PII-Shield

PII-Shield is an open-source, zero-code log sanitization sidecar for Kubernetes that intercepts and redacts sensitive data from logs before they leave the pod. It uses context-aware entropy analysis and deterministic regex matching to detect and mask PII, secrets, and high-entropy tokens in real time. Built in Go for ultra-low memory usage and zero-GC overhead on hot paths, it supports both a Kubernetes Operator deployment model and an in-process WASM integration for sub-millisecond latency.

• Kubernetes Operator (Zero-code): Deploy via Helm to automatically inject a distroless sidecar into your pods — no Dockerfile or application code changes required.
• In-Process WASM: Embed the core engine directly into Node.js or Python agents for <1ms latency without network hops.
• Context-Aware Entropy Analysis: Detects high-entropy secrets even without explicit keys by analyzing surrounding context keywords.
• Custom Regex Rules: Define deterministic redaction patterns for structured data (UUIDs, IDs) via PII_CUSTOM_REGEX_LIST to guarantee 100% compliance.
• Deterministic Hashing: Replaces secrets with unique hashes (e.g., [HIDDEN:a1b2c]) so QA teams can correlate errors without accessing raw sensitive data.
• Whitelist Support: Use PII_SAFE_REGEX_LIST to explicitly allow safe patterns like git hashes or system IDs, preventing false positives.
• High Throughput: Processes text logs at >100k lines/s and JSON logs at ~7MB/s using zero-allocation manual parsing.
• Drop-in Compatibility: Works with any application language — Node.js, Python, Java, Go — with no code changes.
• Comprehensive Testing: Verified with unit tests (>85% coverage), native Go fuzzing, smoke tests, and full end-to-end E2E tests using Minikube and Helm.
• GDPR/SOC2 Ready: Prevents PII from reaching log aggregators, AI training datasets, or downstream systems, reducing compliance risk.