Evidence Sanitizer scans evidence text for JSON-like `"key": "value"` pairs and redacts the string value when the key matches a known sensitive field name. The scanner is intentionally conservative: it uses raw string-level scanning rather than a full JSON parser, which means it handles valid JSON as found in typical evidence but does not validate, reserialize, or normalize JSON structure. Only direct string values are redacted; numbers, booleans, null, arrays, and objects are left unchanged.
## Rule ID and Marker

| Rule ID | Marker |
|---|---|
| `json.value` | `<REDACTED:json.value>` |
## Sensitive JSON Field Names

The following field names trigger `json.value` redaction (matched case-insensitively after ASCII lowercase normalization):
token, access_token, accesstoken, refresh_token, refreshtoken, id_token, idtoken, auth_token, authtoken, jwt, session, session_id, sessionid, sid, api_key, apikey, x_api_key, xapikey, password, passwd, pwd, client_secret, clientsecret, shared_secret, sharedsecret, private_key, privatekey, sig, signature, x_amz_signature, xamzsignature, x_goog_signature, xgoogsignature, client_assertion, clientassertion, saml_response, samlresponse
## Before/After Example

From the README, `json_api_body_mixed`:

`token_type`, `user_id`, and `theme` are not in the sensitive field name list and are left unchanged.
## Only Direct String Values

The `json.value` rule only redacts when the value is a JSON string literal (enclosed in double quotes). The following value types are not redacted even if the field name is in the sensitive list:

- Numbers: `{"token": 12345}` → unchanged
- Booleans: `{"session": true}` → unchanged
- Null: `{"sid": null}` → unchanged
- Arrays: `{"access_token": ["a", "b"]}` → unchanged
- Objects: `{"client_secret": {"key": "val"}}` → unchanged

Nested sensitive string fields inside arrays or objects may still be redacted if they independently form a matched `"key": "value"` pair in the raw scan.

## Case-Insensitive Field Name Matching
Field names are normalized to ASCII lowercase before lookup. `"Access_Token"`, `"ACCESS_TOKEN"`, and `"access_token"` all match the same entry.
## Conservative Raw Scanning

The JSON scanner does not build a parse tree. It finds `"` characters in the text, attempts to parse a JSON string key, looks for `:` after the key, then looks for a `"` opening a string value. A match is only recorded when all three elements (quoted key, colon separator with optional whitespace, and quoted string value) are found in sequence.

Strings containing CR or LF, or invalid escape sequences, cause the scanner to skip forward and continue rather than aborting.
## Overlap Protection

The JSON scanner is evaluated last, after Authorization, Proxy-Authorization, Cookie, Sensitive Header, Form, and Query findings. If a candidate JSON value span overlaps any existing finding, the JSON finding is suppressed. For example, if a `"synthetic-bearer-token"` string in the JSON body overlaps with an `authorization.bearer` span, the `json.value` finding for that specific value is skipped. The Authorization finding is authoritative.

Folded Proxy-Authorization header spans are also registered as protected regions and prevent JSON findings from firing inside them.
## Idempotence

If the string value payload (the content between the quotes) is already exactly `<REDACTED:json.value>`, no finding is produced.
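To make the rules above concrete (direct string values only, ASCII-lowercase key matching, skip-forward on CR/LF or bad escapes, overlap suppression, and idempotence), here is an added, self-contained Python model of the raw scanner. It is not Evidence Sanitizer's own code; the function names, the `protected` span list, and the sample inputs are assumptions made for illustration.

```python
import re

# The page's sensitive field names (already in ASCII-lowercase form).
SENSITIVE_JSON_FIELDS = {
    "token", "access_token", "accesstoken", "refresh_token", "refreshtoken", "id_token",
    "idtoken", "auth_token", "authtoken", "jwt", "session", "session_id", "sessionid",
    "sid", "api_key", "apikey", "x_api_key", "xapikey", "password", "passwd", "pwd",
    "client_secret", "clientsecret", "shared_secret", "sharedsecret", "private_key",
    "privatekey", "sig", "signature", "x_amz_signature", "xamzsignature", "x_goog_signature",
    "xgoogsignature", "client_assertion", "clientassertion", "saml_response", "samlresponse"}
MARKER = "<REDACTED:json.value>"
ASCII_LOWER = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ", "abcdefghijklmnopqrstuvwxyz")
ESCAPES = tuple('"\\/bfnrtu')            # legal characters after a backslash in JSON
SEPARATOR = re.compile(r'[ \t\r\n]*:[ \t\r\n]*"')  # optional ws, colon, optional ws, quote

def parse_json_string(text, i):
    """text[i] is an opening quote; return index past the closing quote, else None."""
    j = i + 1
    while j < len(text):
        c = text[j]
        if c == '"':
            return j + 1
        if c in "\r\n" or (c == "\\" and text[j + 1:j + 2] not in ESCAPES):
            return None                  # raw CR/LF, or invalid/unterminated escape
        j += 2 if c == "\\" else 1       # an escape consumes two characters
    return None                          # ran off the end: unterminated string

def find_json_values(text, protected=()):
    """(start, end) payload spans to redact; `protected` = spans claimed by earlier rules."""
    spans, i = [], 0
    while (i := text.find('"', i)) != -1:
        key_end = parse_json_string(text, i)
        m = SEPARATOR.match(text, key_end) if key_end else None
        val_end = parse_json_string(text, m.end() - 1) if m else None
        if val_end is None:              # bad key string, or no quoted value after "key":
            i = m.end() if m else (key_end or i + 1)   # skip forward, keep scanning
            continue
        start, end = m.end(), val_end - 1            # payload between the value's quotes
        key = text[i + 1:key_end - 1].translate(ASCII_LOWER)
        if (key in SENSITIVE_JSON_FIELDS and text[start:end] != MARKER   # idempotence
                and not any(s < end and start < e for s, e in protected)):  # overlap
            spans.append((start, end))
        i = val_end
    return spans

def redact_json_values(text, protected=()):
    out = text
    for start, end in reversed(find_json_values(text, protected)):  # right to left
        out = out[:start] + MARKER + out[end:]
    return out
```

The `\u` escape is accepted without checking its four hex digits, and the offsets in `protected` are assumed to be payload spans produced by the earlier rules.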