Evidence Sanitizer is a local-first Python CLI that creates a sanitized copy of one evidence text file at a time. It detects credentials, tokens, cookies, and other secrets using deterministic rule families and replaces them with stable redaction markers — without ever exposing the detected values in output or reports.
- Quickstart: Sanitize your first evidence file in under two minutes
- Installation: Install with uv and verify your setup
- Sanitize Command: Full reference for all flags and arguments
- Sanitization Rules: All 12 rule families and their redaction markers
Why Evidence Sanitizer?
Penetration testers and application security engineers routinely paste HTTP captures, API logs, and trace outputs into reports, tickets, and repositories. These artifacts often contain live credentials — bearer tokens, session cookies, API keys, and signatures — that shouldn’t leave the testing environment. Evidence Sanitizer solves this by applying a fixed set of well-specified rules to a single evidence file and producing a clean copy with redaction markers in place of sensitive values.

1. Install with uv: clone the repository and sync dependencies with uv.
2. Run the sanitize command: point Evidence Sanitizer at your evidence file and specify an output path. The input is never modified.
3. Review the safe report: the CLI prints only rule IDs and counts — never the detected values themselves.
Key Properties
- Local-first: no network access, no telemetry, no cloud dependencies. Processing stays entirely on your machine.
- Deterministic: the same input always produces the same output. Redaction markers are stable and predictable.
- Idempotent: re-running on already-sanitized evidence produces byte-identical output — safe to run multiple times.
- Non-destructive: the input file is never modified. Output is always written to a separate, explicitly provided path.
- Safe reporting: reports contain only fixed rule IDs and counts. Detected values, header names, and cookie names are never included.
- 12 rule families: covers Authorization, Proxy-Authorization, Cookie, sensitive headers, query parameters, JSON fields, and form bodies.
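The properties listed above and the safe report described in the quickstart steps (fixed rule order, stable markers, byte-identical re-runs, a report that carries only rule IDs and counts) are easier to see in code than in prose. The following is an added illustrative example written for this page, not Evidence Sanitizer's own implementation: the rule IDs, the header names and key lists inside each pattern, the `[REDACTED:<rule_id>]` marker format and the function names are all assumptions, and the evidence capture is constructed with fake values. It covers a small subset of the seven families the page names.

```python
"""Minimal deterministic, idempotent redactor with a safe report.

Added example for this page, not Evidence Sanitizer's code. Rule IDs, header
names, key lists and the marker format are assumptions made for the demo.
"""
import re
import sys

MARKER = "[REDACTED:{}]"

# Shared guard: a value that already is a marker is never matched again.
# This is what makes a second run byte-identical and report no hits.
NOT_MARKER = r"(?!\[REDACTED:)"
# Rest of a header line; stops before CR/LF so line endings are preserved.
HEADER_VALUE = r"(?P<v>\S[^\r\n]*)"

# rule_id -> pattern. Each pattern captures exactly the value to redact in
# group 'v'. Dict order is the fixed, deterministic order of application.
RULES = {
    "authorization": re.compile(r"(?im)^Authorization:[ \t]*" + NOT_MARKER + HEADER_VALUE),
    "proxy_authorization": re.compile(r"(?im)^Proxy-Authorization:[ \t]*" + NOT_MARKER + HEADER_VALUE),
    "cookie": re.compile(r"(?im)^Cookie:[ \t]*" + NOT_MARKER + HEADER_VALUE),
    # Assumed list of sensitive custom headers.
    "sensitive_header": re.compile(r"(?im)^(?:X-Api-Key|X-Auth-Token):[ \t]*" + NOT_MARKER + HEADER_VALUE),
    # Assumed key lists for query strings, JSON fields and form bodies.
    "query_param": re.compile(r"(?i)[?&](?:access_token|api_key|sig|signature)=" + NOT_MARKER + r"(?P<v>[^&\s]+)"),
    "json_field": re.compile(r'(?i)"(?:password|token|access_token|client_secret|api_key)"\s*:\s*"' + NOT_MARKER + r'(?P<v>[^"]+)"'),
    "form_field": re.compile(r"(?im)(?:^|&)(?:password|client_secret|refresh_token)=" + NOT_MARKER + r"(?P<v>[^&\s]+)"),
}


def _apply(rule_id, pattern, text):
    """Replace only group 'v' of each match with the rule's marker; return (text, hits)."""
    hits = 0
    marker = MARKER.format(rule_id)

    def repl(m):
        nonlocal hits
        hits += 1
        whole = m.group(0)
        start, end = m.span("v")
        # Keep the match's prefix and suffix (header name, key=, quotes); swap only the value.
        return whole[: start - m.start()] + marker + whole[end - m.start():]

    return pattern.sub(repl, text), hits


def sanitize(text):
    """Apply every rule in fixed order. Returns (sanitized_text, {rule_id: hits}).

    Same input gives the same output; sanitize(sanitized) == (sanitized, {}).
    """
    report = {}
    for rule_id, pattern in RULES.items():
        text, hits = _apply(rule_id, pattern, text)
        if hits:
            report[rule_id] = hits
    return text, report


def format_report(report):
    """Safe report: rule IDs and counts only. No captured value is ever included."""
    if not report:
        return "no matches"
    return "\n".join(f"{rule_id}: {count}" for rule_id, count in report.items())


def sanitize_file(in_path, out_path):
    """Non-destructive: read the evidence and write the copy to a separate path."""
    with open(in_path, encoding="utf-8", newline="") as f:
        text = f.read()
    sanitized, report = sanitize(text)
    with open(out_path, "w", encoding="utf-8", newline="") as f:
        f.write(sanitized)
    return report


# Constructed evidence capture with fake credentials (CRLF endings on purpose).
SAMPLE = (
    "POST /oauth/token?api_key=key-constructed-0001&verbose=1 HTTP/1.1\r\n"
    "Host: api.example.test\r\n"
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.constructed\r\n"
    "Proxy-Authorization: Basic dXNlcjpwYXNz\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "X-Api-Key: 0123456789abcdef\r\n"
    "\r\n"
    "grant_type=client_credentials&client_secret=s3cr3t-constructed\r\n"
    '{"access_token": "tok_constructed_value", "expires_in": 3600}\r\n'
)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(format_report(sanitize_file(sys.argv[1], sys.argv[2])))
    else:
        sanitized, rep = sanitize(SAMPLE)
        print(format_report(rep))  # only rule IDs and counts reach stdout
        assert sanitize(sanitized) == (sanitized, {})  # idempotency check
```

Two details carry the guarantees. The shared `(?!\[REDACTED:)` guard stops every rule from matching a marker a previous run produced, so a second pass changes nothing and reports no hits; and the report is built from counters only, so no captured group can leak into it even if a rule matches something it should not.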
Evidence Sanitizer is best-effort within its documented rules. It is not a complete DLP system and does not guarantee removal of every secret. Always review sanitized output before sharing.