Open Source CLI Tool

Your logs often contain secrets. Removes them before you share.

Redact API keys, tokens, and credentials before logs reach CI, GitHub issues, Slack, or third-party support. No AI. No cloud. No config.

$ npm install -g logshield-cli
Documentation View on GitHub
logshield scan
Ready
The Problem

Secrets leak through logs

One accidental console.log() with an API key exposes your infrastructure. Once it's in your logs, it flows everywhere.

Logs flow everywhere

Bug reports, Slack channels, monitoring services, support tickets. Each destination is a potential leak point.

sk_live_4f9e... -> Datadog
AKIA7X3F... -> Slack #bugs
ghp_1234... -> GitHub Issue

Debug pressure

When production is down, devs paste logs without checking for secrets. Speed beats security in the moment.

Hidden exposure

Secrets in logs sit in third-party systems for months. You don't know they're exposed until it's too late.

The Solution

Deterministic sanitization

LogShield uses explicit pattern matching. The same input always produces the same output. You can write tests against it and trust the results.

01

Zero configuration

No flags, config files, or setup required. STDIN to STDOUT automatically. Works the moment you install it.

02

Structure preserved

Format, whitespace, and context stay intact. Only the sensitive values are replaced. Safe for debugging, diff, and audit.

03

Zero false positives

Explicit patterns mean we only redact what matches. No accidental corruption of legitimate data. No broken JSON.

04

CI/CD native

Use --fail-on-detect to break your pipeline if secrets are found. Exit codes are stable and documented.

Explicit behavior

What LogShield is NOT

Tools should be transparent about what they do and don't do.

Not AI or ML-based. Rules are explicit and inspectable.
No cloud processing. Logs never leave your machine.
CLI has no telemetry. No tracking. No data collection.
No mutation of log structure. Output is always diffable.
Designed for

Fits your existing workflow

CI/CD Pipelines

Add to any build step

Log Shipping

Before Datadog, Splunk

Local Debugging

Safe to paste anywhere

Incident Reports

Share logs without risk

Advanced usage

Common patterns

--dry-run Report only

Report detected redactions only. Does not output log content.

cat app.log | logshield scan --dry-run
--strict Security-first

Aggressive detection for logs shared externally. Redacts more patterns.

cat app.log | logshield scan --strict
--fail-on-detect CI gate

Exit with code 1 if secrets found. Blocks pipeline.

logshield scan --dry-run --fail-on-detect < logs.txt
--summary Compact report

Rule-based summary of what was redacted.

cat app.log | logshield scan --summary
Deterministic guarantees

Same input produces same output. No randomness. No environment-dependent behavior. Safe for CI, audits, and reproducible builds.

CLI reference

Flags

--strict
Strict mode

Aggressive, security-first redaction

--dry-run
Dry run

Report detected redactions only

--fail-on-detect
Fail on detect

Exit code 1 if secrets found (CI-safe)

--summary
Summary

Print compact redaction summary

--json
JSON output

Machine-readable output for tooling

--stdin
Force stdin

Explicitly read from stdin

How it works

Pipe in logs. Get safe output.

LogShield reads from stdin, applies explicit rules, and writes sanitized logs to stdout. Structure preserved. Secrets replaced.

-> STDIN is auto-detected when piped.

terminal
1# Install globally
2npm install -g logshield-cli
3
4# Basic usage
5cat app.log | logshield scan > safe.log
6
7# Strict mode
8cat debug.log | logshield scan --strict
9
10# CI gate
11logshield scan --dry-run --fail-on-detect < build.log
12
13# Docker pipeline
14docker logs app | logshield scan | upload-logs

Add LogShield to your workflow

Install and sanitize your first log file. No signup. No config. No cloud.

$ npm install -g logshield-cli
Read Documentation Star on GitHub