Credentials Scanner (DLP)
The Credentials Scanner is a specialized Data Loss Prevention (DLP) node that specifically targets secrets like API keys, SSH keys, and database passwords to prevent accidental exposure to external AI models.
π‘οΈ Use Case
- Secret Protection: Safeguard your organization's infrastructure by ensuring developers don't accidentally paste cloud credentials or API keys into AI prompts.
- Compliance: Enforce SOC2 and HIPAA requirements regarding secret management.
π Implementation
This auditor uses high-entropy regex patterns to detect various types of secrets.
import re
from lucid_sdk import create_auditor, Deny, Proceed
builder = create_auditor(auditor_id="secret-shield")
# Patterns for common secrets
SECRET_PATTERNS = {
"AWS Key": re.compile(r'AKIA[0-9A-Z]{16}'),
"Slack Token": re.compile(r'xox[bpgr]-[0-9]{12}-[0-9]{12}-[a-zA-Z0-9]{24}'),
"Generic Secret": re.compile(r'(?i)password|secret|key\s*[:=]\s*[a-zA-Z0-9\-_]{20,}')
}
@builder.on_request
def scan_secrets(data: dict):
prompt = data.get("prompt", "")
for name, pattern in SECRET_PATTERNS.items():
if pattern.search(prompt):
# Critical high-risk violation: Block request
return Deny(reason=f"Security Violation: {name} detected in prompt")
return Proceed()
auditor = builder.build()
βΈοΈ Deployment Configuration
chain:
- name: secret-shield
image: "lucid/credentials-scanner:v1"
port: 8087
π Behavior
- Request: A user sends "Here is my cloud config: AWS_KEY=AKIA...".
- Result:
DENY. The Lucid Operator blocks the request and emits a high-priority security alert. - Attestation: The AI Passport will record the specific pattern that was matched (e.g., "AWS Key detected"), providing a verifiable audit trail for security teams.