Privacy & Security
The privacy scanner runs automatically before every snapshot export. It detects secrets, PII, and sensitive paths in your modules and gives you control over what to do about them.
How It Works
When you run stato snapshot, the scanner checks all module files in .stato/ against 19 regex patterns across 6 categories. If it finds anything, it shows a summary and asks what to do.
stato snapshot --name "share"Privacy scan found 3 item(s):
api_key (1 found) context.py:8 - API key (OpenAI) sk-abc123... → {API_KEY}
path (2 found) context.py:12 - Home directory path /home/niki/... → /home/{user}/...
Choose action: [s]anitize / [r]eview / [f]orce / [c]ancel: s✓ Secrets sanitized in snapshot (originals unchanged)Interactive Review Gate
When findings are detected, you choose one of four actions:
| Action | Key | What It Does |
|---|---|---|
| Sanitize | s | Replace detected secrets with placeholders in the archive. Originals in .stato/ are unchanged. |
| Review | r | Show full details of every finding, then ask again (sanitize, force, or cancel). |
| Force | f | Export without any sanitization. Use only when you know the findings are false positives. |
| Cancel | c | Abort the snapshot entirely. |
Categories and Patterns
The scanner includes 19 patterns (16 general + 3 bioinformatics-specific) across 6 categories:
| Category | Patterns | Examples |
|---|---|---|
api_key | API key prefixes | sk-, AKIA, AIza |
credential | Database URLs, passwords | postgresql://user:pass@..., password = "..." |
token | Auth tokens, bearer tokens | Bearer eyJ..., ghp_... |
path | Home directories, system paths | /home/user/..., /Users/... |
network | Internal IPs, private URLs | 192.168.x.x, 10.0.x.x |
pii | Email, SSN, patient IDs | user@example.com, MRN-... |
The PII category includes bioinformatics-specific patterns for patient identifiers (MRN, SSN formats) to support clinical research workflows.
CLI Flags
Skip the interactive prompt with flags:
# Auto-sanitize without askingstato snapshot --name "share" --sanitize
# Skip privacy scan entirelystato snapshot --name "internal" --force.statoignore
Create a .statoignore file in your project root to suppress false positives. The file uses pattern matching:
# Ignore specific patternsexample.com192.168.1.1
# Ignore test datatest_datastato init creates a template .statoignore file automatically.
Sanitization Details
When you choose to sanitize:
- Detected secrets are replaced with descriptive placeholders (e.g.,
{API_KEY},/home/{user}/) - Only the archive is sanitized. Your original
.stato/files are never modified. - The replacement placeholders make it clear what was redacted, so the receiving agent still understands the module structure.