URL credentials)
register_pattern(pattern) Register an extra regex pattern for MaskedFormatter to redact
register_sensitive_key(key) Add a key substring to the default sensitive-key set used by mask_dict

Development

pip install -e .
python -m pytest tests/ -v

Support

If you find this project useful:

Star the repo

🐛 Report issues

💡 Suggest features

❤️ Sponsor development

🌐 All Open Source Projects

💻 GitHub Profile

🔗 LinkedIn Profile

License

MIT

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for philiprehberger from gravatar.com philiprehberger Avatar for scopeforgedadmin from gravatar.com scopeforgedadmin

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License Expression: MIT
    SPDX License Expression
  • Author: Philip Rehberger
  • Tags logging , mask , redact , secrets , security , sensitive
  • Requires: Python >=3.10
Classifiers

Release history Release notifications | RSS feed

This version

0.3.0

0.2.0

0.1.7

0.1.6

0.1.5

0.1.4

0.1.3

0.1.2

0.1.1

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

philiprehberger_masked_print-0.3.0.tar.gz (196.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

philiprehberger_masked_print-0.3.0-py3-none-any.whl (6.6 kB view details)

Uploaded Python 3

File details

Details for the file philiprehberger_masked_print-0.3.0.tar.gz.

File metadata

File hashes

Hashes for philiprehberger_masked_print-0.3.0.tar.gz
Algorithm Hash digest
SHA256 f82b412948bd6e431caecf874dde27ec761ac8ceb6ef021e3ebcaf1b65c2877f
MD5 a61a976cf080db48c63494676af84fea
BLAKE2b-256 f2b664d35eb35e827ac766276d1263129affa760d1325ae7b08d88a9f67ffaa5

See more details on using hashes here.

File details

Details for the file philiprehberger_masked_print-0.3.0-py3-none-any.whl.

File metadata

File hashes

Hashes for philiprehberger_masked_print-0.3.0-py3-none-any.whl
Algorithm Hash digest
SHA256 e950e7b94fc6f0f9fc49643726375a1c9fe90f4ca02eb7bfa7daa663edd73a8e
MD5 52c4ece9c8b6426dcdc2be0ef5c26717
BLAKE2b-256 29e86c6f44fc4c1d0528984bd502a4ddf291562abd3d8372d9bc03ef95b56b4c

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page