Evidence Sanitizer is a local-first Python CLI that creates a sanitized copy of one evidence text file at a time. It detects credentials, tokens, cookies, and other secrets using deterministic rule families and replaces them with stable redaction markers — without ever exposing the detected values in output or reports.

Quickstart

Sanitize your first evidence file in under two minutes

Installation

Install with uv and verify your setup

Sanitize Command

Full reference for all flags and arguments

Sanitization Rules

All 12 rule families and their redaction markers

Why Evidence Sanitizer?

Penetration testers and application security engineers routinely paste HTTP captures, API logs, and trace outputs into reports, tickets, and repositories. These artifacts often contain live credentials — bearer tokens, session cookies, API keys, and signatures — that shouldn’t leave the testing environment. Evidence Sanitizer solves this by applying a fixed set of well-specified rules to a single evidence file and producing a clean copy with redaction markers in place of sensitive values.

1. Install with uv

Clone the repository and sync dependencies with uv.

    git clone https://github.com/facunemi/evidence-sanitizer.git
    cd evidence-sanitizer
    uv sync

2. Run the sanitize command

Point Evidence Sanitizer at your evidence file and specify an output path. The input is never modified.

    uv run evidence-sanitizer sanitize evidence.txt --output evidence.sanitized.txt

3. Review the safe report

The CLI prints only rule IDs and counts — never the detected values themselves.

    Sanitized: evidence.txt -> evidence.sanitized.txt
    Rules triggered:
    authorization.bearer: 1
    cookie.value: 3
    header.secret: 1
    query.secret: 2

4. Preview without writing

Use --dry-run to see which rules would trigger before creating any output file.

    uv run evidence-sanitizer sanitize evidence.txt --output evidence.sanitized.txt --dry-run

Key Properties

Local-first

No network access, no telemetry, no cloud dependencies. Processing stays entirely on your machine.

Deterministic

The same input always produces the same output. Redaction markers are stable and predictable.

Idempotent

Re-running on already-sanitized evidence produces byte-identical output — safe to run multiple times.

Non-destructive

The input file is never modified. Output is always written to a separate, explicitly provided path.

Safe reporting

Reports contain only fixed rule IDs and counts. Detected values, header names, and cookie names are never included.

12 rule families

Covers Authorization, Proxy-Authorization, Cookie, sensitive headers, query parameters, JSON fields, and form bodies.

Evidence Sanitizer is best-effort within its documented rules. It is not a complete DLP system and does not guarantee removal of every secret. Always review sanitized output before sharing.
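
Added example, not part of the Evidence Sanitizer project: a Python check of the non-destructive, deterministic and idempotent properties listed under Key Properties, using only the `sanitize ... --output` invocation from the quickstart. It assumes the script is run from the cloned repository so that `uv run` resolves the CLI; `run_cli`, `check_properties` and the temporary file names are made up for this example.

```python
import hashlib
import subprocess
import sys
import tempfile
from pathlib import Path


def run_cli(src: Path, dst: Path) -> None:
    # Invocation taken from the quickstart; the rule-count report is discarded.
    subprocess.run(
        ["uv", "run", "evidence-sanitizer", "sanitize", str(src), "--output", str(dst)],
        check=True,
        stdout=subprocess.DEVNULL,
    )


def digest(path: Path) -> str:
    # Compare hashes only, so evidence contents never reach the terminal.
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_properties(evidence: Path, sanitize=run_cli) -> dict:
    """Return one pass/fail flag per property for a single evidence file."""
    before = digest(evidence)
    with tempfile.TemporaryDirectory() as tmp:
        first, again, second = (Path(tmp) / n for n in ("a.txt", "b.txt", "c.txt"))
        sanitize(evidence, first)   # normal run
        sanitize(evidence, again)   # same input, second run
        sanitize(first, second)     # sanitized output fed back in
        return {
            "non_destructive": digest(evidence) == before,
            "deterministic": digest(first) == digest(again),
            "idempotent": digest(first) == digest(second),
        }


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_properties.py EVIDENCE_FILE")
    results = check_properties(Path(sys.argv[1]))
    for name, ok in results.items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
    sys.exit(0 if all(results.values()) else 1)
```

A failed check means the tool did not behave as documented on that file. A pass says nothing about whether every secret was caught, so the manual review of the sanitized output still applies.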
