Setup & Integrations
Resolve Features
Sensitive Data Redaction
note this feature is in preview for issues, please contact support\@resolve ai mailto\ support\@resolve ai resolve can redact data to ensure no leaked sensitive data in your logs or traces even reaches resolve ai's storage layer the redaction approach you choose depends on the selected integration, whether using an on prem setup or a cloud based observability tool sensitive data includes personally identifiable information (pii), customer identifiable information (cii), cardholder data (chd) protecting this data ensures compliance with industry standards, including pci, dss, and gdpr there are 3 options for sensitive data redaction cloud advanced settings in the resolve page for a cloud based integration satellite data redaction capabilities with standard regexes sidecar deploy alongside the satellite to customize redaction logic data subject to redaction the following categories of sensitive information are subject to redaction logs entire raw log messages spans / traces attributes and tags metrics all metric names and label values redacted data patterns redaction is based on a list of regex expressions on common sensitive data see the full list below email phone number dob credit card number bank account card expiration date ssn ein ip address us street address option 1 redaction for cloud integrations sensitive data redaction can be enabled on a per integration basis open the desired integration, such as datadog , lightstep , or scalyr enable the redaction config within the integration settings by default, resolve ai redacts the all json paths listed in the "supported data types and observability platforms" section above you can also specify additional custom target json paths to redact as needed e g; $ data\[ ] attributes spans\[ ] mytags option 2 on prem redaction from satellite sidecar sensitive data redaction can be enabled on a per integration basis from the resolve satellite /resolve satellite md prerequisites the resolve satellite should already be installed in your environment if you need assistance with installation, refer to the instructions provided in resolve satellite /resolve satellite md section if you need assistance with the installation, refer to the instructions provided in the respective observability tool integration documentation the specific integration you want to redact data for should be set up through the resolve satellite update integration configuration update your helm values override file (e g resolve values yaml ) with the redactionconfig configuration for a specific integration (e g lightstep) resolve values yaml integrations lightsteponprem type "lightstep" create true connection token "your lightstep api token" orgid "your lightstep org id" projectid "your lightstep project id" servicemapenabled true redactionconfig enabled true install the satellite and apply the values from the yaml file that you have just updated e g resolve values yaml to find the latest version, visit resolve ai's docker hub repository for the helm chart and satellite apply config to satellite and redeploy helm upgrade install oci //registry 1 docker io/resolveaihq/satellite chart version \<latestchart> values resolve values yaml set image tag=\<latestimage> once your satellite is deployed, resolve automatically redacts sensitive data specific to its configured integration verify redaction is enabled login to https //app0 resolve ai/ https //app0 resolve ai/ go to the integrations page and and select the integration for which you enabled sensitive data redaction (e g lightstep) you should see an automatically created integration based on the provided configuration, including whether redaction is enabled security sidecar the security sidecar is a lightweight proxy deployed alongside the resolve satellite /resolve satellite md that enables security and redaction, beyond the redaction available by default in the resolve ai web app the sidecar works by resolving kubernetes secrets in http headers before requests hit your services redacting sensitive information from api responses before they reach clients audit and customize of redaction logic directly in the source code (contact us to request access to the repository) how it works 1\ secret resolution for advanced protection of api keys, configure secrets on the satelliteconfig using placeholders like $ load api key configuration update the resolve satellite /resolve satellite md values file with secret references in the form of $ load \<secret name> set the url of the sidecar as the proxy url (using http api client proxy url ) request flow the satellite forwards the request to the security sidecar proxy (using http api client proxy url ) the security sidecar detects headers with the $ load prefix the sidecar resolves these references by looking up the secret value from either an environment variable with the same name as \<secret name> a mounted kubernetes secret at the configured mount path (defaults to /etc/secrets/\<secret name> ) the sidecar forwards the request with the resolved headers to the actual service 2\ response redaction redacts sensitive data (e g , credit cards, emails, ssns) in api responses configured via enable redaction env var (default true ) sidecar installation contact support\@resolve ai mailto\ support\@resolve ai to request access to the sidecar repository