SecretGuard
SecretGuard detects API keys, tokens, credentials, and other secrets in LLM input/output to prevent accidental leakage to model providers.
Overview
| Property |
Value |
| Latency |
<5ms |
| Memory |
80 KB |
| Async |
No |
| ML Required |
No |
| License |
Community |
Categories
| Category |
Pattern |
Examples |
| AwsKey |
AKIA... |
AWS access key IDs |
| GenericApiKey |
sk-*, key-*, api_key |
Common API key patterns |
| BearerToken |
Bearer ... |
Bearer authentication tokens |
| Jwt |
base64.base64.base64 |
JSON Web Tokens |
| GitHubToken |
ghp_*, gho_*, ghs_*, ghr_* |
GitHub personal access tokens |
| PrivateKey |
-----BEGIN PRIVATE KEY----- |
PEM-encoded private keys |
| StripeKey |
sk_live_*, pk_live_* |
Stripe API keys |
| DatabaseUrl |
postgres://, mysql:// |
Connection strings |
| SlackToken |
xoxb-*, xoxp-* |
Slack tokens |
| GenericSecret |
password=, secret= |
Credential assignments |
Usage
Rust
use oxideshield_guard::guards::SecretGuard;
use oxideshield_guard::{Guard, GuardAction};
let guard = SecretGuard::new("secrets")
.with_action(GuardAction::Block);
let result = guard.check("My AWS key is AKIAIOSFODNN7EXAMPLE");
assert!(!result.passed);
Python
from oxideshield import secret_guard
guard = secret_guard(action="block")
result = guard.check("My AWS key is AKIAIOSFODNN7EXAMPLE")
assert not result.passed
Configuration
guards:
- type: secret
action: block
categories:
- aws_key
- generic_api_key
- bearer_token
- jwt
- github_token
- private_key
- stripe_key
- database_url
- slack_token
- generic_secret
Research References