A redacting Ruby logger to prevent the leaking of secrets via logs

github/redacting-logger

redacting-logger

This Gem wraps the official Ruby Logger utility.

Installation 💎

You can download this Gem from GitHub Packages or RubyGems.

Via a Gemfile:

source "https://rubygems.org"

gem "redacting-logger", "~> X.X.X" # Replace X.X.X with the latest version

Usage 💻

Basic

require "redacting_logger"

# Create a new logger
logger = RedactingLogger.new(redact_patterns: [/topsecret/])

# Log a message that contains some redacted pattern
logger.info("This is a topsecret message.")

This will output:

I, [timestamp]  INFO -- : This is a [REDACTED] message.

Advanced

require "redacting_logger"

# Create a new logger
logger = RedactingLogger.new(
  $stdout, # The device to log to (defaults to $stdout if not provided)
  redact_patterns: [/REDACTED_PATTERN1/, /REDACTED_PATTERN2/], # An array of Regexp patterns to redact from the logs
  level: Logger::INFO, # The log level to use
  redacted_msg: "[REDACTED]", # The message to replace the redacted patterns with
  use_default_patterns: true # Whether to use the default built-in patterns or not
)

# Log a message that contains some redacted patterns
logger.info("This is a message with a REDACTED_PATTERN1 and REDACTED_PATTERN2 in it.")

This will output:

I, [timestamp]  INFO -- : This is a message with a [REDACTED] and [REDACTED] in it.

Default Redaction Patterns

This Gem comes pre-built with a few redaction patterns to help you get started. These patterns are defined in lib/patterns/default.rb.

A few examples of these patterns are:

  • GitHub Personal Access Tokens
  • GitHub Temporary Actions Tokens
  • RSA Private Keys
  • JWT Tokens

You can disable these default patterns with:

logger = RedactingLogger.new(
  use_default_patterns: false # Whether to use the default built-in patterns or not
)
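As an added example that is not the gem's own code, here is a minimal stand-in showing the mechanism such a wrapper relies on: subclass the stdlib Logger and scrub every message in Logger#add before it reaches the log device. The constructor keywords mirror the options shown above; MiniRedactingLogger, DEFAULT_PATTERNS and demo_redaction are names constructed for this example, and its patterns are illustrative shapes, not the gem's real ones from lib/patterns/default.rb.

```ruby
require "logger"
require "stringio"

# Minimal redacting logger built on the stdlib Logger (illustrative stand-in,
# not the redacting-logger gem's implementation).
class MiniRedactingLogger < Logger
  # Constructed default patterns mimicking the README's categories; the
  # real gem's patterns live in lib/patterns/default.rb and may differ.
  DEFAULT_PATTERNS = [
    /ghp_[A-Za-z0-9]{36}/,                                            # PAT-like
    /-----BEGIN RSA PRIVATE KEY-----.*?-----END RSA PRIVATE KEY-----/m, # RSA key
    /\beyJ[\w-]+\.[\w-]+\.[\w-]+\b/                                   # JWT-like
  ].freeze

  def initialize(logdev = $stdout, redact_patterns: [], level: Logger::INFO,
                 redacted_msg: "[REDACTED]", use_default_patterns: true)
    super(logdev, level: level)
    @patterns = redact_patterns.dup
    @patterns.concat(DEFAULT_PATTERNS) if use_default_patterns
    @redacted_msg = redacted_msg
  end

  # Apply every pattern in turn; later patterns also see earlier replacements.
  def redact(text)
    @patterns.reduce(text.to_s) { |acc, pat| acc.gsub(pat, @redacted_msg) }
  end

  # Logger#add is the single choke point behind info/warn/error/etc., so
  # redacting here covers positional messages, progname-only calls and blocks.
  def add(severity, message = nil, progname = nil)
    if message.nil?
      message = block_given? ? yield : progname
      progname = nil
    end
    super(severity, redact(message), progname)
  end
end

# Drive the logger into a StringIO so the scrubbed output can be inspected.
def demo_redaction
  buf = StringIO.new
  log = MiniRedactingLogger.new(buf, redact_patterns: [/topsecret/])
  log.info("This is a topsecret message.")
  log.warn("token=ghp_#{"a" * 36}")              # constructed sample token
  log.debug("ghp_#{"b" * 36}")                   # below INFO: never written
  log.error { "jwt=eyJab.eyJcd.sig_ef" }         # block form is covered too
  buf.string
end
puts demo_redaction if $PROGRAM_NAME == __FILE__
```

A practical caveat: each pattern is matched per message, so a secret split across two log calls or encoded differently from the pattern is not caught; treat redaction as a safety net rather than a reason to pass secrets into log arguments.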