Secrets Detection Configuration

secrets_detection:
  enabled: true
  action: redact
  entities:
    - OPENSSH_PRIVATE_KEY
    - PEM_PRIVATE_KEY
  max_scan_chars: 200000
  log_detected_types: true

Options

Option              | Default                | Description
--------------------|------------------------|-----------------------------------------------
enabled             | true                   | Enable secrets detection
action              | redact                 | Action taken when a secret is found
entities            | Private keys           | Secret types to detect
max_scan_chars      | 200000                 | Maximum characters to scan (0 = unlimited)
log_detected_types  | true                   | Log the detected secret types (never logs content)
redact_placeholder  | <SECRET_REDACTED_{N}>  | Placeholder format used for redaction

Actions

Action       | Description
-------------|-----------------------------------------------------------------------
redact       | Replace secrets with placeholders, restore them in the response (default)
block        | Return HTTP 400; the request never reaches the LLM
route_local  | Route the request to a local LLM (requires route mode)

Redact (Default)

secrets_detection:
  action: redact

Block

secrets_detection:
  action: block

Route to Local

mode: route
secrets_detection:
  action: route_local

Secret Types

Private Keys (enabled by default)

secrets_detection:
  entities:
    - OPENSSH_PRIVATE_KEY  # -----BEGIN OPENSSH PRIVATE KEY-----
    - PEM_PRIVATE_KEY      # RSA, PRIVATE KEY, ENCRYPTED PRIVATE KEY

API Keys (opt-in)

secrets_detection:
  entities:
    - API_KEY_OPENAI   # sk-... (48+ chars)
    - API_KEY_AWS      # AKIA... (20 chars)
    - API_KEY_GITHUB   # ghp_, gho_, ghu_, ghs_, ghr_ (40+ chars)

Tokens (opt-in)

secrets_detection:
  entities:
    - JWT_TOKEN      # eyJ... (three base64 segments)
    - BEARER_TOKEN   # Bearer ... (40+ char tokens)

Performance

For large payloads, limit scanning:

secrets_detection:
  max_scan_chars: 200000  # 200KB default
  # max_scan_chars: 0     # Scan entire request

Secrets placed after the limit won't be detected.
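To make the redact/restore flow from the Actions section, the type-only logging and the max_scan_chars cutoff above concrete, here is an added Python sketch of how a gateway could implement this configuration. It is example code written for this page, not the product's own implementation: the detector regexes are constructed approximations of the hint comments in the Secret Types section (the real patterns are not documented here), the SecretsDetectionConfig class and the function names are assumed, and the sample request is made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed approximations of the documented hints ("AKIA... (20 chars)", etc.).
# The gateway's real patterns are not on the page; these are for illustration only.
PATTERNS: Dict[str, re.Pattern] = {
    "OPENSSH_PRIVATE_KEY": re.compile(
        r"-----BEGIN OPENSSH PRIVATE KEY-----.*?-----END OPENSSH PRIVATE KEY-----", re.S),
    "PEM_PRIVATE_KEY": re.compile(
        r"-----BEGIN (?:RSA |ENCRYPTED )?PRIVATE KEY-----.*?"
        r"-----END (?:RSA |ENCRYPTED )?PRIVATE KEY-----", re.S),
    "API_KEY_OPENAI": re.compile(r"\bsk-[A-Za-z0-9]{45,}\b"),        # 48+ chars incl. "sk-" (assumption)
    "API_KEY_AWS": re.compile(r"\bAKIA[A-Z0-9]{16}\b"),               # exactly 20 chars
    "API_KEY_GITHUB": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),  # ghp_/gho_/ghu_/ghs_/ghr_, 40+ chars
    "JWT_TOKEN": re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+\b"),        # three base64url segments
    "BEARER_TOKEN": re.compile(r"\bBearer [A-Za-z0-9._-]{40,}"),
}


@dataclass
class SecretsDetectionConfig:
    """Mirror of the secrets_detection YAML block (field names are the documented options)."""
    enabled: bool = True
    action: str = "redact"                     # redact | block | route_local
    entities: Tuple[str, ...] = ("OPENSSH_PRIVATE_KEY", "PEM_PRIVATE_KEY")
    max_scan_chars: int = 200_000              # 0 = unlimited
    log_detected_types: bool = True
    redact_placeholder: str = "<SECRET_REDACTED_{N}>"


def find_secrets(text: str, cfg: SecretsDetectionConfig) -> List[Tuple[int, int, str]]:
    """Return non-overlapping (start, end, type) spans, earliest first.

    Only the first max_scan_chars characters are examined, so a secret that
    starts or ends past the limit is simply not found (the documented caveat).
    """
    window = text if cfg.max_scan_chars <= 0 else text[: cfg.max_scan_chars]
    hits = []
    for name in cfg.entities:
        for m in PATTERNS[name].finditer(window):
            hits.append((m.start(), m.end(), name))
    hits.sort()
    spans, last_end = [], -1
    for start, end, name in hits:
        if start >= last_end:          # drop a match that overlaps an earlier one
            spans.append((start, end, name))
            last_end = end
    return spans


def process_request(text: str, cfg: SecretsDetectionConfig, audit_log: List[str]) -> dict:
    """Apply the configured action. audit_log receives type names only, never secret text."""
    if not cfg.enabled:
        return {"action": "pass", "text": text, "mapping": {}}
    spans = find_secrets(text, cfg)
    types = sorted({name for _, _, name in spans})
    if cfg.log_detected_types and types:
        audit_log.append("secrets detected: " + ", ".join(types))
    if not spans:
        return {"action": "pass", "text": text, "mapping": {}}
    if cfg.action == "block":
        return {"action": "block", "status": 400, "mapping": {}}   # never reaches the LLM
    if cfg.action == "route_local":
        return {"action": "route_local", "text": text, "mapping": {}}
    # redact: swap each span for a numbered placeholder and keep the mapping so the
    # upstream response can be restored before it goes back to the client.
    out, mapping, cursor = [], {}, 0
    for n, (start, end, _name) in enumerate(spans, start=1):
        placeholder = cfg.redact_placeholder.format(N=n)
        mapping[placeholder] = text[start:end]
        out.append(text[cursor:start])
        out.append(placeholder)
        cursor = end
    out.append(text[cursor:])
    return {"action": "redact", "text": "".join(out), "mapping": mapping}


def restore_response(response: str, mapping: Dict[str, str]) -> str:
    """Put the original secrets back wherever the LLM echoed a placeholder."""
    for placeholder, secret in mapping.items():
        response = response.replace(placeholder, secret)
    return response


# Constructed sample request: a fake OpenSSH key block plus a fake AWS access key id.
SAMPLE = (
    "Please debug my deploy script:\n"
    "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n-----END OPENSSH PRIVATE KEY-----\n"
    "export AWS_ACCESS_KEY_ID=AKIAZZZZEXAMPLE00000\n"
)


def demo() -> dict:
    """Redact the sample with API keys opted in, then restore a response that echoed a placeholder."""
    cfg = SecretsDetectionConfig(entities=("OPENSSH_PRIVATE_KEY", "PEM_PRIVATE_KEY", "API_KEY_AWS"))
    log: List[str] = []
    result = process_request(SAMPLE, cfg, log)
    echoed = "I see you used <SECRET_REDACTED_2>; rotate it."
    return {"redacted": result["text"], "restored": restore_response(echoed, result["mapping"]), "log": log}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Two details worth noting: the mapping from placeholder to secret lives only in the gateway's memory for the lifetime of the request, and the audit log line carries type names alone, which is what "never logs content" means in practice. Lowering max_scan_chars to a value shorter than the prefix before a key shows the documented blind spot directly: the key is never seen, so nothing is redacted.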