DLP Filter
The dlp-filter policy evaluates request content against your configured detect_patterns and blocked_terms. It can either block the request or return a redact verdict. By default it runs in the input phase; if you need response filtering, attach it to a response stage with conditional chain metadata.
Configuration
pack:
name: dlp-filter-example
version: 1.0.0
enabled: true
policies:
chain:
- dlp-filter
policy:
dlp-filter:
detect_patterns:
- 'AKIA[0-9A-Z]{16}'
- 'ghp_[0-9A-Za-z]{36}'
blocked_terms:
- Project Titan
- internal.acme.corp
action: block
fuzzy_matching: true
max_distance: 2
sensitivity_level: high
Fields
| Field | Type | Description | Default |
|---|---|---|---|
detect_patterns | string[] | Regex patterns evaluated against the joined message content. | [] |
blocked_terms | string[] | Literal terms checked with case-insensitive matching. | [] |
action | redact | block | block stops the request. redact returns a redact verdict so the gateway redaction pass can run. | redact |
fuzzy_matching | boolean | Enable fuzzy matching for near-miss terms and patterns. | false |
max_distance | integer | Maximum edit distance used when fuzzy_matching is enabled. | 1 |
sensitivity_level | standard | high | restricted | high and restricted additionally flag inline classification markers such as top secret, secret, confidential, fouo, noforn, orcon, propin, and rel to. standard does not add this context check. | standard |
What this policy does today
- It does not ship with a built-in library of API-key, SSN, IBAN, MRN, or biometric regexes.
- It only evaluates the patterns and terms you configure, plus the classification-marker context check enabled by
highandrestricted. highandrestrictedcurrently share the same extra context-sensitive marker detection in the gateway.
Use Cases
Secret and codename blocking
pack:
name: secret-leak-guard
version: 1.0.0
enabled: true
policies:
chain:
- dlp-filter
- audit-logger
policy:
dlp-filter:
detect_patterns:
- 'AKIA[0-9A-Z]{16}'
- 'sk-[A-Za-z0-9]{48}'
blocked_terms:
- Project Titan
- jira.acme.corp
action: block
fuzzy_matching: true
max_distance: 1
Redaction verdict for downstream handling
pack:
name: redact-then-log
version: 1.0.0
enabled: true
policies:
chain:
- dlp-filter
- audit-logger
policy:
dlp-filter:
blocked_terms:
- internal use only
- do not distribute
action: redact
Classification-marker detection
pack:
name: classified-routing
version: 1.0.0
enabled: true
policies:
chain:
- dlp-filter
- entity-list-filter
- itar-ear-filter
policy:
dlp-filter:
action: block
sensitivity_level: restricted
How It Works
- Keeptrusts joins the request messages into a single text buffer.
- Each regex in
detect_patternsis evaluated against that content. - Each term in
blocked_termsis checked case-insensitively; whenfuzzy_matchingis enabled, near matches withinmax_distancealso count. - If
sensitivity_levelishighorrestricted, the gateway also checks for the built-in classification markers listed above. - If any check triggers, the policy returns either
blockorredact.
Best Practices
- Use
detect_patternsfor structured secrets andblocked_termsfor organization-specific names. - Prefer
blockwhen you need deterministic enforcement of the matched content. - Keep
max_distancesmall; values above2can create noisy matches. - Add response-stage filtering explicitly with conditional chain metadata instead of assuming it runs on output by default.
Next steps
- PII Detector — Built-in personal-data detection and redaction
- Data Routing Policy — combine content filtering with provider eligibility
- Prompt Injection Detection — Input attack detection