
Privacy-aware logging hygiene linter for Python


Privlog


A privacy-aware linter for Python projects, designed to catch accidental leaks of sensitive data in logs and print statements before they reach production.

privlog is built to be a developer's first line of defense, integrating directly into your local workflow and CI/CD pipelines to enforce logging hygiene.

Why Privlog?

Accidentally logging sensitive data is a common source of security and privacy issues in production systems. Tokens, user identifiers, request bodies, and other sensitive values often end up in logs during development and debugging.

Privlog helps detect these risks early by scanning Python code for logging patterns that may expose sensitive data.

Quick Example

Given a file app/auth.py:

import logging

def reauthenticate_user(user_email):
    # ...
    logging.info(f"Initiating re-authentication for {user_email}")
    # ...

Running privlog . will produce the following error:

app/auth.py:5:5 [ERROR]    PL2101 Sensitive identifier passed to log. Hash/pseudonymize or omit.
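One way to act on that PL2101 finding, shown here as an added example that is not part of privlog or its README: replace the raw address with a keyed pseudonym before it enters the log line. The helper names and the idea of a deployment-wide HMAC key are assumptions, not anything privlog prescribes.

```python
import hashlib
import hmac
import logging

def pseudonymize(value: str, key: bytes, length: int = 16) -> str:
    """Keyed, truncated HMAC-SHA256 of a normalised identifier.

    Stable for one key (so one user's events can still be correlated in the logs),
    not reversible without the key, and not linkable to hashes made under another key.
    An unkeyed SHA-256 of an e-mail address is deliberately avoided: it is cheap to
    brute-force from a list of known addresses.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:length]

def reauth_log_message(user_email: str, key: bytes) -> str:
    """Build the log line from the pseudonym only; the raw address never enters it."""
    return f"Initiating re-authentication for user={pseudonymize(user_email, key)}"

def reauthenticate_user(user_email: str, key: bytes) -> None:
    # Same call site as the README example; the f-string no longer interpolates
    # user_email. The key is a deployment secret (load it from your secret store,
    # never hard-code it) and is passed in here only to keep the example explicit.
    logging.info(reauth_log_message(user_email, key))
```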

Features

  • High-Precision AST Analysis: Goes beyond simple regex to parse Python code, understanding variable names inside f-strings, .format() calls, and more.
  • Severity System: Differentiates between definite leaks (ERROR) and suspicious patterns that require manual review (WARNING), preventing false positives from breaking your build.
  • Built-in Heuristics: Flags risky patterns like logging entire dictionaries (extra=...) or json.dumps() output.
  • print() Statement Detection: Catches sensitive data in leftover print() statements, a common source of leaks.
  • CI/CD Friendly: Exits with a non-zero code only on ERROR findings, allowing warnings to be reviewed without blocking development.
  • Configurable & Extensible: Teach privlog about your project's custom logging functions via a simple pyproject.toml configuration.

Installation

It is highly recommended to install privlog within a project's virtual environment to avoid dependency conflicts.

Recommended (Virtual Environment):

# 1. Create and activate a virtual environment in your project directory
python -m venv .venv
source .venv/bin/activate  # On Windows, use: .venv\Scripts\activate

# 2. Install privlog
pip install privlog

Global Installation: While not recommended for most workflows, you can also install it globally:

pip install privlog

Usage

Once installed, you can run privlog against a specific path, or run it by itself to scan the current directory.

Note: privlog automatically ignores common dependency and build directories (like .venv, site-packages, build, etc.) to reduce noise.

Default (Errors Only)

By default, privlog only reports high-confidence ERRORs. If any are found, it will exit with a non-zero code, failing your build.

# Scan a specific directory
privlog /path/to/your/project

# Or, from inside a project, scan the current directory
privlog .

If only warnings are found, the command will pass and provide a helpful message:

✅ privlog passed. No errors found.
  (Warnings were found. Run with -w to show them)

Show Warnings

To see both ERRORs and WARNINGs, use the -w or --warnings flag.

# Scan a specific directory with warnings
privlog -w /path/to/your/project

# Or, from inside a project, scan the current directory with warnings
privlog -w .

This will display all findings, color-coded by severity, but will still only fail the build if ERRORs are present.

Configuring Custom Wrappers

You can teach privlog to recognize your own custom logging functions. In your project's pyproject.toml file, add a [tool.privlog.custom_wrappers] section.

For each custom function, specify its name and which of its keyword arguments should be treated as sensitive, along with the desired severity (ERROR or WARNING).

Example pyproject.toml:

[tool.privlog.custom_wrappers]
# For a function call like: audit(actor_id=user.id, event="login")
audit = { actor_id = "ERROR" }

# For a function call like: log_event("payment_failed", details=evt)
log_event = { details = "WARNING" }

privlog will automatically find and use this configuration when you run it.
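To make the AST-based approach from the Features list and the wrapper configuration above concrete, here is an added illustration written for this page, not privlog's own code: a small ast walk that flags sensitive names interpolated into f-strings passed to logging calls and applies a wrapper table shaped like the pyproject.toml example. The sensitive-name fragments, the set of recognised logger names and the sample source are constructed assumptions.

```python
import ast

# Constructed heuristics (assumptions, not privlog's rules): identifier fragments
# treated as sensitive, and a wrapper table shaped like the pyproject.toml above.
SENSITIVE = ("email", "token", "password", "secret", "ssn")
CUSTOM_WRAPPERS = {"audit": {"actor_id": "ERROR"}, "log_event": {"details": "WARNING"}}
LOG_METHODS = {"debug", "info", "warning", "error", "critical", "exception"}
# Constructed input: the README's app/auth.py followed by the two wrapper calls.
SAMPLE = ('import logging\n\ndef reauthenticate_user(user_email):\n    # ...\n'
          '    logging.info(f"Initiating re-authentication for {user_email}")\n'
          '    audit(actor_id=user.id, event="login")\n'
          '    log_event("payment_failed", details=evt)\n')

def _call_name(call):
    """'logging.info' for attribute calls, 'audit' for bare-name calls, else None."""
    f = call.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return f.id if isinstance(f, ast.Name) else None

def _names_in_fstring(node):
    """Variable and attribute names interpolated into an f-string (ast.JoinedStr)."""
    return [n.id if isinstance(n, ast.Name) else n.attr
            for v in node.values if isinstance(v, ast.FormattedValue)
            for n in ast.walk(v.value) if isinstance(n, (ast.Name, ast.Attribute))]

def scan_source(src, filename="<str>"):
    """Return (file, line, col, severity, message) for each risky call found in src."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call) or _call_name(node) is None:
            continue
        name = _call_name(node)
        mod, _, meth = name.rpartition(".")
        pos = (filename, node.lineno, node.col_offset + 1)  # 1-based column like privlog
        if mod in ("logging", "logger", "log") and meth in LOG_METHODS:
            # Positional f-string args: flag names that look like sensitive identifiers.
            for arg in node.args:
                if isinstance(arg, ast.JoinedStr):
                    for ident in _names_in_fstring(arg):
                        if any(s in ident.lower() for s in SENSITIVE):
                            findings.append((*pos, "ERROR", f"Sensitive identifier {ident!r} passed to log."))
        elif name in CUSTOM_WRAPPERS:
            # Configured wrapper: the keyword's configured severity decides.
            for kw in node.keywords:
                sev = CUSTOM_WRAPPERS[name].get(kw.arg)
                if sev:
                    findings.append((*pos, sev, f"Sensitive keyword {kw.arg!r} passed to {name}()."))
    return findings
```

Running scan_source(SAMPLE, "app/auth.py") yields the README's 5:5 ERROR for user_email, an ERROR for actor_id on line 6 and a WARNING for details on line 7; a CI gate in the spirit of the Usage section would fail only when an ERROR entry is present.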


Status

Privlog is currently in early development (v0.2.1). Feedback and contributions are welcome.


For Developers

To set up a development environment to contribute to privlog:

# 1. Clone the repository and navigate into the directory
git clone https://github.com/privlog-dev/privlog.git
cd privlog

# 2. Create and activate a virtual environment
python -m venv .venv
source .venv/bin/activate

# 3. Install the tool in editable mode with development dependencies
pip install -e .
