Hi HN,

I built LogShield as an experiment in deterministic log sanitization. I wanted to see whether a purely rule-based approach could reliably remove secrets from logs without breaking structure or causing false positives.

LogShield is a small open-source CLI designed to work as a drop-in filter in pipelines:

- Reads from stdin, writes sanitized logs to stdout

- Explicit, inspectable rules (no probabilistic or ML-based masking)

- Same input → same output, every time

- Focused on avoiding false positives that break debugging

Typical use cases I had in mind:

- Sharing logs in issues, Slack, or support tickets

- CI/CD pipelines before uploading artifacts

- Log shipping to third-party services

Example:

cat app.log | logshield scan --strict > safe.log

The rule set is intentionally conservative and fully inspectable. I’m especially interested in feedback on:

- Rule coverage vs. false-positive risk

- Edge cases where this approach would fail or be unsafe

- Situations where you would not trust a tool like this in your workflow

Repo: https://github.com/afria85/LogShield

Thanks for taking a look.
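
The design constraints listed in the post (explicit ordered rules, identical output for identical input, structure left intact, conservative matching) can be sketched as follows. This is an added example, not LogShield's code: the rule names, patterns, `<REDACTED:...>` marker format and sample lines are all assumptions made for illustration. The last two sample lines show the trade-off the post asks about: a commit SHA is correctly left alone, and a credential embedded in a connection URL passes through because no rule here covers it.

```python
import re
import sys

# Hypothetical rules for illustration only; NOT LogShield's actual rule set.
KEYS = r"password|passwd|secret|token|api[_-]?key"

def _mask_value(m):
    """Keep key, separator and any surrounding quotes; replace only the value."""
    val = m.group(3)
    quoted = len(val) >= 2 and val[0] in "\"'" and val[-1] == val[0]
    q = val[0] if quoted else ""
    return f"{m.group(1)}{m.group(2)}{q}<REDACTED:kv_secret>{q}"

# Ordered (name, pattern, replacement); the fixed order keeps output deterministic.
RULES = [
    ("bearer", re.compile(r"(?i)\b(bearer\s+)[A-Za-z0-9._~+/=-]{16,}"),
     r"\1<REDACTED:bearer>"),
    ("kv_secret", re.compile(
        r"(?i)([\w.-]*(?:" + KEYS + r"))([\"']?\s*[=:]\s*)"
        r"(\"[^\"]*\"|'[^']*'|[^\s,;&}\]]+)"), _mask_value),
]

def sanitize_line(line):
    """Apply every rule in order; return (sanitized line, names of rules that fired)."""
    fired = []
    for name, pattern, repl in RULES:
        line, n = pattern.subn(repl, line)
        if n:
            fired.append(name)
    return line, fired

# Constructed sample lines (not taken from any real system).
SAMPLE = [
    'ts=2024-01-01T00:00:00Z level=info msg="login ok" user=alice password=hunter2',
    '{"event":"call","api_key":"k-1234567890abcdef","max_tokens":128}',
    'GET /v1/items Authorization: Bearer abcdefghijklmnopqrstuvwxyz012345',
    'deploy commit=9fceb02d0ae598e95dc970b74767f19372d61af8 status=ok',
    'db connect postgres://app:s3cr3t@db.internal/prod failed',
]

if __name__ == "__main__":
    # Filter mode: stdin -> stdout, the same shape as the pipeline usage in the post.
    for raw in sys.stdin:
        sys.stdout.write(sanitize_line(raw.rstrip("\n"))[0] + "\n")
```

Running the sanitizer over its own output leaves it unchanged, which is a cheap regression check for any rule set of this kind.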