February 3, 2026
Scrub‑a‑dub logs drama!
Show HN: PII-Shield – Log Sanitization Sidecar with JSON Integrity (Go, Entropy)
Dev tool scrubs secrets from logs; fans cheer speed while skeptics fear lost UUIDs
TLDR: PII‑Shield promises fast, no-code log sanitizing that replaces secrets with hashes to prevent leaks. Commenters love the speed but debate whether it will also hide useful IDs like UUIDs and question the name’s focus, while the maintainer urges tuning the threshold for different cases.
PII‑Shield lands as the no-code bodyguard for your logs, promising to zap secrets before they leak from your app. It sits beside your app in Kubernetes, scans messages for high-entropy “this-looks-like-a-secret” strings, and swaps them for hashed tags so teams can still trace issues without seeing raw data. The big flex? A claim of “100% accuracy” across messy, multilingual logs—and it’s written in Go for speed.
Cue the comment drama. The dev behind it, aragoss, jumps in with a PSA: the default “secret detector” threshold is tuned for API keys, so your cute test words won’t trigger it—tweak the setting if you need. That calmed some testers, but a top question lit up the thread: will it nuke UUIDs (those long unique IDs many teams rely on)? One commenter pressed that worry hard, and another pointed out the name “PII‑Shield” sounds like it blocks personal info like names, not just secrets. Identity crisis, anyone?
Still, vibes weren’t all fret and fear. Early adopters said they showed it to coworkers who thought it was cool, with a few “log janitor” jokes and applause for the drop-in sidecar pattern. Some side-eye at the bold “100%” claim, but the quick-start demo and Docker image had folks pulling it fast. The hottest take: keep the UUIDs, keep the speed, keep the sanity—just don’t over-sanitize.
Key Points
- •PII-Shield is a zero-code log sanitization sidecar for Kubernetes that redacts sensitive data before logs leave a pod.
- •The tool is written in Go and uses context-aware entropy analysis to detect secrets even without explicit keys.
- •Detected secrets are replaced with deterministic hashes, enabling error correlation without exposing raw data.
- •Installation includes a Docker-based CLI quick start and a Kubernetes sidecar pattern using an initContainer and shared volume.
- •Verification includes unit tests, native Go fuzzing, stress testing claiming 100% detection accuracy, and the project is licensed under Apache 2.0.