Ask A BotPII and Data Scrubbing in Relay Static Mode
The following document explores the syntax and semantics of the configuration for Advanced Data Scrubbing, as consumed and executed by Relay. Sometimes, this is also referred to as PII scrubbing.
This guide applies when you are running Relay in Static Mode, and you do not want sensitive data to leave your premises. If you are running Managed Mode, or you are OK with sensitive data being scrubbed by Sentry's own servers, refer to Server-Side Data Scrubbing instead.
If you have an exception message which contains IP addresses that are not supposed to be there, you'd write:
{
"applications": {
"$string": ["@ip:replace"]
}
}
It reads as "replace all IP addresses in all strings", or "apply @ip:replaceto all $string fields".
@ip:replace is called a rule, and $string is a selector.
The following rules exist by default:
@ip:replaceand@ip:hashfor replacing IP addresses.@imei:replaceand@imei:hashfor replacing IMEIs.@mac:replace,@mac:maskand@mac:hashfor matching MAC addresses.@email:mask,@email:replaceand@email:hashfor matching email addresses.@creditcard:mask,@creditcard:replaceand@creditcard:hashfor matching credit card numbers.@userpath:replaceand@userpath:hashfor matching local paths (e.g.C:/Users/foo/).@password:removefor removing passwords. In this case, we're pattern matching against the field's key, whether it containspassword,credentials, or similar strings.@anything:remove,@anything:replaceand@anything:hashfor removing, replacing, or hashing any value. It's essentially equivalent to a wildcard-regex, but will also match more than strings.
Rules generally consist of two parts:
- Rule types describe what to match. See PII Rule Types for an exhaustive list.
- Rule redaction methods describe what to do with the match. See PII Redaction Methods for a list.
Each page has examples. Try them by pasting them into the "PII config" column of Piinguin and clicking on fields to get suggestions.
The easiest way to go about this is if you already have a raw JSON payload from some SDK. Go to our PII config editor Piinguin, and:
- Paste in a raw event
- Click on data you want eliminated
- Paste in other payloads and see if they look ok, go back to step 2 if necessary.
After iterating on the config, paste it back into the project config located at .relay/projects/<PROJECT_ID>.json
For example:
{
"publicKeys": [
{
"publicKey": "examplePublicKey",
"isEnabled": true
}
],
"config": {
"allowedDomains": ["*"],
"piiConfig": {
"rules": {
"device_id": {
"type": "pattern",
"pattern": "d/[a-f0-9]{12}",
"redaction": {
"method": "hash"
}
}
},
"applications": {
"freeform": ["device_id"]
}
}
}
}
Our documentation is open source and available on GitHub. Your contributions are welcome, whether fixing a typo (drat!) or suggesting an update ("yeah, this would be better").