Go to Cmd
All Collections
Product Documentation
Setup
How to automatically scrub sensitive data
How to automatically scrub sensitive data
Use RE2 regular expressions to define custom scrubbers
Ben Ironside avatar
Written by Ben Ironside. Updated over a week ago

Scrubbers help to redact sensitive data exposed in commands, command output (stdout, stderr), and file diffs.

To access the interface where you can define scrubbers:

  • Click your project’s title to open the dropdown menu.

  • Click Project & app settings, then choose Agent on the left panel:


Next, to define a scrubber:

  • Click Add scrubber to open this menu:

  • Name the scrubber, then select the data type it will apply to (“Command”, “File diff”, or “Output”).

  • Consider unchecking the option Activate scrubber for new scrubbers while you thoroughly test them.

  • Cmd scrubbers use RE2. Define the scrubber using this syntax.

  • Wrap the data you want scrubbed in one or more capture groups.

  • Test the scrubber by using the `Test string` section.

  • The input field (on the left) is editable.

  • The output field (on the right) shows the contents of the input field after passing through the scrubber defined above.

  • When you are satisfied with your scrubber, click Save.


Example
This screenshot shows a scrubber which redacts the passwords in unsafe Mysql commands:

Scrubber suggestions
We hope this table of working RE2 scrubbers provides some helpful starting points or inspiration.

Limiting line length
Cmd scrubbers read line by line. The Change line length option allows you to set an upper bound on how much data from each line will undergo scrubbing at once. The ‘line length’ setting defaults to 4,096 bytes, and its upper bound is 65,536 bytes; any part of a line that extends beyond it will still be scrubbed, but as part of a new line. This setting does not apply to Command scrubbers, only to output and file diff scrubbers.  
 

Additional resources

RE2 documentation
 
 

Did this answer your question?