Gatekeeper inqaba-security/gatekeeper
v1.x

Privacy & Redaction

Security telemetry is only useful if you can keep it — and keeping it means being deliberate about what personal data leaves your application. Every event passes through the redactor before shipping.

Key-based redaction#

Context keys matching the privacy.redact_keys list (case-insensitive, recursive through nested arrays) are replaced with [REDACTED]:

'redact_keys' => [
    'password', 'password_confirmation', 'current_password', 'secret',
    'token', 'api_key', 'authorization', 'credit_card', 'cvv', 'ssn',
],

So this:

Siem::log('payment_failed', 'Charge declined', Severity::Medium, [
    'amount' => 4900,
    'card' => ['credit_card' => '4111111111111111', 'last4' => '1111'],
]);

ships as:

{
    "laravel": {
        "context": {
            "amount": 4900,
            "card": { "credit_card": "[REDACTED]", "last4": "1111" }
        }
    }
}

Passwords are also structurally excluded at the source: the failed-login listener strips the password key from attempted credentials before it ever builds the event.

Username pseudonymization#

With SIEM_HASH_USERNAMES=true, user.name ships as a salted-free sha256 hash:

{ "user": { "id": "7", "name": "sha256:ff8d9819fc0e12bf0d24892e45987e249a28dce836a85cad60e28eaaa8c6d976" } }

Analysts can still correlate ("the same account failed to log in from 3 countries") without the SIEM storing raw email addresses. The hash is deterministic (lowercased, trimmed input), so the same identifier always produces the same value across events.

user.id is always shipped as-is — it's the stable join key back to your database when an investigation needs to identify the account through proper channels.

What Gatekeeper never collects#

  • Request bodies are not shipped by default (privacy.include_request_body is false).
  • The threat scanner reports which input key matched which rule — not the offending value itself.
  • Passwords and any redact-listed key never leave the application in any code path.

GDPR / POPIA considerations#

  • IP addresses are personal data in most jurisdictions. Gatekeeper ships them (they're the core security signal), so cover SIEM storage in your retention policy and processing records. Sentinel and Wazuh both support table/index-level retention.
  • Combine hash_usernames with your SIEM's retention controls for a defensible position: short-lived raw IPs, pseudonymous identifiers, and a documented security-interest lawful basis.
  • The never_block list prevents your own infrastructure from appearing in blocklists, but its events still ship — filter office IPs SOC-side if policy requires it.