Why Secret Redaction Matters

When you send code to an AI service for analysis, you need to make sure that sensitive information such as API keys, passwords, and tokens isn't accidentally exposed. Even with trusted providers, it's best practice to redact sensitive data before analysis. AI Diff Review's secret redaction system makes this automatic.

How Secret Redaction Works

Before sending code to an AI provider, AI Diff Review scans it for patterns that match known secret formats. Each match is replaced with [REDACTED], so the actual secret is never handed to the provider: it stays out of the prompt for local providers and is never sent to a cloud provider.

The redaction happens automatically and transparently—you don't need to manually mark secrets or remember to remove them. The plugin handles it all for you.

Built-in Patterns

AI Diff Review comes with built-in patterns for common secret types:

  • OpenAI API keys: Matches sk- prefixed keys
  • GitHub tokens: Matches ghp_, gho_, and similar prefixes
  • AWS credentials: Matches AKIA access keys and secret keys
  • Generic key-value pairs: Matches patterns like API_KEY=, SECRET=, etc.
  • Common token formats: JWT tokens, OAuth tokens, and similar

These default patterns cover the most common secret types, but you can customize them to match your specific needs.

Configuring Redaction Scope

You can control where secret redaction is applied:

Diffs Only

Redact secrets only in the unified diffs that show what changed. This is useful if you're confident that full file content doesn't contain secrets, or if you're only concerned about newly added secrets.

Full Content

Redact secrets in the complete file content when it's included in the analysis. This provides maximum protection but may reduce analysis quality, since the AI no longer sees the full context.

Both

Redact secrets in both diffs and full content. This is the most secure option and is recommended for most use cases.

Custom Redaction Patterns

While the built-in patterns cover common cases, you'll likely need to add custom patterns for your specific codebase. AI Diff Review makes this easy through the settings panel.

Adding Patterns

To add a custom pattern:

  1. Go to Settings → Tools → AI Diff Review
  2. Navigate to the Secret Redaction section
  3. Click "Add Pattern"
  4. Enter your regex pattern
  5. The pattern is validated immediately—invalid patterns are rejected with an error message

Pattern Format

Patterns use regular expressions (regex), giving you powerful matching capabilities. For example:

  • API_KEY\s*=\s*['"]?[A-Za-z0-9]{32}['"]? - Matches API_KEY assignments whose value is 32 alphanumeric characters, quoted or unquoted
  • password\s*[:=]\s*['"]?[^'"]+['"]? - Matches password assignments written as password = value or password: value, quoted or unquoted
  • secret[_-]?key\s*[:=]\s*['"]?[^'"]+['"]? - Matches secret_key, secret-key, and secretkey assignments

Pattern Management

You can:

  • View all patterns (built-in and custom)
  • Edit existing custom patterns
  • Remove custom patterns
  • Reorder patterns (they're applied top-down)
  • Import/export pattern sets (one regex per line)

Pattern reordering is important because redaction happens in order. If you have overlapping patterns, the first match wins. This allows you to create more specific patterns that take precedence over general ones.
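The pipeline described under How Secret Redaction Works, the three scope settings, and the top-down, first-match-wins ordering, as one added Python example. This is not the plugin's own code: the pattern list is a constructed approximation of the built-in categories, the sample diff and file content are constructed, and the span-claiming implementation of "first match wins" is this example's design, not a description of how the plugin does it. It also counts what would still leave the machine under each scope, which is the check a request preview should make.

```python
import re
from enum import Enum

REDACTED = "[REDACTED]"


class Scope(Enum):
    DIFFS_ONLY = "diffs"      # redact the unified diff only
    FULL_CONTENT = "full"     # redact attached full file content only
    BOTH = "both"             # redact both (the recommended setting)


# Ordered (name, regex) list. Constructed approximations of the built-in
# categories the docs name, not the plugin's actual expressions. Specific
# formats come first; the broad key-value pattern comes last.
DEFAULT_PATTERNS = [
    ("openai_key", r"sk-[A-Za-z0-9_-]{20,}"),
    ("github_token", r"gh[pousr]_[A-Za-z0-9]{36}"),
    ("aws_access_key", r"AKIA[0-9A-Z]{16}"),
    ("generic_kv", r"(?i)(api_key|secret|password|token)\s*[:=]\s*['\"]?[^'\"\s]+['\"]?"),
]


def compile_patterns(patterns):
    return [(name, re.compile(rx)) for name, rx in patterns]


def find_redactions(text, compiled):
    """Return sorted, non-overlapping (start, end, pattern_name) spans.

    Patterns run top-down and the first match wins: a span already claimed
    by an earlier pattern is skipped, so a later, broader pattern can neither
    swallow nor re-redact what a more specific one already handled. (A naive
    chain of re.sub calls would let the broad pattern match the placeholder.)
    """
    claimed = []
    for name, rx in compiled:
        for m in rx.finditer(text):
            start, end = m.span()
            if start == end:
                continue
            if any(start < c_end and end > c_start for c_start, c_end, _ in claimed):
                continue
            claimed.append((start, end, name))
    return sorted(claimed)


def redact_text(text, compiled):
    """Replace every claimed span with [REDACTED]; return (new_text, spans)."""
    spans = find_redactions(text, compiled)
    out, pos = [], 0
    for start, end, _ in spans:
        out.append(text[pos:start])
        out.append(REDACTED)
        pos = end
    out.append(text[pos:])
    return "".join(out), spans


def redact_request(diff, files, scope, compiled):
    """Apply the configured scope to the diff and the attached file contents."""
    do_diff = scope in (Scope.DIFFS_ONLY, Scope.BOTH)
    do_full = scope in (Scope.FULL_CONTENT, Scope.BOTH)
    return {
        "diff": redact_text(diff, compiled)[0] if do_diff else diff,
        "files": {path: (redact_text(body, compiled)[0] if do_full else body)
                  for path, body in files.items()},
    }


def residual_secrets(request, compiled):
    """Count matches that survive in the outgoing request. Matches that already
    contain the placeholder are the redaction itself and are not counted."""
    texts = [request["diff"], *request["files"].values()]
    return sum(1 for text in texts for _, rx in compiled
               for m in rx.finditer(text) if m.group(0) and REDACTED not in m.group(0))


# Constructed sample commit: the diff adds two credentials; the full file also
# still carries an old password that the diff does not touch.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,3 +1,4 @@
 import os
-OPENAI_KEY = os.environ["OPENAI_KEY"]
+OPENAI_KEY = "sk-CONSTRUCTED0123456789abcdefghij"
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"
 DEBUG = False
"""
SAMPLE_FILES = {"config.py": """\
import os
OPENAI_KEY = "sk-CONSTRUCTED0123456789abcdefghij"
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"
DB_PASSWORD = "hunter2-constructed"  # pre-existing, not part of the diff
DEBUG = False
"""}


def ordering_demo():
    """Same line, same two patterns, different order. Specific first keeps the
    surrounding context; the general one (the docs' password regex) first
    redacts the whole assignment."""
    specific = ("openai_key", r"sk-[A-Za-z0-9_-]{20,}")
    general = ("password_assignment", r"password\s*[:=]\s*['\"]?[^'\"]+['\"]?")
    line = 'password = "sk-CONSTRUCTED0123456789abcdefghij"'
    return (redact_text(line, compile_patterns([specific, general]))[0],
            redact_text(line, compile_patterns([general, specific]))[0])


if __name__ == "__main__":
    compiled = compile_patterns(DEFAULT_PATTERNS)
    for scope in Scope:
        request = redact_request(SAMPLE_DIFF, SAMPLE_FILES, scope, compiled)
        print(f"{scope.name:<12} residual secrets: {residual_secrets(request, compiled)}")
    print(*ordering_demo(), sep="\n")
```

Run as-is, the DIFFS_ONLY scope leaves three matches in the attached file content (the two new credentials and the old password), FULL_CONTENT leaves the two in the diff, and only BOTH leaves none. The ordering demo shows why specific patterns should sit above general ones: the output is either password = "[REDACTED]" or a bare [REDACTED], and only the first keeps the context that tells the reviewer what was set.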

Import and Export

If you have multiple team members or want to share patterns across projects, you can export your pattern set to a text file (one regex per line) and import it on other machines. This ensures consistent redaction across your team.

Validation

Each pattern is validated when you add or edit it. Invalid regex patterns are rejected immediately with an inline error message explaining what's wrong. This prevents you from saving patterns that won't work, saving you time and frustration.

Best Practices

Start with Defaults

Begin with the built-in patterns and only add custom ones as needed. The defaults cover most common cases and are well-tested.

Test Your Patterns

After adding a custom pattern, test it with a sample commit to ensure it matches what you expect. You can see what gets redacted in the request preview (if enabled).

Be Specific

More specific patterns are better than overly broad ones. A pattern that matches everything will redact too much, reducing analysis quality.
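Pattern import and export, the inline error a bad regex would produce at validation time, and a dry run against a sample commit of the kind Test Your Patterns recommends, with a too-broad check in the spirit of Be Specific: an added Python example, not the plugin's own code. The pattern file and sample commit are constructed (two of the pattern lines reuse the regexes from Pattern Format); skipping blank lines, the 50% coverage threshold and the empty-match check are assumptions of this example.

```python
import re


def parse_pattern_set(text):
    """Parse an exported pattern set: one regex per line (blank lines are
    skipped, an assumption of this example). Returns (compiled, errors);
    each error is (line_number, pattern, message), the message being what
    an inline validation error would show."""
    compiled, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        pattern = raw.strip()
        if not pattern:
            continue
        try:
            compiled.append((lineno, re.compile(pattern)))
        except re.error as exc:
            errors.append((lineno, pattern, f"{exc.msg} at position {exc.pos}"))
    return compiled, errors


def export_pattern_set(compiled):
    """Inverse of parse_pattern_set: one regex per line, in order."""
    return "\n".join(rx.pattern for _, rx in compiled) + "\n"


def dry_run(compiled, sample):
    """Report what each pattern would redact in a sample commit and flag
    patterns that are too broad: they match the empty string or would
    redact more than half of the sample (threshold is an assumption)."""
    report = []
    total = max(len(sample), 1)
    for lineno, rx in compiled:
        matches = [m.group(0) for m in rx.finditer(sample) if m.group(0)]
        coverage = sum(len(m) for m in matches) / total
        report.append({
            "line": lineno,
            "pattern": rx.pattern,
            "matches": matches,
            "coverage": round(coverage, 2),
            "too_broad": rx.match("") is not None or coverage > 0.5,
        })
    return report


# Constructed pattern file: three usable patterns, one with a syntax error
# (unterminated character set) and one that matches everything.
PATTERN_FILE = r"""sk-[A-Za-z0-9_-]{20,}
API_KEY\s*=\s*['"]?[A-Za-z0-9]{32}['"]?
secret[_-]?key\s*[:=]\s*['"]?[^'"]+['"]?
[A-Za-z0-9{8,}
.*
"""

# Constructed sample commit (added lines only) to test the patterns against.
SAMPLE_COMMIT = """\
+OPENAI_KEY = "sk-CONSTRUCTED0123456789abcdefghij"
+API_KEY = "0123456789abcdef0123456789abcdef"
+secret_key: 'constructed-secret-value'
+name = "report.csv"
"""


if __name__ == "__main__":
    compiled, errors = parse_pattern_set(PATTERN_FILE)
    for lineno, pattern, message in errors:
        print(f"line {lineno}: rejected {pattern!r}: {message}")
    for entry in dry_run(compiled, SAMPLE_COMMIT):
        flag = "  <- too broad" if entry["too_broad"] else ""
        print(f"line {entry['line']}: {len(entry['matches'])} match(es), "
              f"coverage {entry['coverage']:.0%}{flag}")
```

Line 4 of the pattern file is rejected with the regex engine's own message and the position of the fault, which is the kind of feedback the settings panel's validation gives; line 5 compiles fine, which is the point of the dry run: a syntactically valid pattern can still redact everything, and only testing against a real sample shows that.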

Order Matters

Place more specific patterns before general ones. This ensures that specific cases are handled correctly before falling back to general patterns.

Review Regularly

Periodically review your patterns to ensure they're still relevant and not causing false positives or missing new secret types.

Privacy Considerations

Even with secret redaction, remember:

  • With local providers (Ollama/LM Studio), your code never leaves your machine, so redaction is an extra safety measure
  • With cloud providers, redaction is essential—always enable it and review your patterns
  • Redaction is not perfect—complex obfuscated secrets might not match patterns
  • When in doubt, use local providers for highly sensitive code

Conclusion

Secret redaction is a critical security feature that protects your sensitive data during AI analysis. By configuring appropriate patterns and scope, you can ensure that secrets never accidentally get exposed while still benefiting from comprehensive code analysis.

The combination of built-in patterns and customizable regex support gives you the flexibility to protect your specific secret formats while maintaining ease of use. Regular review and testing of your patterns ensures ongoing protection as your codebase evolves.

Remember: security is a process, not a one-time setup. Regularly review and update your redaction patterns to keep your secrets safe.

Ready to secure your code analysis? Install AI Diff Review and configure your secret redaction patterns today.