Sensitive Data Scanner
The sensitive data scanner monitors all tool traffic for patterns that look like credentials or sensitive data. When a match is found, the configured action is applied.
The scanner is disabled by default. Enable it in Settings.
How it works
The scanner runs on every tool call passing through the gateway. It checks both the arguments (what the AI sends) and the response (what comes back from the server) for known patterns.
Pattern matching uses compiled regular expressions. The performance overhead is minimal.
Patterns
| Pattern | What it matches | Default severity |
|---|---|---|
| AWS Access Key | Strings starting with AKIA | Critical |
| GitHub Token | ghp_, gho_, ghs_ prefixed tokens | Critical |
| OpenAI Key | sk- prefixed keys | High |
| Stripe Key | sk_live_, pk_live_ prefixed keys | High |
| Private Key Block | -----BEGIN RSA PRIVATE KEY----- and similar | Critical |
| Database Connection String | postgres://user:pass@, mysql:// patterns | High |
| Credit Card Number | 16-digit number patterns | Medium |
| High Entropy String | Long random-looking strings | Medium |
Actions
For each pattern type, choose one of:
- Log: record the detection in the activity feed and Security Log but let the call proceed. Good for monitoring without disruption.
- Block: deny the tool call entirely. The AI receives an error. Use this for patterns that should never appear in tool traffic.
- Redact: replace the matched content with [REDACTED] before forwarding. The tool call still proceeds, but the sensitive data is stripped from the payload.
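The following is an added example, not the product's own code: a minimal scanner that applies the Log, Block and Redact actions to a nested tool-call payload (arguments or response). The regular expressions only approximate five rows of the pattern table, and the names `PATTERNS`, `ACTIONS`, `scan` and the per-pattern action choices are assumptions made for the demonstration.

```python
import re

# Approximations of five table rows (assumed; not the product's actual regexes).
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pos]_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "db_connection_string": re.compile(r"\b(?:postgres|mysql)://[^\s:/@]+:[^\s@]+@"),
    "credit_card": re.compile(r"\b\d{16}\b"),
}
# One action per pattern type, set independently (demo values, assumed).
ACTIONS = {
    "aws_access_key": "block",
    "github_token": "redact",
    "private_key_block": "block",
    "db_connection_string": "redact",
    "credit_card": "log",
}

def scan(payload):
    """Scan a payload; return (verdict, payload_to_forward, detections)."""
    detections = []

    def walk(node):
        # Recurse through dicts and lists; only string values are scanned.
        if isinstance(node, dict):
            return {k: walk(v) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v) for v in node]
        if not isinstance(node, str):
            return node
        for name, rx in PATTERNS.items():
            if rx.search(node):
                detections.append((name, ACTIONS[name]))
                if ACTIONS[name] == "redact":
                    node = rx.sub("[REDACTED]", node)
        return node

    cleaned = walk(payload)
    # A single "block" detection denies the whole call; nothing is forwarded.
    if any(action == "block" for _, action in detections):
        return "block", None, detections
    return "allow", cleaned, detections

if __name__ == "__main__":
    # Constructed sample payload.
    print(scan({"query": "connect postgres://app:s3cret@db.internal/prod"}))
```

A bare 16-digit pattern also matches order numbers and timestamps, which is one reason to start such a pattern on Log before moving it to Block or Redact.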
Configuration
Go to Settings and scroll to the Sensitive Data Scanner section.
- Toggle the scanner on or off globally
- Set the action for each pattern type independently
- See the detection count for the last 24 hours per pattern
Viewing detections
Scanner events appear in two places:
- Activity Log (Monitor tab 1): security alert cards with dismiss buttons
- Security Log (Monitor tab 3): aggregated into the threat dashboard with timeline and per-server breakdowns
You can dismiss individual alerts or clear them all. Dismissing an alert does not change the scanner configuration.