Skip to main content
Browse docs
By Audience
Getting Started
Configuration
Use Cases
IDE Integration
Third-Party Integrations
Engineering Cache
Console
API Reference
Gateway
Workflow Guides
Templates
Providers and SDKs
Industry Guides
Advanced Guides
Browse by Role
Deployment Guides
In-Depth Guides
Tutorials
CLI Reference
Policy Reference
OverviewDeclarative Config Reference
Config Deep Dives
Config ProvidersConfig Rate LimitsConfig Routes And ConsumersConfig Quality AssertionsConfig ObservabilityConfig Security NetworkConfig RuntimeConfig TestingConfig Conditional ChainsConfig ScenariosConfig Pack MetadataConfig Execution TargetsConfig Cloud ProvidersConfig Escalation RoutingConfig Data PoliciesConfig Per Policy CatalogConfig Env VariablesConfig Advanced ProviderConfig Compliance PoliciesConfig Single Policy DocsConfig Flagged Review
Policy Controls Catalog
Input Policies
Output Policies
Quality ScorerHuman OversightCitation VerifierFinancial ComplianceHealthcare ComplianceBias MonitorCode Sanitation
Agent Policies
Audit & Compliance
Privacy & Legal
Content & Document Processing
FAQ

Code Sanitation

The code-sanitation policy scans AI-generated code for security vulnerabilities, credential leaks, and unsafe patterns before delivering responses to users. It provides defense-in-depth for developer-facing AI tools by catching dangerous code patterns that could introduce vulnerabilities into your codebase if accepted without review.

Use this page when

  • You need the exact command, config, API, or integration details for Code Sanitation.
  • You are wiring automation or AI retrieval and need canonical names, examples, and constraints.
  • If you want a guided rollout instead of a reference page, use the linked workflow pages in Next steps.

Primary audience

  • Primary: AI Agents, Technical Engineers
  • Secondary: Technical Leaders

Configuration

pack:
  name: code-sanitation
  version: "1.0.0"
  enabled: true

policies:
  chain:
    - code-sanitizer

policy:
  code-sanitizer:
    enabled: true
    block_on_match: false
    additional_patterns:
      - "AKIA[0-9A-Z]{16}"
      - "(?i)password\\s*=\\s*['\"][^'\"]+['\"]"

Fields

FieldTypeDescriptionDefault
enabledbooleanMaster toggle for code sanitation scanning. When false, the policy is completely bypassed and no scanning occurs. Useful for temporarily disabling scanning without removing the policy from your configuration.true
block_on_matchbooleanControls the response behavior when a pattern match is found. When true, the entire response is blocked and a policy violation is returned to the caller. When false, matched patterns are redacted (replaced with [REDACTED]) and the sanitized response is delivered to the user.false
additional_patternsstring[]Custom regex patterns to detect beyond the built-in rules. Each pattern is compiled as a regular expression and applied to all code blocks in the response. Use this to add organization-specific detection rules for internal secret formats, proprietary API key patterns, or custom vulnerability signatures.[]

Built-in Detection Patterns

The following patterns are always active when enabled is true. They cannot be individually disabled.

CategoryWhat It Detects
Hardcoded credentials and API keysAWS access keys (AKIA...), GCP service account keys, Azure connection strings, generic API key assignments, bearer tokens, private key blocks (RSA, EC, DSA), and common secret variable assignments.
SQL injection vectorsString-concatenated SQL queries, unsanitized user input in SQL statements, dynamic table/column names from user input, and raw query execution with interpolated variables.
OS command injection patternsCalls to os.system(), subprocess.call() with shell=True, backtick execution, exec(), eval(), and Runtime.getRuntime().exec() with unsanitized arguments.
Path traversal sequences../ directory traversal, absolute path access from user input, and unsanitized file path construction using request parameters.
Unsafe deserialization callspickle.loads(), yaml.load() without SafeLoader, Java ObjectInputStream.readObject(), Marshal.load() in Ruby, and unserialize() in PHP with untrusted input.
Cross-site scripting payloadsInline <script> tags, event handler attributes (onclick, onerror), javascript: protocol URIs, and innerHTML assignments with unsanitized content.

Use Cases

Developer Copilot — Sanitize Output

Scan all AI-generated code suggestions before they reach developers. Matched patterns are redacted rather than blocked so developers still receive useful output with dangerous fragments removed.

pack:
  name: code-sanitation
  version: "1.0.0"
  enabled: true

policies:
  chain:
    - code-sanitizer

policy:
  code-sanitizer:
    enabled: true
    block_on_match: false
    additional_patterns: []

Code Review AI — Block Unsafe Suggestions

For an AI-powered code review tool, block any response that contains a detected vulnerability. This prevents the AI from suggesting insecure code patterns that a reviewer might approve without noticing.

pack:
  name: code-sanitation
  version: "1.0.0"
  enabled: true

policies:
  chain:
    - code-sanitizer

policy:
  code-sanitizer:
    enabled: true
    block_on_match: true
    additional_patterns: []

Block Code With Embedded Secrets — Org-Specific Patterns

Add custom patterns to detect your organization's internal secret formats alongside the built-in rules. This example detects internal API keys, database connection strings with embedded credentials, and a proprietary token format.

pack:
  name: code-sanitation
  version: "1.0.0"
  enabled: true

policies:
  chain:
    - code-sanitizer

policy:
  code-sanitizer:
    enabled: true
    block_on_match: true
    additional_patterns:
      - "AKIA[0-9A-Z]{16}"
      - "(?i)mongodb(\\+srv)?://[^:]+:[^@]+@"
      - "(?i)internal[-_]api[-_]key\\s*[:=]\\s*['\"][^'\"]{20,}['\"]"
      - "xkt_[a-zA-Z0-9]{32,}"

Combined With Tool Security for Agent Code Execution

When AI agents generate and execute code, apply code sanitation as a pre-execution filter. Use block_on_match: true to prevent any code with detected vulnerabilities from being executed by the agent runtime.

pack:
  name: code-sanitation
  version: "1.0.0"
  enabled: true

policies:
  chain:
    - code-sanitizer

policy:
  code-sanitizer:
    enabled: true
    block_on_match: true
    additional_patterns:
      - "(?i)(rm\\s+-rf|del\\s+/[sqf]|format\\s+[a-z]:)"
      - "(?i)(curl|wget|fetch)\\s+.*\\|\\s*(bash|sh|zsh)"
      - "(?i)chmod\\s+777"

How It Works

  1. Code block extraction — When a response is received from the upstream AI model, Keeptrusts extracts all code blocks from the response. This includes fenced code blocks (```...```), inline code, and content that appears to be code based on structural analysis.

  2. Built-in pattern scanning — Each extracted code block is scanned against the full set of built-in detection patterns. The scanner runs all categories in parallel for performance.

  3. Custom pattern scanning — If additional_patterns is configured, each custom regex is compiled and applied to the same code blocks. Custom patterns run after built-in patterns, and all matches are collected.

  4. Match aggregation — All matches from both built-in and custom patterns are aggregated with their category, matched text, and position within the response.

  5. Action execution — If block_on_match is true and any match was found, the entire response is rejected with a policy violation that lists the detected categories (but not the matched content itself, to avoid leaking sensitive data in error messages). If block_on_match is false, each matched segment is replaced with [REDACTED] and the sanitized response is delivered.

  6. Event logging — Every scan result — whether clean, redacted, or blocked — is logged as a structured event in the Keeptrusts event stream. Events include the detected categories, match count, and action taken, but never the raw matched content.

Combining With Other Policies

With content-filter — Content filtering catches broad safety violations in prose text, while code sanitation focuses specifically on executable code patterns. Use both for AI assistants that generate mixed prose and code output.

With pii-filter — PII filtering catches personal data in natural language, while code sanitation catches credentials and secrets in code. Together they provide comprehensive data leakage prevention across both content types.

With human-oversight — For high-stakes code generation (infrastructure-as-code, database migrations), add human oversight to review sanitized code before it reaches production. Code sanitation catches the obvious patterns; human review catches logic errors and architectural concerns.

With rate-limiter — Rate limiting prevents attackers from probing the sanitation rules through rapid requests designed to reverse-engineer pattern boundaries.

Best Practices

  • Start with block_on_match: false (redact mode) to understand what the scanner catches in your specific use case before switching to blocking mode. Review the redacted events in the Keeptrusts dashboard to assess precision.

  • Keep custom patterns focused and tested. Overly broad regex patterns can cause false positives that degrade the AI assistant's usefulness. Test each custom pattern against a representative sample of your AI's output before deploying.

  • Use block_on_match: true for agent code execution. When AI-generated code will be executed automatically (not just displayed to a developer), blocking is the safer default. A redacted code snippet will likely fail to execute in confusing ways.

  • Layer code sanitation with code review processes. Automated pattern matching catches known-bad patterns but cannot reason about business logic vulnerabilities, race conditions, or architectural flaws. Treat code sanitation as one layer of defense, not a complete solution.

  • Monitor false positive rates by reviewing blocked or redacted events regularly. If legitimate code patterns are being caught (e.g., documentation examples that mention eval() in a "don't do this" context), consider whether custom exclusion logic or a different block_on_match setting is appropriate.

  • Update additional_patterns as your secret formats evolve. When your organization rotates to a new API key format or introduces a new internal credential pattern, add detection patterns proactively.

  • Be cautious with regex complexity. Very complex regular expressions with excessive backtracking can impact response latency. Keep patterns as simple as possible while still matching the target content accurately.

For AI systems

  • Canonical terms: Keeptrusts, code-sanitation / code-sanitizer, policy-config.yaml, enabled, block_on_match, additional_patterns, built-in detection (credentials, SQL injection, OS command injection, path traversal, unsafe deserialization, XSS).
  • Output-phase policy: scans AI-generated code in responses before delivery.
  • Best next pages: Agent Firewall policy, PII Detector policy, Per-Policy Configuration Catalog.

For engineers

  • Start with block_on_match: false (redact mode) to understand detection patterns before switching to blocking.
  • Use block_on_match: true when AI-generated code will be executed automatically (agent code execution, CI pipelines).
  • Add organization-specific patterns to additional_patterns for internal secret formats (e.g., xkt_[a-zA-Z0-9]{32,}).
  • Avoid overly complex regex patterns that cause excessive backtracking and impact response latency.
  • Monitor redacted/blocked events in the dashboard to assess false-positive rates and tune patterns.

For leaders

  • Code sanitation prevents AI code suggestions from introducing security vulnerabilities (credential leaks, injection vectors, unsafe deserialization) into your codebase.
  • Redact mode lets developers receive useful output with dangerous fragments removed; block mode stops unsafe code entirely.
  • Built-in detection covers OWASP Top 10 code patterns without custom configuration.
  • Adding custom patterns ensures detection of organization-specific secret formats as they evolve.
  • Pair with human code review processes — automated scanning catches known-bad patterns but cannot reason about business logic vulnerabilities.

Next steps