Overview

It is common for sensitive data and Personally Identifiable Information (PII) to be passed around between services and it is important for compliance and security reasons that these be handled very carefully. Tusk provides methods for the redaction of sensitive data so that we can still test these services while being sure that sensitive data is not leaving your premises.

Transforms

We use the concept of Transforms to redact PII. You may configure Transforms either in the config.yaml or by supplying them directly in the call to initialize(). Every module’s instrumentation has its own separate configuration, because every module behaves differently. With that said, they all follow the same structure. A transform is made up of:
  1. A matcher
  2. An action

Matcher

A matcher denotes what exactly we want to act on. For example:
  "matcher": {
    "pathPattern": "/api/user/*",
    "method": "POST",
    "jsonPath": "$.user.password"
  }
says we want to run the transform only on the JSON field at this jsonPath, and only for POST requests whose path matches the pathPattern.

Action

Actions specify how to mutate the span. For example:
{
  "matcher": {
    "pathPattern": "/api/user/*",
    "method": "POST",
    "jsonPath": "$.user.password"
  },
  "action": {
    "type": "mask",
    "maskChar": "X"
  }
}
says we want to mask the password by replacing every character of it with ‘X’.
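To make the matcher/action model concrete, here is an added, self-contained Python illustration of how a transform like the one above is applied to a captured request. It is not Tusk's own code: it assumes a simplified span shape (method, path, body), a glob-style pathPattern, and only the dotted $.a.b subset of jsonPath.

```python
import copy
import fnmatch

# Constructed example transform in the same shape as the page's configuration.
TRANSFORM = {
    "matcher": {"pathPattern": "/api/user/*", "method": "POST", "jsonPath": "$.user.password"},
    "action": {"type": "mask", "maskChar": "X"},
}

# Constructed example span (one captured request) carrying a sensitive field.
SPAN = {
    "method": "POST",
    "path": "/api/user/create",
    "body": {"user": {"email": "alice@example.com", "password": "hunter22"}},
}

def matches(matcher, span):
    """True when the span's path matches the glob pathPattern and the method matches."""
    return (fnmatch.fnmatchcase(span["path"], matcher["pathPattern"])
            and span["method"].upper() == matcher["method"].upper())

def apply_action(action, value):
    """Mask action: replace every character of the value with maskChar.
    Length is preserved, as in the page's example, so the field's length is
    still visible in the recorded span; use a fixed-width mask if that matters."""
    if action["type"] != "mask":
        raise ValueError(f"unsupported action type: {action['type']}")
    return action.get("maskChar", "*") * len(str(value))

def redact_path(body, json_path, action):
    """Walk a simple dotted jsonPath ($.a.b.c, an assumed subset) and mask the leaf.
    A missing intermediate key or leaf leaves the body untouched."""
    keys = json_path.lstrip("$").strip(".").split(".")
    node = body
    for key in keys[:-1]:
        if not isinstance(node, dict) or key not in node:
            return body
        node = node[key]
    if isinstance(node, dict) and keys[-1] in node:
        node[keys[-1]] = apply_action(action, node[keys[-1]])
    return body

def redact_span(span, transforms):
    """Return a redacted copy of the span; the original is never mutated."""
    out = copy.deepcopy(span)
    for t in transforms:
        if matches(t["matcher"], out):
            redact_path(out["body"], t["matcher"]["jsonPath"], t["action"])
    return out
```

Only the field named by jsonPath is touched; a span whose method or path does not match the matcher passes through unchanged.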
I