# PII-Shield

> Zero-code Kubernetes sidecar that redacts PII from logs before they leave the pod, ensuring GDPR/SOC2 compliance without any code changes.

PII-Shield is an open-source, zero-code log sanitization sidecar for Kubernetes that intercepts and redacts sensitive data from logs before they leave the pod. It uses context-aware entropy analysis and deterministic regex matching to detect and mask PII, secrets, and high-entropy tokens in real time. Built in Go for ultra-low memory usage and zero-GC overhead on hot paths, it supports both a Kubernetes Operator deployment model and an in-process WASM integration for sub-millisecond latency.

- **Kubernetes Operator (Zero-code)**: *Deploy via Helm to automatically inject a distroless sidecar into your pods — no Dockerfile or application code changes required.*
- **In-Process WASM**: *Embed the core engine directly into Node.js or Python agents for `<1ms` latency without network hops.*
- **Context-Aware Entropy Analysis**: *Detects high-entropy secrets even without explicit keys by analyzing surrounding context keywords.*
- **Custom Regex Rules**: *Define deterministic redaction patterns for structured data (UUIDs, IDs) via `PII_CUSTOM_REGEX_LIST` to guarantee 100% compliance.*
- **Deterministic Hashing**: *Replaces secrets with unique hashes (e.g., `[HIDDEN:a1b2c]`) so QA teams can correlate errors without accessing raw sensitive data.*
- **Whitelist Support**: *Use `PII_SAFE_REGEX_LIST` to explicitly allow safe patterns like git hashes or system IDs, preventing false positives.*
- **High Throughput**: *Processes text logs at >100k lines/s and JSON logs at ~7MB/s using zero-allocation manual parsing.*
- **Drop-in Compatibility**: *Works with any application language — Node.js, Python, Java, Go — with no code changes.*
- **Comprehensive Testing**: *Verified with unit tests (>85% coverage), native Go fuzzing, smoke tests, and full end-to-end (E2E) tests using Minikube and Helm.*
- **GDPR/SOC2 Ready**: *Prevents PII from reaching log aggregators, AI training datasets, or downstream systems, reducing compliance risk.*

## Features
- Zero-code sidecar injection via Kubernetes Operator
- In-process WASM integration for <1ms latency
- Context-aware entropy analysis for secret detection
- Custom regex rules for deterministic redaction
- Deterministic hashing of redacted values
- Whitelist support to prevent false positives
- Zero-allocation JSON parsing
- Distroless sidecar for minimal attack surface
- GDPR and SOC2 compliance support
- Works with any application language (Node, Python, Java, Go)
- Helm chart deployment
- Native Sidecar pattern support (K8s 1.28+)

## Integrations
Kubernetes, Helm, Docker, Fluentd, Logstash, Node.js, Python, Java, Go, Minikube, GitHub Container Registry, Docker Hub

## Platforms
Windows, macOS, Linux, API, Developer SDK, CLI

## Pricing
Open Source

## Version
pii-shield-2.0.0

## Links
- Website: https://pii-shield.com/
- Documentation: https://github.com/aragossa/pii-shield/blob/main/CONFIGURATION.md
- Repository: https://github.com/aragossa/pii-shield
- EveryDev.ai: https://www.everydev.ai/tools/pii-shield
