ops0 integrates with Microsoft Presidio to automatically detect personally identifiable information (PII) and other sensitive data in your infrastructure configurations. This helps prevent accidental exposure of sensitive data in IaC code, configuration files, and discovered resources.

ops0 scans content from the following sources:

| Source | Description |
|---|---|
| IaC Code | Terraform files, variable values, and outputs |
| Configuration Files | Ansible playbooks, Kubernetes manifests |
| Discovered Resources | Tags, metadata, and configuration data from cloud scans |
| Environment Variables | Values passed to deployments |
Presidio can identify a wide range of sensitive data patterns. Its predefined recognizers cover the personal, financial, government ID and network categories below; secrets such as API keys, passwords and tokens are not part of Presidio's default recognizer set and are matched through custom pattern recognizers (Presidio's `PatternRecognizer` with your own regexes).

| Category | Examples |
|---|---|
| Personal Information | Names, email addresses, phone numbers |
| Financial | Credit card numbers, bank account numbers, IBAN |
| Government IDs | Social security numbers, passport numbers, driver's license |
| Healthcare | Medical record numbers |
| Network | IP addresses, URLs with credentials |
| Authentication | API keys, passwords, tokens |
When you create or modify IaC code, ops0 sends the content to the Presidio analyzer for PII detection.
Presidio returns each detected entity with its entity type, its position in the text, and a confidence score.
If sensitive data is detected, ops0 flags the affected files and shows a warning before deployment.
Replace any hardcoded sensitive value with a variable reference, a vault lookup, or an environment variable; the next modification is scanned again, so the warning clears once the literal is gone.
Each detection carries a confidence score between 0.0 and 1.0:

| Score | Meaning |
|---|---|
| High (0.8-1.0) | Strong pattern match, very likely sensitive data |
| Medium (0.5-0.79) | Possible sensitive data, review recommended |
| Low (0.0-0.49) | Weak match, likely a false positive |
Sensitive data detection works alongside ops0's policy engine. You can create policies that block deployments containing detected PII, or set them to warn-only mode for less critical environments.
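The scan, score-bucketing and policy steps described above, as one runnable sketch added here as an example (not ops0's or Presidio's own code). To run offline without the presidio-analyzer package it replaces the analyzer with a few Presidio-style pattern recognizers (regex, checksum validation, context-word score boost) that return the same fields as a Presidio RecognizerResult; in a real integration `scan()` would be `AnalyzerEngine().analyze(text=..., language="en")`. The recognizer list, the AWS_ACCESS_KEY and HARDCODED_PASSWORD custom recognizers, the `gate()` policy and both Terraform snippets are constructed assumptions of this example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """Same fields a Presidio RecognizerResult carries."""
    entity_type: str
    start: int
    end: int
    score: float


def luhn_ok(number: str) -> bool:
    """Checksum Presidio's CREDIT_CARD recognizer applies before trusting a regex hit."""
    digits = [int(c) for c in re.sub(r"\D", "", number)]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# (entity_type, pattern, score for a bare match, validator that lifts the score to 1.0 or discards the hit)
# Assumed recognizers modelled on Presidio's; the last two are custom (Presidio has no built-in secret detectors).
RECOGNIZERS = [
    ("EMAIL_ADDRESS", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), 1.0, None),
    ("CREDIT_CARD", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), 0.3, luhn_ok),
    ("IP_ADDRESS", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), 0.6, None),
    ("US_BANK_NUMBER", re.compile(r"\b\d{8,17}\b"), 0.05, None),  # weak pattern: low score on purpose
    ("AWS_ACCESS_KEY", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0.8, None),
    ("HARDCODED_PASSWORD", re.compile(r'password\s*=\s*"(?P<value>(?!\$\{)[^"]+)"'), 0.6, None),
]
CONTEXT_WORDS = {"password", "secret", "token", "key", "card", "email", "ip"}
CONTEXT_BOOST = 0.35  # Presidio's default context similarity factor


def scan(text: str) -> list[Finding]:
    """Stand-in for AnalyzerEngine.analyze(): pattern match, validate, then boost on context words.
    Simplification: the context window is the text before the hit on the same line."""
    findings = []
    for entity, pattern, base, validate in RECOGNIZERS:
        grp = "value" if "value" in pattern.groupindex else 0
        for m in pattern.finditer(text):
            start, end, value = m.start(grp), m.end(grp), m.group(grp)
            score = base
            if validate is not None:
                if not validate(value):
                    continue  # checksum failed: Presidio discards the hit entirely
                score = 1.0
            line_start = text.rfind("\n", 0, start) + 1
            words = set(re.findall(r"[a-z]+", text[line_start:start].lower()))
            if words & CONTEXT_WORDS:
                score = min(1.0, score + CONTEXT_BOOST)
            findings.append(Finding(entity, start, end, round(score, 2)))
    return sorted(findings, key=lambda f: f.start)


def severity(score: float) -> str:
    """Buckets from the confidence-score table."""
    return "high" if score >= 0.8 else "medium" if score >= 0.5 else "low"


def gate(findings: list[Finding], mode: str = "block", block_at: float = 0.8) -> str:
    """Policy decision: 'block', 'warn' or 'pass'. Warn-only mode never blocks."""
    top = max((f.score for f in findings), default=0.0)
    if mode == "block" and top >= block_at:
        return "block"
    return "warn" if top >= 0.5 else "pass"


def report(text: str, findings: list[Finding]) -> list[str]:
    """One line per finding; the value is masked so the secret is not echoed into CI logs."""
    lines = []
    for f in findings:
        raw = text[f.start:f.end]
        line_no = text.count("\n", 0, f.start) + 1
        lines.append(f"line {line_no}: {f.entity_type} score={f.score} ({severity(f.score)}) "
                     f"value={raw[:3] + '*' * (len(raw) - 3)}")
    return lines


# Constructed sample input: a Terraform file with hardcoded sensitive values.
SAMPLE_TF = '''resource "aws_db_instance" "app" {
  username = "admin"
  password = "Tr0ub4dor&3"
  tags = {
    owner   = "jane.doe@example.com"
    card    = "4111 1111 1111 1111"
    bastion = "10.20.30.40"
    ticket  = "20240117"
  }
}
provider "aws" {
  access_key = "AKIAIOSFODNN7EXAMPLE"
}
'''

# Constructed remediated version: literals replaced by a secret lookup and variable references.
FIXED_TF = '''resource "aws_db_instance" "app" {
  username = "admin"
  password = data.aws_secretsmanager_secret_version.db.secret_string
  tags = {
    owner   = var.owner_email
    bastion = "10.20.30.40"
    ticket  = "20240117"
  }
}
provider "aws" {}  # credentials come from the environment or an assumed role, not the file
'''

if __name__ == "__main__":
    for label, tf in (("before", SAMPLE_TF), ("after", FIXED_TF)):
        found = scan(tf)
        print(f"== {label}: verdict (block mode) = {gate(found)}, (warn-only) = {gate(found, mode='warn')}")
        print("\n".join(report(tf, found)))
```

The "before" file blocks in block mode because the password, e-mail, card number and access key all land in the high bucket; the card number only reaches 1.0 because the Luhn check passes, and a number that fails it (`scan('card = "1234 5678 9012 3456"')`) is dropped rather than reported as a low-confidence hit. The remediated file still returns `warn`: the internal IP stays at 0.6, which is exactly the "review recommended" case, and the eight-digit ticket number is listed at 0.05 as a likely false positive without affecting the verdict.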