While predefined data masking entities (e.g., credit card numbers, SSNs) cover many standard use cases, you may need to define custom rules for domain-specific data or unique patterns. Custom rules give you fine-grained control over exactly which information is masked and how it is replaced.

What Are Custom Rules?

Custom rules specify either a keyword or regex pattern to match sensitive data. When the plugin encounters a match, it replaces the sensitive text with a placeholder (e.g., [MASKED_SECRET]). This mechanism ensures your logs, debugging outputs, or API responses never contain the actual sensitive values.

Example: Custom Regex & Keyword

Below is a minimal configuration snippet showing two custom rules:
  • A regex rule to mask any standalone 6-digit code with [MASKED_PIN].
  • A keyword rule to identify the string internal-secret and replace it with [MASKED_SECRET].
{
  "name": "data_masking",
  "enabled": true,
  "settings": {
    "apply_all": false,
    "rules": [
      {
        "type": "regex",
        "pattern": "\\b\\d{6}\\b",
        "mask_with": "[MASKED_PIN]"
      },
      {
        "type": "keyword",
        "pattern": "internal-secret",
        "mask_with": "[MASKED_SECRET]"
      }
    ]
  }
}

Combined Configuration

{
  "name": "data_masking",
  "enabled": true,
  "settings": {
    "apply_all": false,
    "predefined_entities": [
      {
        "entity": "credit_card",
        "enabled": true
      },
      {
        "entity": "ssn",
        "enabled": true
      }
    ],
    "rules": [
      {
        "type": "regex",
        "pattern": "custom-[A-Z]{3}\\d{4}",
        "mask_with": "[MASKED_CUSTOM]"
      }
    ],
    "similarity_threshold": 0.8,
    "max_edit_distance": 1
  }
}