The Microsoft.Extensions.Compliance.Abstractions and Microsoft.Extensions.Compliance.Redaction packages make it easy for a developer to log structured data in a compliant manner. LoggerMessage, TagProvider, etc.
This still leaves a great many gaps that are easy for a developer to trip over:
- A legacy codebase might still rely on interpolated strings for logging.
- Someone used Don't Repeat Yourself to allocate a string containing sensitive data so they can write to both an audit trail and a telemetry stream.
- A service logs HTTP requests/responses. Most of these may be safely logged; some contain sensitive data.
Is there an appetite for a Redaction.Analyzer package to help catch these sorts of issues?
I've played around with a local implementation using a form of taint analysis, and while I have much use for such a thing, I'm wondering if this is a thing suitable for dotnet/extensions.
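To make the first bullet concrete for anyone triaging this, here is an added illustration (not code from this issue or from dotnet/extensions) of the interpolated-string pattern next to the structured path the existing packages already support. The `ExampleTaxonomy`, `PersonalDataAttribute`, `User` record and `Log` class are made up for the example; the `DataClassificationAttribute`, `[LogProperties]`, `AddRedaction`/`SetRedactor` and `EnableRedaction` calls are the ones shipped in the Compliance and Telemetry packages as I know them, so treat exact package versions as an assumption.

```csharp
using Microsoft.Extensions.Compliance.Classification;
using Microsoft.Extensions.Compliance.Redaction;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// Hypothetical taxonomy for the example: a single classification for personal data.
public static class ExampleTaxonomy
{
    public static string TaxonomyName => typeof(ExampleTaxonomy).FullName!;
    public static DataClassification PersonalData => new(TaxonomyName, nameof(PersonalData));
}

// Attribute used to mark members that carry personal data.
public sealed class PersonalDataAttribute : DataClassificationAttribute
{
    public PersonalDataAttribute() : base(ExampleTaxonomy.PersonalData) { }
}

// Constructed sample type: Email is classified, Region is not.
public sealed record User([property: PersonalData] string Email, string Region);

public static partial class Log
{
    // Structured path: the generator emits the User properties as tags, and the
    // logging redaction pipeline rewrites the classified Email value before any
    // provider sees it.
    [LoggerMessage(Level = LogLevel.Information, Message = "User signed in")]
    public static partial void UserSignedIn(this ILogger logger, [LogProperties] User user);
}

public static class Demo
{
    public static void Run()
    {
        var services = new ServiceCollection();

        // Erase anything classified as PersonalData; other data is left untouched.
        services.AddRedaction(rb => rb.SetRedactor<ErasingRedactor>(ExampleTaxonomy.PersonalData));

        services.AddLogging(lb =>
        {
            lb.AddConsole();
            lb.EnableRedaction(); // apply the registered redactors to classified tags
        });

        using var provider = services.BuildServiceProvider();
        var logger = provider.GetRequiredService<ILoggerFactory>().CreateLogger("Demo");
        var user = new User("alice@example.test", "eu-west"); // constructed sample values

        // The gap from the first bullet: nothing classifies or redacts this string,
        // so the address is written verbatim to every configured provider.
        logger.LogInformation($"User {user.Email} signed in from {user.Region}");

        // The compliant path: same information, but Email reaches the provider erased.
        logger.UserSignedIn(user);
    }
}
```

Run against a console provider, the first call prints the address in clear text while the second prints an erased Email tag. The existing CA2254 analyzer does flag the interpolated call, but only because the template is not a constant; it has no notion that `user.Email` is classified, which is the distinction a taint-style Redaction.Analyzer would have to track.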