Skip to main content

DLP Filter

The dlp-filter policy evaluates request content against your configured detect_patterns and blocked_terms. It can either block the request or return a redact verdict. By default it runs in the input phase; if you need response filtering, attach it to a response stage with conditional chain metadata.

Configuration

pack:
name: dlp-filter-example
version: 1.0.0
enabled: true

policies:
chain:
- dlp-filter

policy:
dlp-filter:
detect_patterns:
- 'AKIA[0-9A-Z]{16}'
- 'ghp_[0-9A-Za-z]{36}'
blocked_terms:
- Project Titan
- internal.acme.corp
action: block
fuzzy_matching: true
max_distance: 2
sensitivity_level: high

Fields

FieldTypeDescriptionDefault
detect_patternsstring[]Regex patterns evaluated against the joined message content.[]
blocked_termsstring[]Literal terms checked with case-insensitive matching.[]
actionredact | blockblock stops the request. redact returns a redact verdict so the gateway redaction pass can run.redact
fuzzy_matchingbooleanEnable fuzzy matching for near-miss terms and patterns.false
max_distanceintegerMaximum edit distance used when fuzzy_matching is enabled.1
sensitivity_levelstandard | high | restrictedhigh and restricted additionally flag inline classification markers such as top secret, secret, confidential, fouo, noforn, orcon, propin, and rel to. standard does not add this context check.standard

What this policy does today

  • It does not ship with a built-in library of API-key, SSN, IBAN, MRN, or biometric regexes.
  • It only evaluates the patterns and terms you configure, plus the classification-marker context check enabled by high and restricted.
  • high and restricted currently share the same extra context-sensitive marker detection in the gateway.

Use Cases

Secret and codename blocking

pack:
name: secret-leak-guard
version: 1.0.0
enabled: true

policies:
chain:
- dlp-filter
- audit-logger

policy:
dlp-filter:
detect_patterns:
- 'AKIA[0-9A-Z]{16}'
- 'sk-[A-Za-z0-9]{48}'
blocked_terms:
- Project Titan
- jira.acme.corp
action: block
fuzzy_matching: true
max_distance: 1

Redaction verdict for downstream handling

pack:
name: redact-then-log
version: 1.0.0
enabled: true

policies:
chain:
- dlp-filter
- audit-logger

policy:
dlp-filter:
blocked_terms:
- internal use only
- do not distribute
action: redact

Classification-marker detection

pack:
name: classified-routing
version: 1.0.0
enabled: true

policies:
chain:
- dlp-filter
- entity-list-filter
- itar-ear-filter

policy:
dlp-filter:
action: block
sensitivity_level: restricted

How It Works

  1. Keeptrusts joins the request messages into a single text buffer.
  2. Each regex in detect_patterns is evaluated against that content.
  3. Each term in blocked_terms is checked case-insensitively; when fuzzy_matching is enabled, near matches within max_distance also count.
  4. If sensitivity_level is high or restricted, the gateway also checks for the built-in classification markers listed above.
  5. If any check triggers, the policy returns either block or redact.

Best Practices

  • Use detect_patterns for structured secrets and blocked_terms for organization-specific names.
  • Prefer block when you need deterministic enforcement of the matched content.
  • Keep max_distance small; values above 2 can create noisy matches.
  • Add response-stage filtering explicitly with conditional chain metadata instead of assuming it runs on output by default.

Next steps