README.md
+62-3
@@ -117,14 +117,73 @@ class MyFunction implements RequestHandler<String, String> {
117
117
}
118
118
```
119
119
120
-
### Support Java 11 and Above
120
+
### Support Java 11 and Above
121
121
122
122
Add the environment variable `JAVA_TOOL_OPTIONS` to your Lambda functions and set it to
123
123
`-Djdk.attach.allowAttachSelf=true` in addition to the manual code mentioned above.
124
124
125
125
### Supported Instrumentation Libraries
126
126
127
-
- Aws SDK V1
127
+
- Aws SDK V1
128
128
- Aws SDK V2
129
129
- Apache HTTP Client
130
-
- Apache Kafka
130
+
- Apache Kafka
131
+
132
+
### Secret scrubbing
133
+
134
+
The tracer will automatically scrub values for keys in payload objects such as HTTP request / response body, Lambda events, return value etc. that match (case-sensitively) the following regex patterns at any depth:
135
+
-`.*pass.*`
136
+
-`.*key.*`
137
+
-`.*secret.*`
138
+
-`.*credential.*`
139
+
-`.*passphrase.*`
140
+
-`SessionToken`
141
+
-`x-amz-security-token`
142
+
-`Signature`
143
+
-`Authorization`
144
+
This behavior can be overridden by setting the `LUMIGO_SECRET_MASKING_REGEX` environment variable to a JSON array of regex patterns to match, e.g.: `[".+top.secret.+", ".+pazzword.+"]`.
145
+
146
+
#### Notes
147
+
1. providing a bad regex pattern (e.g., invalid JSON string) will result in an error and fallback to the default patterns.
148
+
2. Only values that are strings are redacted - objects, numbers etc. will stay intact even though their keys match the patterns.
149
+
150
+
#### Escaping special characters
151
+
When the patterns contain special characters such as double quotes (`"`) or backslashes (`\`), those should be escaped with a backslash (`\`).
152
+
153
+
For example, the pattern for keys with whitespaces and quotes like `"key\s+spaced"` becomes `\"key\\\\s+spaced\"`. That's because each double quotes turns into `\"`, and the `\s+` expression requires the backslash character to be escaped both in the string context (`\s+` => `\\s+`) and again in a JSON string context (`\\s+` => `\\\\s+`). When placed into the env-var as an array-item, this becomes:
154
+
```
155
+
["\\"key\\\\s+spaced\\""]
156
+
```
157
+
158
+
#### Examples
159
+
160
+
`LUMIGO_SECRET_MASKING_REGEX` set to `[".*top\\\\s+secret.*", ".*password.*"]` for a payload object like:
161
+
```json
162
+
{
163
+
"top secret": {
164
+
"password": "123456"
165
+
},
166
+
"top secret object": {
167
+
"this will not be scrubbed since the parent is an object": "123456"
168
+
},
169
+
"password": "123456",
170
+
"top secret:": "123456",
171
+
"not so secret": "value",
172
+
"ToP sEcReT": "is case sensitive"
173
+
}
174
+
```
175
+
will result in the following payload shown in the Lumigo platform:
176
+
```json
177
+
{
178
+
"top secret": {
179
+
"password": "****"
180
+
},
181
+
"top secret object": {
182
+
"this will not be scrubbed since the parent is an object": "123456"
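Review bot: In the "Escaping special characters" section, the fenced array `["\\"key\\\\s+spaced\\""]` is not valid JSON as written and does not match the escaped pattern given in the sentence just before it (`\"key\\\\s+spaced\"`). In JSON, `\\"` is an escaped backslash followed by a quote that closes the string, so the array fails to parse, and per Note 1 a reader who copies it gets an error and the default patterns instead of the custom one. Suggest making the block consistent with the prose, i.e. `["\"key\\\\s+spaced\""]`, and naming the extra quoting layer that the doubled backslashes assume (the "string context" is never identified, and the number of backslashes needed depends on where the variable is set). Two smaller documentation points in the same added section: "This behavior can be overridden" does not say whether `LUMIGO_SECRET_MASKING_REGEX` replaces the default list or extends it, which matters because a custom list that drops `Authorization` or `x-amz-security-token` would stop masking them; and Note 1 describes "invalid JSON string" as an example of a bad regex pattern, which conflates a JSON parse failure with a regex compile failure, so it would help to state that both cases fall back to the defaults if that is the behaviour.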