Log Engine is built with security as a core principle. This document outlines our security policies, practices, and how to report vulnerabilities.
- PII Protection: Automatically redacts passwords, API keys, emails, and other sensitive data
- Custom Patterns: Support for custom regex patterns to match organization-specific sensitive data
- Runtime Configuration: Dynamic field management with environment-based configuration
- Zero-Config Security: Secure by default with no configuration required
The project includes comprehensive security scanning tools:

```bash
# Run security-focused linting
yarn lint:security

# Run dependency vulnerability scanning (requires Snyk account)
yarn secure:test

# Run code security analysis (requires Snyk account)
yarn secure:code

# Run complete security checks
yarn secure
```

For Developers:
- Use `LogEngine.testFieldRedaction('fieldName')` to verify redaction rules
- Leverage `LogEngine.withoutRedaction()` only in development environments
- Review logs regularly to ensure sensitive data isn't being exposed
- Use environment-based configuration to disable redaction only in development
For Production:
- Never disable redaction in production environments
- Regularly audit custom redaction patterns
- Monitor log outputs for potential data leaks
- Use secure transport when sending logs to external systems
| Version | Supported | Security Updates |
|---|---|---|
| 2.1.x | ✅ Yes | ✅ Active |
| 2.0.x | ✅ Yes | ✅ Active |
| < 2.0 | ❌ No | ❌ None |
If you discover a security vulnerability, please follow responsible disclosure practices:
For critical security issues that could compromise user data or system security:
Email: [email protected]
- Response within 24 hours
- Initial assessment within 48 hours
- Security patches prioritized
For general security improvements or non-critical issues:
- Create a private security advisory on GitHub
- Or email [email protected]
- Response within 72 hours
When reporting a vulnerability, please include:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact and affected versions
- Suggested fix (if you have one)
- Your contact information for follow-up
After you report, you can expect:
- Acknowledgment within 24-72 hours
- Regular updates on investigation progress
- Credit in security advisories (if desired)
- Coordinated disclosure timeline discussion
Primary Security Contact: [email protected]
Backup Contact: [email protected]
Your efforts to help maintain the security and integrity of Log Engine are greatly appreciated. Thank you for contributing to a safer open-source community!
With ❤️ by Waren Gonzaga under WG Technology Labs and Him