Evidence Sanitizer is intentionally best-effort within its documented rules. It applies a fixed set of deterministic, line-oriented patterns to HTTP-style text evidence. Formats, encodings, and patterns that fall outside the approved rule set may retain raw secrets in the output. Understanding these limitations is essential to reviewing sanitized output correctly before sharing it.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/facunemi/evidence-sanitizer/llms.txt
Use this file to discover all available pages before exploring further.
Unsupported Body Formats
The following body formats are not parsed and will not have secrets redacted within them:- Multipart bodies — multipart MIME parsing is not implemented. Secrets inside
multipart/form-dataparts are not redacted. - XML bodies — XML parsing is not implemented. Secrets inside XML elements or attributes are not redacted.
- HTML and JavaScript — HTML and JavaScript parsing are not implemented. Tokens embedded in HTML attributes, inline scripts, or JavaScript objects are not redacted.
- Full JSON parsing — JSON support is conservative raw string-key/string-value scanning only. The scanner does not use
json.loads(), does not validate JSON structure, and does not reserialize. It matches only literal"key": "value"string pairs for an approved fixed list of field names. - Non-string JSON values — numbers, booleans,
null, arrays, and top-level object values are not redacted. Only direct string values of approved field names are in scope. - Form bodies without a Content-Type gate — form-urlencoded scanning is activated only when a physical line-start
Content-Type: application/x-www-form-urlencodedheader is present and followed by a blank header/body separator. Rawname=valuestrings without that header are not scanned. - Multi-line form bodies — only the immediate first physical line after the blank header/body separator is scanned. Wrapped or multi-line form bodies are not supported.
- Percent-encoded and plus-encoded form fields — no percent-decoding or plus-decoding is performed on form field names or values. A field name such as
access%5Ftokendoes not matchaccess_tokenand may retain a sensitive value. - Semicolon-separated form fields —
&is the only supported form field separator. Semicolon-separated form fields are not parsed. - No full HTTP parser — the tool does not implement Content-Length-based body parsing or chunked transfer decoding. Body boundaries are inferred from blank separator lines only.
Unsupported Header Patterns
Set-Cookieheader — response cookie sanitization is not implemented. Secrets inSet-Cookievalues are not redacted.- Proxy and forwarding headers —
Proxy-Authenticate,WWW-Authenticate,X-Proxy-Authorization,Forwarded,X-Forwarded-*,X-Original-*, andViaare out of scope. Only exact line-startProxy-Authorizationheaders are handled. - Folded or indented headers — if a supported header line (such as
Cookie:, a sensitive header, orProxy-Authorization:) is immediately followed by a physical line beginning with a space or tab (an HTTP header fold), the complete folded form is left unchanged. Folded-header parsing is deferred. This is a residual false-negative risk: folded header values may remain in output.
Unsupported URL Patterns
- Recursive URL parsing — nested URLs in query parameter values are not recursively parsed. A sensitive parameter embedded in a URL-valued query parameter (for example,
redirect_uri=https://example.test/cb?access_token=abc) may be redacted only if the outer field name is itself sensitive and the form or query rules apply. - URL decoding and re-encoding — the tool operates on raw decoded text. Percent-encoded characters in URLs are not decoded before matching. A URL-encoded query parameter name such as
access%5Ftokendoes not match the approved nameaccess_token. - Percent-encoded query parameter names — see above. Encoded names are not decoded and will not match the approved parameter name set.
Unsupported Processing Modes
- Directory scanning and batch processing — the tool processes exactly one file per invocation. There is no recursive directory mode or batch processing mode.
- Entropy-based secret detection — the tool uses only fixed approved rule patterns. High-entropy string detection, regular-expression pattern libraries, and heuristic scanning are not implemented.
- Arbitrary regex, configurable rules, and user-defined patterns — the approved rule set is fixed. There is no configuration file, plugin system, or mechanism to add custom patterns at runtime.
Output and Filesystem Limitations
- No atomic output replacement guarantee — the tool creates the output file exclusively and writes directly to it. If the process is terminated abruptly during writing, a partial output file may be left at the destination path.
- Partial output on abrupt termination — on a controlled write failure, the tool attempts to remove the incomplete output file, but this cleanup is best-effort and may not succeed in all cases.
- No file metadata preservation — the output file is a new file created with normal platform defaults. Permissions, ownership, timestamps, ACLs, and extended attributes from the input file are not copied to the output.
Roadmap Items
The following are tentative areas of future work noted in the project roadmap. They are not current behavior and should not be assumed to be available:- Additional signature headers — coverage of further cloud or platform-specific signature headers beyond the current
header.secretset. - Optional JSON report output — a machine-readable report format as an alternative to the current plain-text CLI summary.