Show HN: PII-Shield – Log Sanitization Sidecar with JSON Integrity (Go, Entropy)
20 points | aragoss | 27 days ago | github.com
Why deterministic? So that "pass123" always hashes to the same "[HIDDEN:a1b2c]", allowing QA/Devs to correlate errors without seeing the raw data.
Key features:
1. JSON Integrity: It parses JSON, sanitizes values, and rebuilds it. It guarantees valid JSON output for your SIEM (ELK/Datadog).
2. Entropy Detection: Uses context-aware entropy analysis to catch high-randomness strings.
3. Fail-Open: Designed as a transparent pipe wrapper to preserve app uptime.
The project is open-source (Apache 2.0).
Repo: https://github.com/aragossa/pii-shield
Docs: https://pii-shield.gitbook.io/docs/
I'd love your feedback on the entropy/threshold logic!
aragoss|27 days ago
maxbond|27 days ago
- Wouldn't this censor UUIDs? I want UUIDs to remain in my logs.
- The name "PII Shield" makes me think this would censor entities like names or social security numbers, rather than secrets. Not a big deal though.
aragoss|27 days ago
UUIDs: By default—no. Since UUIDs are Hex (limited charset 0-f), they have lower entropy than Base64 secrets. The threshold is tuned to sit safely above UUIDs but below API keys.
Naming: You are totally right. Currently, it focuses on "high-entropy PII" (passwords, auth tokens, session IDs) rather than names or SSNs. "Secrets Shield" might have been more precise, but naming is hard :)
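An added example, not part of the thread and not PII-Shield's own code: a Go sketch of the two ideas discussed above, per-value Shannon entropy with a cut-off that sits between UUIDs and Base64-style keys, and deterministic redaction tokens. The 4.2 threshold, the keyed HMAC-SHA256 construction, the `key=value` tokenization and all sample values are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math"
	"strings"
)

// Threshold (bits/char) is an assumed cut-off, not PII-Shield's real value.
// A UUID draws on at most 17 symbols (0-f, '-'), so it stays under log2(17) ≈ 4.09.
const Threshold = 4.2

// Entropy returns the Shannon entropy of s in bits per character.
func Entropy(s string) float64 {
	counts := map[rune]float64{}
	for _, r := range s {
		counts[r]++
	}
	n, h := float64(len([]rune(s))), 0.0
	for _, c := range counts {
		h -= c / n * math.Log2(c/n)
	}
	return h
}

// Redact maps equal inputs to the same placeholder (assumed: keyed HMAC-SHA256).
func Redact(key []byte, v string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(v))
	return "[HIDDEN:" + hex.EncodeToString(m.Sum(nil))[:5] + "]"
}

// SanitizeLine redacts the value of each key=value token above Threshold.
func SanitizeLine(key []byte, line string) string {
	fields := strings.Fields(line)
	for i, f := range fields {
		if k, v, ok := strings.Cut(f, "="); ok && Entropy(v) > Threshold {
			fields[i] = k + "=" + Redact(key, v)
		}
	}
	return strings.Join(fields, " ")
}

func main() { // constructed sample line; the key stands in for a per-deployment salt
	line := "req=3f2b8c1e-7a4d-4e9b-a6c5-0d1f2e3a4b5c token=aB3dE6gH9jK2mN5pQ8sT1vW4yZ7cF0iLoRuXbGhM"
	fmt.Println(SanitizeLine([]byte("demo-key"), line))
}
```

Per-string entropy is capped at log2(length), so a 16-character secret can never score above 4.0 and would pass this assumed threshold unredacted; length and context signals are needed alongside the raw score.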
gritspants|26 days ago
aragoss|26 days ago
If your team ends up trying it out and has any feature requests (or catches any edge cases), I’d love to hear them!
johnthescott|24 days ago
aragoss|24 days ago