PII and Data Scrubbing in Relay Static Mode

Syntax and semantics of the configuration for advanced data scrubbing, as consumed and executed by Relay.

The following document explores the syntax and semantics of the configuration for Advanced Data Scrubbing, as consumed and executed by Relay. Sometimes, this is also referred to as PII scrubbing.

This guide applies when you are running Relay in Static Mode, and you do not want sensitive data to leave your premises. If you are running Managed Mode, or you are OK with sensitive data being scrubbed by Sentry's own servers, refer to Server-Side Data Scrubbing instead.

If you have an exception message which contains IP addresses that are not supposed to be there, you'd write:

Copied
{
  "applications": {
    "$string": ["@ip:replace"]
  }
}

It reads as "replace all IP addresses in all strings", or "apply @ip:replaceto all $string fields".

@ip:replace is called a rule, and $string is a selector.

The following rules exist by default:

  • @ip:replace and @ip:hash for replacing IP addresses.
  • @imei:replace and @imei:hash for replacing IMEIs.
  • @mac:replace, @mac:mask and @mac:hash for matching MAC addresses.
  • @email:mask, @email:replace and @email:hash for matching email addresses.
  • @creditcard:mask, @creditcard:replace and @creditcard:hash for matching credit card numbers.
  • @userpath:replace and @userpath:hash for matching local paths (e.g.C:/Users/foo/).
  • @password:remove for removing passwords. In this case, we're pattern matching against the field's key, whether it contains password, credentials, or similar strings.
  • @anything:remove, @anything:replace and @anything:hash for removing, replacing, or hashing any value. It's essentially equivalent to a wildcard-regex, but will also match more than strings.

Rules generally consist of two parts:

Each page has examples. Try them by pasting them into the "PII config" column of Piinguin and clicking on fields to get suggestions.

The easiest way to go about this is if you already have a raw JSON payload from some SDK. Go to our PII config editor Piinguin, and:

  1. Paste in a raw event
  2. Click on data you want eliminated
  3. Paste in other payloads and see if they look ok, go back to step 2 if necessary.

After iterating on the config, paste it back into the project config located at .relay/projects/<PROJECT_ID>.json

For example:

Copied
{
  "publicKeys": [
    {
      "publicKey": "examplePublicKey",
      "isEnabled": true
    }
  ],
  "config": {
    "allowedDomains": ["*"],
    "piiConfig": {
      "rules": {
        "device_id": {
          "type": "pattern",
          "pattern": "d/[a-f0-9]{12}",
          "redaction": {
            "method": "hash"
          }
        }
      },
      "applications": {
        "freeform": ["device_id"]
      }
    }
  }
}
Help improve this content
Our documentation is open source and available on GitHub. Your contributions are welcome, whether fixing a typo (drat!) or suggesting an update ("yeah, this would be better").