The --dry-run flag lets you run the full sanitization pipeline — validation, file reading, UTF-8 decoding, and sensitive-value detection — without writing any output file or creating any temporary files on disk. The terminal report is identical to a normal run, showing exactly which rule IDs would have triggered and how many times, so you can understand the scope of redaction before producing a sanitized copy.

Command

    uv run evidence-sanitizer sanitize evidence.txt --output evidence.sanitized.txt --dry-run

Run with --dry-run first to understand what will be redacted before sharing the output file. This gives you a chance to confirm that the right rule families are triggering and that the evidence scope matches your expectations — with no output file created until you are ready.

Output Format

When rules trigger, dry-run output begins with "Dry run: no output written", followed by the same sorted rule-count report as a normal run:

    Dry run: no output written
    Rules triggered:
    authorization.bearer: 1
    cookie.value: 2
    form.value: 1
    header.secret: 1

When No Rules Trigger

If the input contains no values matching any rule, the report still confirms no output was written:

    Dry run: no output written
    Rules triggered: none

What Dry Run Does and Does Not Do

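| Step | Normal run | Dry run |
|---|---|---|
| Validate input and output paths | Yes | Yes |
| Read and decode the input file | Yes | Yes |
| Run all sanitization rules | Yes | Yes |
| Print rule-count report to stdout | Yes | Yes |
| Write the sanitized output file | Yes | No |
| Create any temporary files | | No |
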
Dry run still validates the input file fully before doing anything else. It will fail on the same errors as a normal run: an unreadable or missing input file, a non-UTF-8 encoding, an input larger than 10 MiB, NUL bytes in the input, or any output path safety violation. This means a successful dry run also confirms that the input is valid and the output path is safe to use.

The --output Flag Is Required for Dry Run

Even when using --dry-run, you must still supply --output. The output path is validated as part of the safety checks — the command verifies that the path does not already exist, that its parent directory is present, and that it does not resolve to the same file as the input — before any reading or detection takes place.

    # This will error — --output is required even with --dry-run
    uv run evidence-sanitizer sanitize evidence.txt --dry-run

    # Correct form
    uv run evidence-sanitizer sanitize evidence.txt --output evidence.sanitized.txt --dry-run

Use Cases

Previewing before committing sanitized files: Run --dry-run on evidence before adding the sanitized copy to a report or ticket. Confirm that authorization.bearer, cookie.value, and other expected rules triggered the right number of times, then re-run without the flag to produce the actual output.

CI pipeline checks: Use dry-run in a CI job to verify that evidence files in a repository trigger at least the expected rule families — without the job writing any files to the workspace. Check the exit code (0 for success, non-zero for any validation or I/O error) to gate the pipeline.

Auditing evidence scope: When an evidence file is handed off between team members, a dry-run pass confirms which credential categories are present before the file is shared further, without producing a new artifact that itself needs to be tracked.
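
The CI check described above, as an added example that is not part of the evidence-sanitizer project: a POSIX shell gate that runs the dry run and fails when an expected rule ID is missing from the report. The function names, the scratch output name and the return codes 1 and 2 are assumptions; the report format and rule IDs are the ones shown on this page.

```shell
#!/bin/sh
# Added example, not evidence-sanitizer code. Function names are hypothetical.

# missing_rules REPORT RULE_ID...
# Prints every expected rule ID that the dry-run report does not list with a
# count of at least 1. Returns 0 if none are missing, 1 if some are, and 2 if
# REPORT does not start with the dry-run banner.
missing_rules() {
    report=$1; shift
    case $report in
        "Dry run: no output written"*) ;;
        *) echo "not a dry-run report" >&2; return 2 ;;
    esac
    rc=0
    for rule in "$@"; do
        # Exact match on the rule ID; tolerate leading indentation.
        count=$(printf '%s\n' "$report" |
            awk -v r="$rule" -F': ' '{ sub(/^[ \t]+/, "") } $1 == r { print $2; exit }')
        case $count in
            ''|0|*[!0-9]*) echo "$rule"; rc=1 ;;
        esac
    done
    return "$rc"
}

# gate_evidence FILE RULE_ID...
# Runs the dry run in the command form shown on this page, then checks the report.
gate_evidence() {
    file=$1; shift
    # --output is mandatory and must not exist yet; this scratch name is an
    # assumption. Dry run never creates it.
    out="$file.dryrun-check"
    report=$(uv run evidence-sanitizer sanitize "$file" --output "$out" --dry-run) || {
        echo "dry run failed validation or I/O for $file" >&2
        return 2
    }
    missing_rules "$report" "$@"
}

# Constructed sample in the report format shown on this page.
sample='Dry run: no output written
Rules triggered:
authorization.bearer: 1
cookie.value: 2'
# form.value is absent from the sample, so it is printed and the gate fails.
missing_rules "$sample" authorization.bearer form.value || echo "gate would fail"
```

In a pipeline, call `gate_evidence evidence.txt authorization.bearer cookie.value` and let its non-zero return fail the job; a file that unexpectedly reports "Rules triggered: none" fails the same way.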
