loki.secretfilter
EXPERIMENTAL: This is an experimental component. Experimental components are subject to frequent breaking changes, and may be removed with no equivalent replacement. The stability.level flag must be set to experimental to use the component.
loki.secretfilter receives log entries and redacts sensitive information from them, such as secrets.
The detection is based on regular expression patterns, defined in the Gitleaks configuration file embedded within the component.
loki.secretfilter can also use a custom configuration file based on the Gitleaks configuration file structure.
Caution
Personally Identifiable Information (PII) isn’t currently in scope and some secrets could remain undetected. This component may generate false positives or redact too much. Don’t rely solely on this component to redact sensitive information.
Note
This component operates on log lines and doesn’t scan labels or other metadata.
Usage
loki.secretfilter "<LABEL>" {
forward_to = <RECEIVER_LIST>
}
Arguments
loki.secretfilter supports the following arguments:
The gitleaks_config argument is the path to the custom gitleaks.toml file.
The Gitleaks configuration file embedded in the component is used if you don’t provide the path to a custom configuration file.
Note
This component doesn’t support all the features of the Gitleaks configuration file. It only supports regular expression-based rules, secretGroup, and allowlist regular expressions. regexTarget only supports the default value secret. Other features such as keywords, entropy, paths, and stopwords aren’t supported. The extend feature isn’t supported. If you use a custom configuration file, you must include all the rules you want to use within the configuration file. Unsupported fields and values in the configuration file are ignored.
The types argument is a map of secret types to look for.
The values provided are used as prefixes to match rule IDs in the Gitleaks configuration.
For example, providing the type grafana matches the rules grafana-api-key, grafana-cloud-api-token, and grafana-service-account-token.
If you don’t provide this argument, all rules are used.
Note
Configuring this argument with the secret types you want to look for is strongly recommended. If you don’t, the component looks for all known types, which is resource-intensive.
Caution
Some secret types in the Gitleaks configuration file rely on regular expression patterns that don’t detect the secret itself but rather the context around it. For example, the aws-access-token type detects AWS key IDs, not the keys themselves. This is because the keys don’t have a unique pattern that can easily be detected with a regular expression. As a result, with this secret type enabled, the component redacts key IDs but not actual secret keys. This behavior is consistent with the Gitleaks redaction feature but may not be what you expect. Currently, the secret types known to have this behavior are: aws-access-token.
The redact_with argument is a string that can use variables such as $SECRET_NAME, replaced with the matching secret type, and $SECRET_HASH, replaced with the SHA1 hash of the secret.
The include_generic argument is a boolean that includes the generic API key rule in the Gitleaks configuration file if set to true.
It’s disabled by default because it can generate false positives.
The allowlist argument is a map of regular expressions to allow matching secrets.
A secret won’t be redacted if it matches any of the regular expressions. The allowlist in the Gitleaks configuration file is also applied.
The partial_mask argument is the number of characters to show from the beginning of the secret before the redact string is added.
If set to 0, the entire secret is redacted.
If a secret is shorter than 6 characters, it’s entirely redacted regardless of partial_mask.
Otherwise, at most half of the secret is shown, so a partial_mask larger than half the secret length is capped.
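The following Go program is an added example; it is not part of the Alloy documentation or of the component’s source. It reimplements the redaction behavior that the types, redact_with, include_generic, allowlist, and partial_mask arguments describe, together with the aws-access-token caution above, so you can see the effect on sample log lines. The rule patterns in DemoRules are simplified stand-ins for the embedded Gitleaks rules, the demo-pin rule is hypothetical, and the log lines and credential values are constructed placeholders.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Rule is the Gitleaks rule subset the page says is honoured; SecretGroup 0 means the whole match.
type Rule struct {
	ID          string
	Regex       *regexp.Regexp
	SecretGroup int
}

// Filter carries the component arguments described above.
type Filter struct {
	Rules          []Rule
	Types          []string         // types: rule-ID prefixes; empty selects every rule
	IncludeGeneric bool             // include_generic: enable the generic-api-key rule
	RedactWith     string           // redact_with: may contain $SECRET_NAME and $SECRET_HASH
	Allowlist      []*regexp.Regexp // allowlist: a matching secret is left untouched
	PartialMask    int              // partial_mask: leading characters to keep; 0 keeps none
}

// DemoRules is a constructed, simplified stand-in for the embedded rule set ("demo-pin" is hypothetical).
// The aws-access-token pattern matches the key ID (the context), never the secret access key itself.
var DemoRules = []Rule{
	{ID: "grafana-service-account-token", Regex: regexp.MustCompile(`glsa_[A-Za-z0-9]{32}_[A-Fa-f0-9]{8}`)},
	{ID: "aws-access-token", Regex: regexp.MustCompile(`(?:A3T[A-Z0-9]|AKIA|ASIA|ABIA|ACCA)[A-Z0-9]{16}`)},
	{ID: "generic-api-key", Regex: regexp.MustCompile(`(?i)api[_-]?key\s*[=:]\s*['"]?([A-Za-z0-9_\-]{16,})`), SecretGroup: 1},
	{ID: "demo-pin", Regex: regexp.MustCompile(`pin=(\d{4,8})`), SecretGroup: 1},
}

// enabled applies include_generic, then the types prefix filter.
func (f Filter) enabled(id string) bool {
	if id == "generic-api-key" && !f.IncludeGeneric {
		return false
	}
	for _, t := range f.Types {
		if strings.HasPrefix(id, t) {
			return true
		}
	}
	return len(f.Types) == 0 // no types configured: every rule is used
}

// redaction expands $SECRET_NAME and $SECRET_HASH (SHA1 of the secret) and applies the
// partial_mask rules: under 6 characters nothing is shown, and never more than half is shown.
func (f Filter) redaction(ruleID, secret string) string {
	sum := sha1.Sum([]byte(secret))
	tail := strings.NewReplacer("$SECRET_NAME", ruleID, "$SECRET_HASH", hex.EncodeToString(sum[:])).Replace(f.RedactWith)
	keep := f.PartialMask
	if len(secret) < 6 {
		keep = 0
	} else if keep > len(secret)/2 {
		keep = len(secret) / 2
	}
	return secret[:keep] + tail
}

// Redact runs every enabled rule over one log line, rewriting each non-allowlisted secret.
func (f Filter) Redact(line string) string {
	for _, rule := range f.Rules {
		if !f.enabled(rule.ID) {
			continue
		}
		var b strings.Builder
		last := 0
	matches:
		for _, m := range rule.Regex.FindAllStringSubmatchIndex(line, -1) {
			g := rule.SecretGroup
			if 2*g+1 >= len(m) || m[2*g] < 0 {
				g = 0 // group absent or unmatched: redact the whole match
			}
			secret := line[m[2*g]:m[2*g+1]]
			for _, re := range f.Allowlist {
				if re.MatchString(secret) {
					continue matches // allowlisted: leave this occurrence as-is
				}
			}
			b.WriteString(line[last:m[2*g]] + f.redaction(rule.ID, secret))
			last = m[2*g+1]
		}
		b.WriteString(line[last:])
		line = b.String()
	}
	return line
}

func main() {
	f := Filter{Rules: DemoRules, Types: []string{"grafana", "aws"}, PartialMask: 4, RedactWith: "<REDACTED-SECRET:$SECRET_NAME:$SECRET_HASH>", Allowlist: []*regexp.Regexp{regexp.MustCompile(`^glsa_TEST`)}}
	// Constructed log lines; the AWS values are documentation placeholders, not live credentials.
	for _, line := range []string{
		`level=info msg="grafana login ok" token=glsa_ABCDEFGHIJKLMNOPQRSTUVWXYZ012345_0a1b2c3d`,
		`aws_access_key_id=AKIAIOSFODNN7EXAMPLE aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`,
		`level=debug token=glsa_TESTTESTTESTTESTTESTTESTTESTTEST_deadbeef api_key=abcdefghijklmnopqrstuvwxyz`,
	} {
		fmt.Println(f.Redact(line))
	}
}
```

Running it prints the three lines after redaction: the Grafana token becomes glsa followed by the redaction string because partial_mask is 4; the AWS line loses its key ID but keeps the secret access key, which is exactly the context-matching caveat; and the third line is untouched because the token is allowlisted, the generic rule is off by default, and demo-pin is outside the configured types. Rules are applied in order over the already-rewritten line, so choose a redact_with string that doesn’t itself look like a secret to a later rule.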
Blocks
The loki.secretfilter component doesn’t support any blocks. You can configure this component with arguments.
Exported fields
The following fields are exported and can be referenced by other components:
Component health
loki.secretfilter is only reported as unhealthy if given an invalid configuration.
Debug metrics
loki.secretfilter doesn’t expose any component-specific debug information.
Example
This example shows how to use loki.secretfilter to redact secrets from log lines before forwarding them to a Loki receiver.
It uses a custom redaction string that includes the secret type and its hash.
Replace the following:
- <PATH_TARGETS>: The paths to the log files to monitor.
- <LOKI_ENDPOINT>: The URL of the Loki instance to send logs to.
Compatible components
loki.secretfilter can accept arguments from the following components:
- Components that export Loki LogsReceiver
loki.secretfilter has exports that can be consumed by the following components:
- Components that consume Loki LogsReceiver
Note
Connecting some components may not be sensible or components may require further configuration to make the connection work correctly. Refer to the linked documentation for more details.