Blog
Articles about log sanitization, DevOps security, and building CLI tools.
Logs Are Documents: Treat Sanitization as Publishing, Not Filtering
A mental model that helps teams ship safer debugging artifacts without turning sanitization into a guessing game.
Common Redaction Mistakes: Over-Redaction, Under-Redaction, and Corrupted Semantics
Failure modes you can spot early, and how to design rules that do not create new problems.
CLI Sanitization vs Centralized Log Pipelines
A decision framework: when a CLI is enough, when pipelines win, and how to combine both.
Versioning Redaction Rules Without Breaking Users
A versioning strategy for sanitization tools that respects stability while still improving coverage.
Regression Testing Redaction Rules with Golden Fixtures
A practical approach to preventing rule drift: fixture suites, contracts, and reviewable diffs.
Design Guarantees: Dry-Run, Exit Codes, and CI-Friendly Behavior
How predictable behavior and boring exit codes make sanitization automatable and trustworthy.
LogShield v0.7.0: Regex Safety Hardening and Bounded Input Behavior
v0.7.0 adds per-line guardrails, bounded failure behavior for pathological input, and adversarial regression coverage without changing normal successful scan output.
Structured JSON Logs: Sanitization Without Breaking Parsers
How to redact secrets in JSON logs while preserving valid JSON, key names, and downstream tooling.
Docker and Kubernetes Logs: Sanitization Patterns That Matter
Common secret shapes in containerized systems and what to redact without breaking readability.
GitHub Issues and Pastebins: Share Logs Safely
A workflow for safe debugging collaboration: sanitize first, then share, with examples and gotchas.
CI Log Retention Is a Liability
Why build logs are a common leak surface and how to sanitize output safely in CI pipelines.
Redact Secrets Without Destroying Debug Value
How to keep structure, labels, and context so your logs remain useful after sanitization.
Sanitize Logs Before Sharing to Support Vendors
A simple playbook you can adopt today to share useful logs while avoiding credential leaks.
LogShield v0.6.0: Modern Token Coverage (GitHub, Slack, npm, PyPI, SendGrid)
v0.6.0 adds the tokens that actually leak in real logs—GitHub PATs, Slack tokens, npm credentials—without changing how the tool behaves.
Deterministic Redaction vs Heuristics: Why Predictability Wins in Incident Response
I tried entropy-based detection once. It found secrets the regex missed—and also flagged half my stack traces. Here's why I went back to boring, predictable rules.
What a Log Sanitizer Must Guarantee
A checklist of guarantees (determinism, reviewability, local-first) that make log redaction safe for real workflows.
Log Sanitization: Threat Model, Leak Paths, and Practical Controls
A pragmatic threat model for log leakage and the minimum controls that reduce risk without killing debugging.
Introducing LogShield v0.4.0
A foundation release focused on licensing clarity and documentation consistency, without changing engine or CLI behavior.
What LogShield Guarantees (and What It Refuses to Do)
A clear statement of scope, contracts, and non-goals behind a deterministic log sanitization tool.
How to Sanitize Logs in GitHub Actions
Step-by-step guide to automatically remove secrets from CI logs before they get stored or shipped.
Why I Built LogShield
The story behind LogShield and why deterministic log sanitization matters for DevOps teams.