I built LogShield as an experiment in deterministic log sanitization. I wanted to see whether a purely rule-based approach could reliably remove secrets from logs without breaking structure or causing false positives.
LogShield is a small open-source CLI designed to work as a drop-in filter in pipelines:
- Reads from stdin, writes sanitized logs to stdout
- Explicit, inspectable rules (no probabilistic or ML-based masking)
- Same input → same output, every time
- Focused on avoiding false positives that break debugging
Typical use cases I had in mind:
- Sharing logs in issues, Slack, or support tickets
- CI/CD pipelines before uploading artifacts
- Log shipping to third-party services
Example:
    cat app.log | logshield scan --strict > safe.log
The rule set is intentionally conservative and fully inspectable. I’m especially interested in feedback on:
- Rule coverage vs. false-positive risk
- Edge cases where this approach would fail or be unsafe
- Situations where you would not trust a tool like this in your workflow
Repo: https://github.com/afria85/LogShield
Thanks for taking a look.
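
Added example, not part of the original post and not LogShield's code: a minimal context-anchored rule set in Python that shows the coverage vs. false-positive trade-off the post asks about. The rule names, patterns, `<REDACTED:...>` markers and the sample log are all assumptions made up for this illustration.

```python
import re
import sys

# Hypothetical rules for illustration only; these are NOT LogShield's rules.
# Each one is anchored on context (header, key name, URL userinfo), so bare
# hex strings such as commit hashes are never touched.
RULES = [
    ("bearer", re.compile(r"(?i)(\bauthorization:\s*bearer\s+)[A-Za-z0-9._~+/=-]+"),
     r"\1<REDACTED:bearer>"),
    ("kv_secret", re.compile(
        r'(?i)(\b[\w-]*(?:password|passwd|secret|api[_-]?key|token)"?\s*[=:]\s*"?)[^\s"&,;]+'),
     r"\1<REDACTED:secret>"),
    ("url_creds", re.compile(r"(\b[a-z][a-z0-9+.-]*://[^\s/:@]+:)[^\s/@]+(@)"),
     r"\1<REDACTED:password>\2"),
]

def sanitize_line(line):
    """Apply every rule in fixed order; return (sanitized line, rule names that fired)."""
    fired = []
    for name, pattern, replacement in RULES:
        line, count = pattern.subn(replacement, line)
        if count:
            fired.append(name)
    return line, fired

def sanitize(text):
    """Sanitize line by line, so the line count and ordering never change."""
    return "\n".join(sanitize_line(line)[0] for line in text.split("\n"))

# Constructed sample log; every value below is made up.
SAMPLE = "\n".join([
    "2024-05-01T12:00:00Z INFO login user=alice password=hunter2 ip=10.0.0.5",
    '{"level":"error","db_password":"s3cr3t!","attempts":3}',
    "upstream call failed, sent Authorization: Bearer abc123.def456.ghi789",
    "connecting to postgres://app:Tr0ub4dor@db.internal:5432/orders",
    "deploy commit=9fceb02d0ae598e95dc970b74767f19372d61af8 token_count=512",
    "retrying upload with key 7Gq2mZ8vK1pX4tR9bN3cW6yL",  # no key=value context
])

if __name__ == "__main__":
    # Filter mode: stdin -> stdout, one line at a time.
    for raw in sys.stdin:
        sys.stdout.write(sanitize_line(raw.rstrip("\n"))[0] + "\n")
```

The commit hash and `token_count` line passes through unchanged, which is the false-positive side; the last sample line also passes through unchanged because the secret has no surrounding context, which is the coverage side.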