Security Architecture
Shield is designed with security-first principles. It never stores your secrets — it only protects them in transit through your build logs.

Zero Storage Architecture

Shield doesn't store secrets. It operates purely as a runtime protection layer.

Provider Security

Secrets are pulled from your existing providers and processed in-memory only:

| Provider | Source | Storage |
|---|---|---|
| .env files | Your repository | You control |
| AWS Secrets Manager | AWS infrastructure | AWS manages |
| Environment variables | CI/CD platform | Platform manages |

Cloud Features Security

When using cloud analytics (after `dotset link`):

- What we store: protection event metadata (counts, timestamps, patterns)
- What we don't store: your actual secret values
- Transport: TLS 1.3
- Infrastructure: SOC 2 compliant providers

Threat Model

Shield protects against:

| Threat | Protection |
|---|---|
| Log exposure | Real-time streaming redaction |
| Split-chunk secrets | Line-buffered detection |
| Pattern detection | Regex + exact value matching |
| CI log scraping | Secrets redacted before logging |

Runtime Guarantees

- In-memory only — Secret values never written to disk by Shield
- Process isolation — Secrets scoped to child process environment
- Stream interception — stdout/stderr monitored before output
- Line buffering — Handles secrets split across chunks
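The threat model and runtime guarantees above describe one mechanism: a parent process holds the secret values in memory, hands them only to a child's environment, intercepts the child's stdout/stderr before anything reaches the log, and buffers by line so a secret cut in half by a pipe read is still caught. The following is an added illustration of that mechanism written for this page; it is not Shield's own code, and the secret value, the `AKIA…` pattern and the `API_TOKEN` variable name are constructed assumptions for the example.

```python
import codecs
import os
import re
import subprocess
import sys
from typing import Iterable, List, Sequence

# Constructed sample inputs for this example; not real credentials.
SAMPLE_SECRET = "EXAMPLE-secret-9f3a7c"
# Assumed pattern for tokens shaped like an AWS access key ID (illustrative only).
SAMPLE_PATTERNS = [re.compile(r"AKIA[0-9A-Z]{16}")]
MASK = "[REDACTED]"


class LineRedactor:
    """Redacts exact secret values and regex matches one complete line at a time.

    A pipe read may return a chunk that cuts a secret in half, so input is
    buffered until a newline arrives and only whole lines are matched and emitted.
    The redactor keeps a count of events (metadata), never the values themselves.
    """

    def __init__(self, secrets: Iterable[str], patterns: Sequence["re.Pattern"], mask: str = MASK):
        # Longest first, so a secret that contains a shorter one is masked as a whole.
        self.secrets = sorted({s for s in secrets if s}, key=len, reverse=True)
        self.patterns = list(patterns)
        self.mask = mask
        self._buf = ""
        self.events = 0

    def redact_line(self, line: str) -> str:
        for secret in self.secrets:
            hits = line.count(secret)
            if hits:
                self.events += hits
                line = line.replace(secret, self.mask)
        for pattern in self.patterns:
            line, hits = pattern.subn(self.mask, line)
            self.events += hits
        return line

    def feed(self, chunk: str) -> List[str]:
        """Absorb an arbitrary chunk; return the redacted lines it completes."""
        self._buf += chunk
        done = []
        while "\n" in self._buf:
            line, self._buf = self._buf.split("\n", 1)
            done.append(self.redact_line(line))
        return done

    def flush(self) -> List[str]:
        """Emit a trailing partial line (output that ended without a newline)."""
        if not self._buf:
            return []
        line, self._buf = self._buf, ""
        return [self.redact_line(line)]


def redact_chunks(chunks: Iterable[str], secrets: Iterable[str], patterns: Sequence["re.Pattern"]) -> List[str]:
    """Run a sequence of raw chunks (as a pipe would deliver them) through one redactor."""
    redactor = LineRedactor(secrets, patterns)
    lines: List[str] = []
    for chunk in chunks:
        lines.extend(redactor.feed(chunk))
    lines.extend(redactor.flush())
    return lines


def run_protected(cmd, secrets, patterns, env, sink=sys.stdout):
    """Run cmd with `env` as its environment and redact its merged stdout/stderr.

    Returns (exit_code, redacted_lines). Only redacted text is written to `sink`;
    nothing is written to disk by this function.
    """
    proc = subprocess.Popen(cmd, env=env, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    redactor = LineRedactor(secrets, patterns)
    # A chunk boundary can also split a multi-byte UTF-8 character, hence the incremental decoder.
    decoder = codecs.getincrementaldecoder("utf-8")(errors="replace")
    emitted: List[str] = []

    def emit(lines):
        for line in lines:
            emitted.append(line)
            if sink is not None:
                sink.write(line + "\n")

    while True:
        raw = proc.stdout.read1(4096)  # short reads are expected; that is what the buffering handles
        if not raw:
            break
        emit(redactor.feed(decoder.decode(raw)))
    emit(redactor.feed(decoder.decode(b"", final=True)))
    emit(redactor.flush())
    return proc.wait(), emitted


def demo_child_run(secret: str):
    """Spawn a child that prints a secret from its own environment; return only redacted output."""
    child_env = {**os.environ, "API_TOKEN": secret}  # the value lives in the child's environment only
    cmd = [sys.executable, "-c", "import os; print('token=' + os.environ['API_TOKEN'])"]
    return run_protected(cmd, [secret], SAMPLE_PATTERNS, child_env, sink=None)


if __name__ == "__main__":
    code, lines = demo_child_run(SAMPLE_SECRET)
    print(code, lines)
```

The longest-first ordering and the exact-value matching mean a secret is masked even when it contains no recognisable pattern, while `flush()` covers the common case of a tool that exits without a trailing newline; what would be lost without the buffer is precisely the case in the table above, a value whose two halves arrive in different reads.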

Best Practices

- Use your existing secrets infrastructure (CI secrets, AWS SM, etc.)
- Run Shield in `redact` mode in production CI
- Use `detect` mode for auditing existing pipelines
- Link to cloud for analytics and alerting