The --dry-run flag lets you run the full sanitization pipeline — validation, file reading, UTF-8 decoding, and sensitive-value detection — without writing any output file or creating any temporary files on disk. The terminal report is identical to a normal run, showing exactly which rule IDs would have triggered and how many times, so you can understand the scope of redaction before producing a sanitized copy.
Command
Output Format
When rules trigger, dry-run output begins with Dry run: no output written followed by the same sorted rule-count report as a normal run:
When No Rules Trigger
If the input contains no values matching any rule, the report still confirms no output was written:
What Dry Run Does and Does Not Do
| Step | Normal run | Dry run |
|---|---|---|
| Validate input and output paths | ✅ | ✅ |
| Read and decode the input file | ✅ | ✅ |
| Run all sanitization rules | ✅ | ✅ |
| Print rule-count report to stdout | ✅ | ✅ |
| Write the sanitized output file | ✅ | ❌ |
| Create any temporary files | ❌ | ❌ |
Dry run still validates the input file fully before doing anything else. It will fail on the same errors as a normal run: an unreadable or missing input file, a non-UTF-8 encoding, an input larger than 10 MiB, NUL bytes in the input, or any output path safety violation. This means a successful dry run also confirms that the input is valid and the output path is safe to use.
The --output Flag Is Required for Dry Run
Even when using --dry-run, you must still supply --output. The output path is validated as part of the safety checks — the command verifies that the path does not already exist, that its parent directory is present, and that it does not resolve to the same file as the input — before any reading or detection takes place.
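The input and output checks described above, sketched in Python as an added example. This is not the project's own code: the function names, error messages and the order of the checks are assumptions made for illustration.

```python
import os

MAX_INPUT_BYTES = 10 * 1024 * 1024  # 10 MiB limit stated on this page


class PreflightError(Exception):
    """Raised when one of the documented validation checks fails."""


def check_output_path(input_path: str, output_path: str) -> None:
    # Compare resolved paths first so a symlink or ../ alias of the input
    # gets the specific error rather than a generic "already exists".
    if os.path.realpath(output_path) == os.path.realpath(input_path):
        raise PreflightError("output resolves to the input file")
    # lexists() also catches dangling symlinks sitting at the output path.
    if os.path.lexists(output_path):
        raise PreflightError("output path already exists")
    parent = os.path.dirname(os.path.abspath(output_path))
    if not os.path.isdir(parent):
        raise PreflightError("output parent directory is missing")


def read_input(input_path: str) -> str:
    try:
        with open(input_path, "rb") as fh:
            # Read one byte past the limit to detect oversize input
            # without loading an arbitrarily large file into memory.
            data = fh.read(MAX_INPUT_BYTES + 1)
    except OSError as exc:
        raise PreflightError(f"input unreadable or missing: {exc.strerror}") from exc
    if len(data) > MAX_INPUT_BYTES:
        raise PreflightError("input larger than 10 MiB")
    # NUL is valid UTF-8, so it needs its own check before decoding.
    if b"\x00" in data:
        raise PreflightError("input contains NUL bytes")
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise PreflightError("input is not valid UTF-8") from exc


def preflight(input_path: str, output_path: str) -> str:
    """Validate both paths and return the decoded text; nothing is written."""
    check_output_path(input_path, output_path)  # before any reading
    return read_input(input_path)
```
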
Use Cases
Previewing before committing sanitized files
Run --dry-run on evidence before adding the sanitized copy to a report or ticket. Confirm that authorization.bearer, cookie.value, and other expected rules triggered the right number of times, then re-run without the flag to produce the actual output.
CI pipeline checks
Use dry-run in a CI job to verify that evidence files in a repository trigger at least the expected rule families — without the job writing any files to the workspace. Check the exit code (0 for success, non-zero for any validation or I/O error) to gate the pipeline.
Auditing evidence scope
When an evidence file is handed off between team members, a dry-run pass confirms which credential categories are present before the file is shared further, without producing a new artifact that itself needs to be tracked.