Scrubbers help to redact sensitive data exposed in commands, command output (stdout, stderr), and file diffs.
To access the interface where you can define scrubbers:
- Click your project’s title to open the dropdown menu.
- Click Project & app settings, then choose Agent on the left panel:
Next, to define a scrubber:
- Click Add scrubber to open this menu:
- Name the scrubber, then select the data type it will apply to (“Command”, “File diff”, or “Output”).
- Consider unchecking the option Activate scrubber for new scrubbers while you thoroughly test them.
- Cmd scrubbers use RE2. Define the scrubber using this syntax.
- Wrap the data you want scrubbed in one or more capture groups.
- Test the scrubber by using the `Test string` section.
- The input field (on the left) is editable.
- The output field (on the right) shows the contents of the input field after passing through the scrubber defined above.
- When you are satisfied with your scrubber, click Save.
This screenshot shows a scrubber which redacts the passwords in unsafe Mysql commands:
We hope this table of working RE2 scrubbers provides some helpful starting points or inspiration.
Limiting line length
Cmd scrubbers read line by line. The Change line length option allows you to set an upper bound on how much data from each line will undergo scrubbing at once. The ‘line length’ setting defaults to 4,096 bytes, and its upper bound is 65,536 bytes; any part of a line that extends beyond it will still be scrubbed, but as part of a new line. This setting does not apply to Command scrubbers, only to output and file diff scrubbers.