TestDino scans test artifacts for secrets and replaces them with masked values before they appear in the dashboard. This prevents accidental exposure of tokens, passwords, API keys, and credentials during debugging and review.
Data Redaction is an Enterprise plan feature. Contact [email protected] to enable it.

Quick Reference

| Item | Description |
| --- | --- |
| Detected Patterns | API keys, tokens, passwords, connection strings, private keys |
| Redaction Process | Detection, scrubbing, backup, and display |
| Scope | Traces, console output, errors, network logs, attachments |
| Exclusions | Test titles, file paths, git metadata, timing data |

How Redaction Works

1. Detection

When artifacts (traces, logs, console output) are uploaded, the system scans content for patterns matching sensitive information.

Detected Patterns

| Pattern Type | Examples |
| --- | --- |
| API keys | sk_live_*, sk_test_*, api_key_*, AKIA* (AWS) |
| Authentication tokens | Bearer tokens, JWT tokens, OAuth access/refresh tokens |
| Passwords | Password fields in configuration, connection strings |
| Environment variables | DATABASE_URL, SECRET_KEY, PRIVATE_KEY, custom secrets |
| Connection strings | Database URIs containing credentials |
| Private keys | RSA/EC private key blocks, PEM-encoded certificates |
| Cloud credentials | AWS secret keys, GCP service account keys, Azure connection strings |

2. Scrubbing

Identified secrets are replaced with *********. No sensitive values persist in readable form.
before-redaction.json
{
  "api_key": "sk_live_123456789abcdef",
  "database_url": "mongodb+srv://admin:s3cr3tP@[email protected]/prod",
  "auth_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
after-redaction.json
{
  "api_key": "*********",
  "database_url": "*********",
  "auth_token": "*********"
}
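
The detection and scrubbing steps above can be sketched as a small recursive redactor. This is an added example, not TestDino's implementation: the regexes, the `SECRET_KEYS` field list, and the sample artifact are assumptions constructed to approximate the pattern families listed on this page.

```javascript
// Added illustration, not TestDino's implementation. The regexes are
// assumptions approximating the pattern families this page lists.
const MASK = "*********";

const VALUE_PATTERNS = [
  /\bsk_(?:live|test)_[A-Za-z0-9]+/g, // sk_live_*, sk_test_*
  /\bAKIA[0-9A-Z]{16}\b/g, // AWS access key ID
  /\bBearer\s+[A-Za-z0-9._~+\/=-]+/g, // Bearer token in a header or log line
  /\beyJ[\w-]+\.[\w-]+\.[\w-]*/g, // JWT: three base64url segments
  /\b[a-z][a-z0-9+.-]*:\/\/[^\s\/:@]+:[^\s\/]+@[^\s"']+/gi, // URI with user:pass@
  /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g,
];

// Field names whose whole value is masked even if no value pattern matches.
const SECRET_KEYS = /^(?:api_key|auth_token|password|secret_key|private_key|database_url)$/i;

function redactString(text) {
  return VALUE_PATTERNS.reduce((out, re) => out.replace(re, MASK), text);
}

// Walk a parsed artifact, keeping its shape and masking only secret values.
function redact(node, key = "") {
  if (typeof node === "string") {
    return SECRET_KEYS.test(key) ? MASK : redactString(node);
  }
  if (Array.isArray(node)) return node.map((item) => redact(item, key));
  if (node !== null && typeof node === "object") {
    return Object.fromEntries(
      Object.entries(node).map(([k, v]) => [k, redact(v, k)])
    );
  }
  return node; // numbers, booleans, null (e.g. timing data) pass through
}

// Constructed sample artifact; every value below is fake.
const sample = {
  title: "checkout pays with saved card",
  file: "tests/checkout.spec.ts:42",
  durationMs: 1834,
  env: { SECRET_KEY: "no-recognizable-format", NODE: "20.11.0" },
  console: [
    "using key sk_test_EXAMPLEonly000 for sandbox",
    "aws id AKIAEXAMPLEEXAMPLE00 loaded",
    "connecting to postgres://app:hunter2@db.internal:5432/prod",
  ],
  network: [{ headers: { authorization: "Bearer abc.def-123", accept: "*/*" } }],
};

console.log(JSON.stringify(redact(sample), null, 2));
```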

3. Secure Backup

TestDino retains an encrypted backup of the original unredacted files for authorized audit and incident investigation.
  • Encrypted at rest using AES-256
  • Access restricted to designated security administrators
  • Both versions follow the organization’s configured data retention policy
  • Backup access is logged for audit trail

4. Display

When viewing or downloading artifacts in the dashboard:
  • Detected secrets appear as *********
  • Redaction applies across all artifact types: traces, logs, console output
  • Original artifact structure and formatting are preserved. Only secret values are replaced.

What Gets Redacted

| Artifact Type | Redaction Scope |
| --- | --- |
| Playwright traces | Environment variables, inline secrets, auth tokens in network request/response headers |
| Console output | Logged secrets, connection strings, token values |
| Test step errors | Secrets in error messages or stack traces |
| Network logs | Authorization headers, cookie values, API keys in URLs |
| Inline attachments | Secrets in base64-decoded attachment content |

What Does NOT Get Redacted

  • Test titles and descriptions (user-authored content)
  • File paths and line numbers
  • Non-secret environment metadata (OS, Node.js version, browser settings)
  • Git metadata (commit hashes, branch names, author names)
  • Test statistics and timing data

Infrastructure-Level Log Redaction

TestDino uses structured logging with built-in sensitive data redaction at the infrastructure level. This runs independently of the artifact redaction feature and is active on all plans.
  • Passwords, tokens, and API keys are stripped from application logs
  • Audit logs record user ID, action, resource, and IP address
Review what data is collected and how long it is retained.