Security Configuration
Security settings live in the same two config scopes as other opentraces settings:
- global machine-local config: ~/.opentraces/config.json
- per-repo portable marker: <repo>/.opentraces.json
Inspect the effective config:
opentraces config show
opentraces --json config show
opentraces security tools list --json
opentraces doctor --security
Defaults
Every per-record security tool defaults off in a fresh config:
{
"security": {
"regex": { "enabled": false },
"entropy": { "enabled": false },
"trufflehog": { "enabled": false, "verify_secrets": false },
"privacy_filter": { "enabled": false, "model_name": "openai/privacy-filter" },
"llm_pii": { "enabled": false },
"business_logic": { "enabled": false },
"path_anonymizer": { "enabled": false },
"capsule_scope": { "enabled": false },
"classifier": { "enabled": false, "sensitivity": "medium" },
"llm_review": { "enabled": false }
}
}
Existing user config may show enabled tools if you previously opted in. The CLI reports the active state rather than the package default.
Dedicated Setup Commands
Prefer setup commands for tools with dependencies or provider configuration:
opentraces setup trufflehog --enable
opentraces setup trufflehog --disable
opentraces setup privacy-filter --enable --install-deps
opentraces setup privacy-filter --disable
opentraces setup llm-review
opentraces setup llm-review --print
opentraces setup llm-review --disable
trufflehog.verify_secrets remains false by default so opentraces does not
make outbound verification calls unless you explicitly configure that behavior.
Direct Config
Lightweight local tools can be enabled directly when you want --use-config
to pick them up:
opentraces config set security.regex.enabled true
opentraces config set security.entropy.enabled true
opentraces config set security.path_anonymizer.enabled true
opentraces config set security.classifier.enabled true
Use explicit --tools in workflow scripts when you want the tool list to be
auditable from the command itself:
printf '%s\n' '{"row":{"text":"..."}}' \
| opentraces security sanitize --tools regex,entropy,path_anonymizer
Bucket Security Policy
A bucket security policy is a named bundle over the same
cfg.security.<tool>.enabled flags set above. It is not a second config system:
applying a policy flips those same flags, scoped to the bucket, so the raw
captured evidence is protected before bucket remote push.
opentraces bucket security status
opentraces bucket security policy --policy recommended
opentraces bucket security policy --tool regex --enable
opentraces bucket security policy --tool entropy --disable
opentraces bucket security status --json
bucket security status is a read-only inspector. bucket security policy --policy applies an exact bundle and accepts only off|basic|recommended|strict.
bucket security policy --tool ... --enable / --tool ... --disable (repeatable)
edits one tool at a time, and bucket security run [--all | --trace <id>] applies
the configured filter to existing records. The setup bucket wizard also offers a
custom walkthrough that toggles each tool individually; custom is not a
--policy value.
| Policy | Tools |
|---|---|
| off | (nothing) |
| basic | regex, entropy |
| recommended | regex, entropy, business_logic, path_anonymizer, classifier |
| strict | regex, entropy, trufflehog, privacy_filter, business_logic, path_anonymizer, classifier |
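The following is an added worked model of how the two config scopes and the policy bundles above compose; it is not opentraces' own code. It assumes per-tool settings layer as defaults, then global config, then the project marker (that precedence is an assumption, not stated on this page), and it uses the defaults and bundle table exactly as listed in this document.

```python
import copy
# Package defaults, as listed in the "Defaults" section of this page.
DEFAULTS = {
    "regex": {"enabled": False},
    "entropy": {"enabled": False},
    "trufflehog": {"enabled": False, "verify_secrets": False},
    "privacy_filter": {"enabled": False, "model_name": "openai/privacy-filter"},
    "llm_pii": {"enabled": False},
    "business_logic": {"enabled": False},
    "path_anonymizer": {"enabled": False},
    "capsule_scope": {"enabled": False},
    "classifier": {"enabled": False, "sensitivity": "medium"},
    "llm_review": {"enabled": False},
}
# Policy bundles from the table above; each is an exact set of enabled tools.
POLICIES = {
    "off": set(),
    "basic": {"regex", "entropy"},
    "recommended": {"regex", "entropy", "business_logic", "path_anonymizer", "classifier"},
    "strict": {"regex", "entropy", "trufflehog", "privacy_filter",
               "business_logic", "path_anonymizer", "classifier"},
}
SANITIZE_TOOLS = set(DEFAULTS) - {"llm_review"}  # llm_review is not a per-record tool

def effective_security(global_cfg, project_cfg):
    """Merge per-tool settings: defaults < global config < project marker (assumed order)."""
    merged = copy.deepcopy(DEFAULTS)
    for layer in (global_cfg.get("security", {}), project_cfg.get("security", {})):
        for tool, settings in layer.items():
            merged.setdefault(tool, {}).update(settings)
    return merged

def apply_policy(security, policy):
    """Flip only the enabled flags so they match the named bundle exactly."""
    if policy not in POLICIES:  # 'custom' is a wizard walkthrough, not a --policy value
        raise ValueError(f"unknown policy {policy!r}; expected off|basic|recommended|strict")
    out = copy.deepcopy(security)
    for tool in SANITIZE_TOOLS:
        out[tool]["enabled"] = tool in POLICIES[policy]
    return out  # other keys (e.g. trufflehog.verify_secrets) are left untouched

def set_tool(security, tool, enabled):
    """Edit one sanitize tool, as --tool <name> --enable / --disable does."""
    if tool not in SANITIZE_TOOLS:
        raise ValueError(f"not a per-record sanitize tool: {tool!r}")
    out = copy.deepcopy(security)
    out[tool]["enabled"] = enabled
    return out

def enabled_tools(security):
    return sorted(t for t in SANITIZE_TOOLS if security[t]["enabled"])
```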
LLM Review
llm_review is stored under security.llm_review, but it is not part of the
per-record sanitize registry. It is a dataset publication reviewer.
{
"security": {
"llm_review": {
"enabled": true,
"api_format": "openai-compat",
"base_url": "http://localhost:11434/v1",
"model": "gemma3n:e4b",
"api_key_env": "",
"timeout": 120.0,
"prompt_version": "1"
}
}
}
Project Marker
The repo-local .opentraces.json carries portable project policy such as
review policy, agents, remotes, and bucket defaults. Security tool settings can
be scoped there with --project, but machine-local provider credentials and
large optional dependencies usually belong in global config.
opentraces config set review_policy review --project
opentraces setup trufflehog --project --enable
Exclusions And Custom Strings
opentraces config set excluded_projects /path/to/private-repo --append
opentraces config set custom_redact_strings corp-api-prefix- --append
opentraces config set custom_redact_strings INTERNAL_BILLING_TOKEN --append
Exclusions prevent collection. Custom strings are available to tools/workflows that consult config during sanitization.