░ ░░░ ░░ ░░░░ ░░░░ ░░░ ░░ ░░░ ░░░░ ░░░ ░░
▒ ▒▒▒▒ ▒▒ ▒▒▒▒▒▒▒▒ ▒▒▒▒ ▒▒ ▒▒▒▒ ▒▒ ▒▒▒▒ ▒▒▒▒▒ ▒▒▒▒▒ ▒▒▒▒ ▒▒ ▒▒▒▒ ▒▒ ▒▒▒▒▒▒▒
▓ ▓▓▓ ▓▓▓▓ ▓▓▓▓ ▓▓ ▓▓▓▓ ▓▓ ▓▓▓▓▓▓▓▓▓▓▓ ▓▓▓▓▓ ▓▓▓ ▓▓▓▓ ▓▓▓ ▓▓
█ ███ ███ ████████ ████ ██ ██ ████ █████ █████ ███ ███ ████ ████████ █
█ ████ ██ ██ ███ ████ ███ ██████ █████ ████ ███ ████ ██
Redactrus is a high-performance, production-grade security logging library for Go. It intercepts, sanitizes, and redacts sensitive data (such as passwords, API keys, JWTs, credit cards, emails, and SSNs) before it hits your logging sink.
It provides seamless adapters for logrus, standard library slog, zerolog, and any raw io.Writer streams.
- 8+ Built-in Redactors: Out-of-the-box support for
Password,APIKey,Email,JWT,BearerToken,AWSAccessKey,CreditCard, andSSN. - Field-level & String-level Redaction: Scrub structured JSON fields by exact key name or key pattern, and perform deep regex redaction on message text.
- HMAC Hash-based Redaction: Replace sensitive data with deterministic
[HASHED:<hex>]signatures to correlate events across systems safely. - OnRedaction Callbacks: Monitor and audit potential leaks in real-time.
- Multi-framework Support: Works out of the box with
sirupsen/logrus,log/slog,rs/zerolog, or any custom writer viaio.Writer. - Zero Allocations & Thread-safe: Regexes are pre-compiled and access is protected by standard synchronization.
go get github.com/ibreakthecloud/redactrusRequires Go 1.23 or newer.
import (
"github.com/ibreakthecloud/redactrus"
"github.com/sirupsen/logrus"
)
func main() {
logger := logrus.New()
// Create formatter wrapping standard logrus formatter
formatter := redactrus.NewDefaultRedactingFormatter(&logrus.JSONFormatter{}).
RedactFields("password", "api_key") // Redact structured field keys
logger.SetFormatter(formatter)
// Will redact message string and structured entry fields
logger.WithField("password", "123").Info("User logging in with password=123")
}import (
"log/slog"
"os"
"github.com/ibreakthecloud/redactrus"
)
func main() {
formatter := redactrus.NewDefaultRedactingFormatter(&logrus.JSONFormatter{}).
RedactFields("secret_token")
// Wrap any slog.Handler (e.g. JSONHandler)
handler := redactrus.NewRedactingHandler(slog.NewJSONHandler(os.Stdout, nil), formatter)
logger := slog.New(handler)
// Replaces value of secret_token with "[REDACTED]"
logger.Info("sensitive operation", slog.String("secret_token", "supersecret"))
}import (
"os"
"github.com/ibreakthecloud/redactrus"
"github.com/rs/zerolog"
)
func main() {
formatter := redactrus.NewDefaultRedactingFormatter(&logrus.JSONFormatter{})
// Wrap stdout to intercept and redact raw streams
writer := redactrus.NewZerologWriter(os.Stdout, formatter)
logger := zerolog.New(writer).With().Timestamp().Logger()
logger.Info().Msg("Accessing resource with api_key=sk-abc123XYZ")
}Instead of placing generic [REDACTED] markers in logs, you can set a global HMAC key. Secrets will be replaced with their HMAC-SHA256 signature, preserving quotes:
// Set key for deterministic hashing
redactrus.SetGlobalHashKey([]byte("my-internal-secure-key-123"))
// A log containing "password=mysecret" becomes:
// "password=[HASHED:2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae]"Get notified immediately when sensitive data is intercepted:
redactrus.SetGlobalRedactionCallback(func(redactorName, value string) {
metrics.IncrementCounter("logs.redacted", "redactor", redactorName)
if isHighlyCritical(value) {
alerting.Notify("Security leak detected in logs!")
}
})Contributions are welcome! Please read CONTRIBUTING.md and SECURITY.md before opening pull requests or reporting vulnerabilities.
This project is licensed under the MIT License - see the LICENSE file for details.