Cloud Redaction Policies
Glubean redacts sensitive data before results leave your machine. The CLI applies redaction rules from your project config during upload. See CLI Redaction for the local rules.
Cloud adds a team-facing control surface on top of that local behavior.
Two layers of redaction
Redaction runs in two places, configured independently:
| Layer | Configured in | Controls |
|---|---|---|
| Local (before upload) | defaults.redaction in glubean.yaml | Extra sensitiveKeys, customPatterns, and replacementFormat. Applied on profile runs (see caveat below). |
| Server baseline (at ingestion) | Built-in (not configurable for CLI uploads) | A fixed baseline re-applied when results are ingested, as a safety net. |
Author your local rules by hand in glubean.yaml under defaults.redaction.
On ingestion the server re-applies a fixed built-in baseline (it does not
load your team dashboard policy for CLI runs), so don’t rely on dashboard
toggles to catch a value you didn’t also cover locally. defaults.redaction is
additive — it can only add keys/patterns, never disable a built-in scope.
Apply custom redaction via a profile.
defaults.redactionis applied when you run a profile —glubean run --profile <name>orglubean ci run. An ad-hoc run with an explicit target (e.g.glubean run tests/ --upload) does not resolve a profile and uploads with the built-in baseline only, so your project-specificsensitiveKeys/customPatternsare skipped. To apply them before upload, run through a profile.
See CLI Redaction for the local rules.
Configuring rules in Cloud
Go to Team → Redaction in the Cloud dashboard.
Scopes
Scopes control which data areas are scanned for sensitive values. Each scope targets a specific field in a specific event type.
HTTP scopes:
| Scope | What it covers |
|---|---|
| HTTP Request Headers | Authorization, cookies, API keys |
| HTTP Request Query | URL query parameters |
| HTTP Request Body | POST/PUT/PATCH body content |
| HTTP Response Headers | Set-Cookie headers |
| HTTP Response Body | Response body content |
General scopes:
| Scope | What it covers |
|---|---|
| Log Messages | ctx.log() message strings |
| Log Data | ctx.log() data objects |
| Error Messages | Test failure messages |
| Error Stack Traces | Stack traces |
| Assertion Messages | Assertion failure text |
| Assertion Values | Actual/expected values |
| Warning Messages | Warning text |
| Step Return State | Step return values |
Each scope can be individually enabled or disabled. Disabled scopes skip redaction entirely for that field.
Plugins like @glubean/grpc add their own scopes (gRPC metadata, request, response) automatically.
Global Sensitive Keys
Add additional keys that should be treated as sensitive across all scopes. These are additive — built-in scope-specific keys (like authorization in request headers, password in request bodies) are always active.
Value Patterns
Built-in patterns detect common secret formats in string values:
| Pattern | Example | Default |
|---|---|---|
| JWT Tokens | eyJhbGci... | On |
| Bearer Tokens | Bearer sk-... | On |
| AWS Keys | AKIA... | On |
| GitHub Tokens | ghp_..., gho_... | On |
| Credit Cards | 16-digit numbers | On |
| Email Addresses | user@example.com | Off |
| IP Addresses | 192.168.1.1 | Off |
| Hex Keys | 32+ char hex strings | Off |
Toggle each pattern on/off. You can also add custom regex patterns with a name and regex.
Replacement Format
Choose how redacted values appear:
| Format | Example |
|---|---|
| Simple | [REDACTED] |
| Labeled | [REDACTED:jwt] — includes which rule matched |
| Partial | sk_li***_4xN — preserves prefix/suffix hints for debugging (default) |
Local Config Format
The CLI reads redaction rules from defaults.redaction in glubean.yaml:
defaults:
redaction:
sensitiveKeys: [x-custom-secret, internal-token]
customPatterns:
- { name: stripe_key, regex: "sk_live_\\w+" }
- { name: internal_id, regex: "int_[a-f0-9]{32}" }
replacementFormat: labeledThe built-in baseline (scope-specific sensitive keys + 5 default patterns) is always active and cannot be weakened. Your config can only add rules on top.
Preview before uploading
Use glubean redact to see exactly what will be masked without uploading:
glubean redact .glubean/last-run.result.jsonThis uses partial masking in the console so you can verify which values are caught. See CLI Redaction for details.
Server-side redaction
Cloud applies baseline redaction server-side at ingestion time as a safety net. Even if the CLI skips or misconfigures redaction, the server will catch common secrets before persisting events.
For CLI uploads, redaction happens locally first. Server-side redaction is idempotent — already-redacted values pass through unchanged.