Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/facunemi/evidence-sanitizer/llms.txt

Use this file to discover all available pages before exploring further.

Evidence Sanitizer is intentionally best-effort within its documented rules. It applies a fixed set of deterministic, line-oriented patterns to HTTP-style text evidence. Formats, encodings, and patterns that fall outside the approved rule set may retain raw secrets in the output. Understanding these limitations is essential to reviewing sanitized output correctly before sharing it.
Always manually review sanitized output before distributing it. The tool reports which rule families triggered and how many times, but it cannot report what it missed. A zero-count report does not mean the file contains no secrets — it means none of the supported rules matched.

Unsupported Body Formats

The following body formats are not parsed and will not have secrets redacted within them:
  • Multipart bodies — multipart MIME parsing is not implemented. Secrets inside multipart/form-data parts are not redacted.
  • XML bodies — XML parsing is not implemented. Secrets inside XML elements or attributes are not redacted.
  • HTML and JavaScript — HTML and JavaScript parsing are not implemented. Tokens embedded in HTML attributes, inline scripts, or JavaScript objects are not redacted.
  • Full JSON parsing — JSON support is conservative raw string-key/string-value scanning only. The scanner does not use json.loads(), does not validate JSON structure, and does not reserialize. It matches only literal "key": "value" string pairs for an approved fixed list of field names.
  • Non-string JSON values — numbers, booleans, null, arrays, and top-level object values are not redacted. Only direct string values of approved field names are in scope.
  • Form bodies without a Content-Type gate — form-urlencoded scanning is activated only when a physical line-start Content-Type: application/x-www-form-urlencoded header is present and followed by a blank header/body separator. Raw name=value strings without that header are not scanned.
  • Multi-line form bodies — only the immediate first physical line after the blank header/body separator is scanned. Wrapped or multi-line form bodies are not supported.
  • Percent-encoded and plus-encoded form fields — no percent-decoding or plus-decoding is performed on form field names or values. A field name such as access%5Ftoken does not match access_token and may retain a sensitive value.
  • Semicolon-separated form fields& is the only supported form field separator. Semicolon-separated form fields are not parsed.
  • No full HTTP parser — the tool does not implement Content-Length-based body parsing or chunked transfer decoding. Body boundaries are inferred from blank separator lines only.

Unsupported Header Patterns

  • Set-Cookie header — response cookie sanitization is not implemented. Secrets in Set-Cookie values are not redacted.
  • Proxy and forwarding headersProxy-Authenticate, WWW-Authenticate, X-Proxy-Authorization, Forwarded, X-Forwarded-*, X-Original-*, and Via are out of scope. Only exact line-start Proxy-Authorization headers are handled.
  • Folded or indented headers — if a supported header line (such as Cookie:, a sensitive header, or Proxy-Authorization:) is immediately followed by a physical line beginning with a space or tab (an HTTP header fold), the complete folded form is left unchanged. Folded-header parsing is deferred. This is a residual false-negative risk: folded header values may remain in output.

Unsupported URL Patterns

  • Recursive URL parsing — nested URLs in query parameter values are not recursively parsed. A sensitive parameter embedded in a URL-valued query parameter (for example, redirect_uri=https://example.test/cb?access_token=abc) may be redacted only if the outer field name is itself sensitive and the form or query rules apply.
  • URL decoding and re-encoding — the tool operates on raw decoded text. Percent-encoded characters in URLs are not decoded before matching. A URL-encoded query parameter name such as access%5Ftoken does not match the approved name access_token.
  • Percent-encoded query parameter names — see above. Encoded names are not decoded and will not match the approved parameter name set.

Unsupported Processing Modes

  • Directory scanning and batch processing — the tool processes exactly one file per invocation. There is no recursive directory mode or batch processing mode.
  • Entropy-based secret detection — the tool uses only fixed approved rule patterns. High-entropy string detection, regular-expression pattern libraries, and heuristic scanning are not implemented.
  • Arbitrary regex, configurable rules, and user-defined patterns — the approved rule set is fixed. There is no configuration file, plugin system, or mechanism to add custom patterns at runtime.

Output and Filesystem Limitations

  • No atomic output replacement guarantee — the tool creates the output file exclusively and writes directly to it. If the process is terminated abruptly during writing, a partial output file may be left at the destination path.
  • Partial output on abrupt termination — on a controlled write failure, the tool attempts to remove the incomplete output file, but this cleanup is best-effort and may not succeed in all cases.
  • No file metadata preservation — the output file is a new file created with normal platform defaults. Permissions, ownership, timestamps, ACLs, and extended attributes from the input file are not copied to the output.

Roadmap Items

The following are tentative areas of future work noted in the project roadmap. They are not current behavior and should not be assumed to be available:
  • Additional signature headers — coverage of further cloud or platform-specific signature headers beyond the current header.secret set.
  • Optional JSON report output — a machine-readable report format as an alternative to the current plain-text CLI summary.
Roadmap items are subject to explicit approval before implementation. Unsupported formats may retain secrets until they are explicitly specified, implemented, and tested.

Build docs developers (and LLMs) love