Lumigo Docs

Secret Masking

Secret masking allows you to keep sensitive data private. This sensitive data can include information like API keys, authentication tokens, passwords, or other types of critical information. Secret masking obscures the values stored for some data fields, preventing the critical values from being displayed and republished throughout the Lumigo platform. The fields to be masked are defined using regular expressions.

Example

A field with a value containing the substring "key" was masked with [Hidden Information]

Default Behavior

By default, Lumigo applies secret masking to data fields that match common regexes such as ".*pass.*", ".*key.*", and so on. The full list of regexes matched by default is below:

LUMIGO_SECRET_MASKING_REGEX=[".*pass.*",".*key.*",".*secret.*",".*credential.*",".*passphrase.*","SessionToken","x-amz-security-token","Signature","Credential","Authorization"]
  • The field Key will not be masked for specific AWS service calls in which it is used for specifying the object (DynamoDB, S3 etc.)

Customization

To override the default regular expressions, add the LUMIGO_SECRET_MASKING_REGEX environment variable to your Lambda function’s definition:

Key: LUMIGO_SECRET_MASKING_REGEX
Value: ["regex1", "regex2",...]

Quick Tips

  • All the regexes are case-insensitive.
  • To completely disable the default secret masking behavior, use an EMPTY list value: LUMIGO_SECRET_MASKING_REGEX = []
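
The sketch below is an added example, not Lumigo's code: it models the behavior described on this page so that a custom regex list can be checked against a sample payload before it is deployed. It assumes the variable's value is parsed as JSON and that a regex must match the whole field name; the AWS Key exception is not modeled, and SAMPLE_EVENT is constructed data.

```python
import json
import re

# Default list as given on this page.
DEFAULT_REGEXES = [".*pass.*", ".*key.*", ".*secret.*", ".*credential.*",
                   ".*passphrase.*", "SessionToken", "x-amz-security-token",
                   "Signature", "Credential", "Authorization"]
MASK = "[Hidden Information]"

# Constructed sample payload, not real data.
SAMPLE_EVENT = {
    "user": "alice",
    "Password": "example-password",
    "headers": {"Authorization": "Bearer example", "X-Api-Key": "example",
                "card_number": "0000"},
    "items": [{"db_secret": "example", "name": "widget"}],
}


def load_patterns(env):
    """Compile the regex list from env, falling back to the defaults if unset."""
    raw = env.get("LUMIGO_SECRET_MASKING_REGEX")
    regexes = DEFAULT_REGEXES if raw is None else json.loads(raw)  # assumption: JSON
    if not isinstance(regexes, list) or not all(isinstance(r, str) for r in regexes):
        raise ValueError("LUMIGO_SECRET_MASKING_REGEX must be a list of strings")
    return [re.compile(r, re.IGNORECASE) for r in regexes]  # case-insensitive


def mask(data, patterns):
    """Return a copy of data with the value of every matching field replaced."""
    if isinstance(data, dict):
        # Assumption: a regex must match the whole field name (fullmatch).
        return {k: MASK if any(p.fullmatch(str(k)) for p in patterns)
                else mask(v, patterns) for k, v in data.items()}
    if isinstance(data, list):
        return [mask(item, patterns) for item in data]
    return data


if __name__ == "__main__":
    # Compare: variable unset (defaults), a custom override, and the empty list.
    for value in (None, '[".*card.*"]', "[]"):
        env = {} if value is None else {"LUMIGO_SECRET_MASKING_REGEX": value}
        print(value, json.dumps(mask(SAMPLE_EVENT, load_patterns(env))))
```

In this model the override replaces the default list rather than extending it: with '[".*card.*"]' the Password and Authorization fields are no longer masked, so a custom list should repeat any default patterns that are still needed.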

Updated 2 months ago
