PII and Data Scrubbing in Relay Static Mode
The following document explores the syntax and semantics of the configuration for Advanced Data Scrubbing, as consumed and executed by Relay. Sometimes, this is also referred to as PII scrubbing.
This guide applies when you are running Relay in Static Mode, and you do not want sensitive data to leave your premises. If you are running Managed Mode, or you are OK with sensitive data being scrubbed by Sentry's own servers, refer to Server-Side Data Scrubbing instead.
If you have an exception message which contains IP addresses that are not supposed to be there, you'd write:
{
  "applications": {
    "$string": ["@ip:replace"]
  }
}
It reads as "replace all IP addresses in all strings", or "apply @ip:replace to all $string fields".
@ip:replace is called a rule, and $string is a selector.
The following rules exist by default:
- @ip:replace and @ip:hash for replacing IP addresses.
- @imei:replace and @imei:hash for replacing IMEIs.
- @mac:replace, @mac:mask and @mac:hash for matching MAC addresses.
- @email:mask, @email:replace and @email:hash for matching email addresses.
- @creditcard:mask, @creditcard:replace and @creditcard:hash for matching credit card numbers.
- @userpath:replace and @userpath:hash for matching local paths (e.g. C:/Users/foo/).
- @password:remove for removing passwords. In this case, we're pattern matching against the field's key, whether it contains password, credentials, or similar strings.
- @anything:remove, @anything:replace and @anything:hash for removing, replacing, or hashing any value. It's essentially equivalent to a wildcard-regex, but will also match more than strings.
Rules generally consist of two parts:
- Rule types describe what to match. See PII Rule Types for an exhaustive list.
- Rule redaction methods describe what to do with the match. See PII Redaction Methods for a list.
Each page has examples. Try them by pasting them into the "PII config" column of Piinguin and clicking on fields to get suggestions.
The easiest way to build a config is to start from a raw JSON payload from some SDK. Go to our PII config editor Piinguin, and:
1. Paste in a raw event.
2. Click on data you want eliminated.
3. Paste in other payloads and see if they look OK; go back to step 2 if necessary.
After iterating on the config, paste it back into the project config located at .relay/projects/<PROJECT_ID>.json.
For example:
{
  "publicKeys": [
    {
      "publicKey": "examplePublicKey",
      "isEnabled": true
    }
  ],
  "config": {
    "allowedDomains": ["*"],
    "piiConfig": {
      "rules": {
        "device_id": {
          "type": "pattern",
          "pattern": "d/[a-f0-9]{12}",
          "redaction": {
            "method": "hash"
          }
        }
      },
      "applications": {
        "freeform": ["device_id"]
      }
    }
  }
}
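A pre-deployment check for a project file like the one above, as an added example that is not part of Relay or of the original page: it flags rule references that are neither defined under "rules" nor among the built-in rules listed on this page, custom rules that are never applied, and patterns that miss sample values you expect them to catch. The names lint_pii_config, PROJECT and SAMPLES, the mistyped @ip:replce and the sample device IDs are constructed for illustration; the built-in list is taken from this page only and may not be exhaustive.

```python
import re

# Built-in rules as listed on this page (the list may not be exhaustive).
BUILTIN = {
    f"@{kind}:{method}"
    for kind, methods in {
        "ip": "replace hash", "imei": "replace hash", "mac": "replace mask hash",
        "email": "mask replace hash", "creditcard": "mask replace hash",
        "userpath": "replace hash", "password": "remove",
        "anything": "remove replace hash",
    }.items()
    for method in methods.split()
}

def lint_pii_config(project, samples=None):
    """Return problems in config.piiConfig; samples maps a rule name to strings it must match."""
    pii = project.get("config", {}).get("piiConfig", {})
    rules, apps = pii.get("rules", {}), pii.get("applications", {})
    used = {ref for refs in apps.values() for ref in refs}
    problems = [f"unknown rule {r!r}" for r in sorted(used)
                if r not in rules and r not in BUILTIN]
    for name, rule in rules.items():
        if name not in used:
            problems.append(f"{name}: defined but never applied")
        if rule.get("type") != "pattern":
            continue
        try:
            # Python's re only approximates the regex engine Relay uses.
            regex = re.compile(rule.get("pattern", ""))
        except re.error as exc:
            problems.append(f"{name}: pattern does not compile ({exc})")
            continue
        for sample in (samples or {}).get(name, []):
            if not regex.search(sample):
                problems.append(f"{name}: pattern misses {sample!r}")
    return problems

# Constructed input: the page's device_id rule plus a mistyped built-in.
PROJECT = {"config": {"piiConfig": {
    "rules": {"device_id": {"type": "pattern", "pattern": "d/[a-f0-9]{12}",
                            "redaction": {"method": "hash"}}},
    "applications": {"freeform": ["device_id"], "$string": ["@ip:replce"]},
}}}
SAMPLES = {"device_id": ["d/0123456789ab", "d/0123456789AB"]}  # constructed

if __name__ == "__main__":
    for problem in lint_pii_config(PROJECT, SAMPLES):
        print(problem)
```

For a real file, parse .relay/projects/<PROJECT_ID>.json with json.load and pass the result as the first argument.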