# Sensitive Data Detection
ops0 integrates with Microsoft Presidio to automatically detect personally identifiable information (PII) and other sensitive data in your infrastructure configurations. This helps prevent accidental exposure of sensitive data in IaC code, configuration files, and discovered resources.
## What Gets Scanned
| Source | Description |
|---|---|
| IaC Code | Terraform files, variable values, and outputs |
| Configuration Files | Ansible playbooks, Kubernetes manifests |
| Discovered Resources | Tags, metadata, and configuration data from cloud scans |
| Environment Variables | Values passed to deployments |
## Detected Data Types
Presidio can identify a wide range of sensitive data patterns:
| Category | Examples |
|---|---|
| Personal Information | Names, email addresses, phone numbers |
| Financial | Credit card numbers, bank account numbers, IBAN |
| Government IDs | Social security numbers, passport numbers, driver's license |
| Healthcare | Medical record numbers |
| Network | IP addresses, URLs with credentials |
| Authentication | API keys, passwords, tokens |
## How It Works
### 1. Automatic Scanning
When you create or modify IaC code, ops0 sends the content to the Presidio analyzer for PII detection.
### 2. Detection Results
Presidio returns any detected sensitive data entities with confidence scores and entity types.
### 3. Alerts
If sensitive data is detected, ops0 flags the affected files and shows a warning before deployment.
### 4. Remediation
You can replace hardcoded sensitive values with variable references, vault lookups, or environment variables.
## Confidence Scores
| Score | Meaning |
|---|---|
| High (0.8-1.0) | Strong pattern match, very likely sensitive data |
| Medium (0.5-0.79) | Possible sensitive data, review recommended |
| Low (0.0-0.49) | Weak match, likely a false positive |
## Integration with Policies
Sensitive data detection works alongside ops0's policy engine. You can create policies that block deployments containing detected PII, or set them to warn-only mode for less critical environments.
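The following added example walks through the pipeline described above end to end: scan a Terraform variables file, bucket each finding into the High/Medium/Low confidence bands, decide block versus warn-only the way a policy would, and rewrite flagged literals into variable references. It is not ops0 or Presidio code. The `Finding` dataclass carries the same four fields (`entity_type`, `start`, `end`, `score`) that Presidio's `RecognizerResult` exposes, but the regex recognizers, their scores, the `SECRET_VALUE` entity name, the `policy_decision` and `remediate` helpers, and the sample file contents are all constructed stand-ins for the real analyzer output.

```python
"""Constructed example: scan IaC text for sensitive data, band findings by
confidence, apply a block/warn policy, and rewrite flagged literals."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """Mirrors the fields of presidio_analyzer.RecognizerResult."""
    entity_type: str
    start: int
    end: int
    score: float


# Constructed Terraform variables file; every value is fabricated test data.
SAMPLE_TFVARS = (
    'owner_email    = "jane.doe@example.com"\n'
    'db_host        = "10.20.30.40"\n'
    'card_on_file   = "4111 1111 1111 1111"\n'
    'region         = "us-east-1"\n'
    'admin_password = "hunter2"\n'
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Assumption: a literal assigned to a key named like a secret is a finding.
SECRET_KEY_RE = re.compile(
    r'^\s*(\w*(?:password|secret|token|api_key)\w*)\s*=\s*"([^"]*)"', re.I | re.M
)
ASSIGN_RE = re.compile(r'^(\s*)(\w+)(\s*=\s*)"[^"]*"\s*$')


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def analyze(text: str) -> list[Finding]:
    """Stand-in for AnalyzerEngine.analyze(); scores are constructed, not Presidio's."""
    found: list[Finding] = []
    for m in EMAIL_RE.finditer(text):
        found.append(Finding("EMAIL_ADDRESS", m.start(), m.end(), 0.85))
    for m in IPV4_RE.finditer(text):
        if all(0 <= int(o) <= 255 for o in m.group().split(".")):
            found.append(Finding("IP_ADDRESS", m.start(), m.end(), 0.6))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # A failed Luhn check drops the score into the "likely false positive" band.
        found.append(Finding("CREDIT_CARD", m.start(), m.end(), 1.0 if luhn_ok(digits) else 0.3))
    for m in SECRET_KEY_RE.finditer(text):
        found.append(Finding("SECRET_VALUE", m.start(2), m.end(2), 0.5))
    return sorted(found, key=lambda f: f.start)


def confidence_band(score: float) -> str:
    """The three bands from the Confidence Scores table."""
    if score >= 0.8:
        return "High"
    if score >= 0.5:
        return "Medium"
    return "Low"


def policy_decision(findings: list[Finding], mode: str = "block", min_score: float = 0.5) -> str:
    """mode='block' stops the deploy; mode='warn' only reports (less critical environments)."""
    if not any(f.score >= min_score for f in findings):
        return "allow"
    return "block" if mode == "block" else "warn"


def remediate(text: str, findings: list[Finding], min_score: float = 0.5) -> str:
    """Rewrite each flagged `key = "literal"` line to `key = var.key`, moving the
    value out of the file so it can be supplied from a vault or the environment."""
    flagged_lines = {text.count("\n", 0, f.start) for f in findings if f.score >= min_score}
    out = []
    for i, line in enumerate(text.splitlines()):
        m = ASSIGN_RE.match(line)
        if i in flagged_lines and m:
            indent, key, eq = m.groups()
            out.append(f"{indent}{key}{eq}var.{key}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    results = analyze(SAMPLE_TFVARS)
    for f in results:
        print(f"{f.entity_type:14} {confidence_band(f.score):6} score={f.score:.2f} "
              f"text={SAMPLE_TFVARS[f.start:f.end]!r}")
    print("prod (block mode):", policy_decision(results, "block"))
    print("dev  (warn mode): ", policy_decision(results, "warn"))
    print(remediate(SAMPLE_TFVARS, results))
```

Running the script lists four findings (the email and Luhn-valid card as High, the IP address and password literal as Medium), reports `block` for the production policy and `warn` for the relaxed one, and prints the variables file with the four flagged assignments rewritten to `var.<key>` while the harmless `region` line is left alone. The `min_score` threshold of 0.5 is where the Medium band begins; raising it to 0.8 would make the policy act on High findings only.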