> ## Documentation Index
> Fetch the complete documentation index at: https://docs.testdino.com/llms.txt
> Use this file to discover all available pages before exploring further.

# TestDino Data Redaction for Playwright

> TestDino automatically detects and scrubs secrets, tokens, and API keys from Playwright trace files and test artifacts before storing them.

TestDino scans test artifacts for secrets and replaces them with masked values before they appear in the dashboard. This prevents accidental exposure of tokens, passwords, API keys, and credentials during debugging and review.

<Note>
  **Note**

  Data Redaction is an Enterprise plan feature. Contact **[support@testdino.com](mailto:support@testdino.com)** to enable it.
</Note>

## Quick Reference

| Item                                      | Description                                                   |
| :---------------------------------------- | :------------------------------------------------------------ |
| [Detected Patterns](#detected-patterns)   | API keys, tokens, passwords, connection strings, private keys |
| [Redaction Process](#how-redaction-works) | Detection, scrubbing, backup, and display                     |
| [Scope](#what-gets-redacted)              | Traces, console output, errors, network logs, attachments     |
| [Exclusions](#what-does-not-get-redacted) | Test titles, file paths, git metadata, timing data            |

***

## How Redaction Works

### 1. Detection

When artifacts (traces, logs, console output) are uploaded, the system scans content for patterns matching sensitive information.

### Detected Patterns

| Pattern Type          | Examples                                                            |
| :-------------------- | :------------------------------------------------------------------ |
| API keys              | `sk_live_*`, `sk_test_*`, `api_key_*`, `AKIA*` (AWS)                |
| Authentication tokens | Bearer tokens, JWT tokens, OAuth access/refresh tokens              |
| Passwords             | Password fields in configuration, connection strings                |
| Environment variables | `DATABASE_URL`, `SECRET_KEY`, `PRIVATE_KEY`, custom secrets         |
| Connection strings    | Database URIs containing credentials                                |
| Private keys          | RSA/EC private key blocks, PEM-encoded certificates                 |
| Cloud credentials     | AWS secret keys, GCP service account keys, Azure connection strings |

### 2. Scrubbing

Identified secrets are replaced with `*********`. No sensitive values persist in readable form.

```json before-redaction.json theme={null}
{
  "api_key": "sk_live_123456789abcdef",
  "database_url": "mongodb+srv://admin:s3cr3tP@ss@cluster.mongodb.net/prod",
  "auth_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
```

```json after-redaction.json theme={null}
{
  "api_key": "*********",
  "database_url": "*********",
  "auth_token": "*********"
}
```

### 3. Secure Backup

TestDino retains an encrypted backup of the original unredacted files for authorized audit and incident investigation.

* Encrypted at rest using AES-256
* Access restricted to designated security administrators
* Both versions follow the organization's configured [data retention policy](/data-privacy/data-retention)
* Backup access is logged for audit trail

### 4. Display

When viewing or downloading artifacts in the dashboard:

* Detected secrets appear as `*********`
* Redaction applies across all artifact types: traces, logs, console output
* Original artifact structure and formatting is preserved. Only secret values are replaced.

## What Gets Redacted

| Artifact Type      | Redaction Scope                                                                        |
| :----------------- | :------------------------------------------------------------------------------------- |
| Playwright traces  | Environment variables, inline secrets, auth tokens in network request/response headers |
| Console output     | Logged secrets, connection strings, token values                                       |
| Test step errors   | Secrets in error messages or stack traces                                              |
| Network logs       | Authorization headers, cookie values, API keys in URLs                                 |
| Inline attachments | Secrets in base64-decoded attachment content                                           |

## What Does NOT Get Redacted

* Test titles and descriptions (user-authored content)
* File paths and line numbers
* Non-secret environment metadata (OS, Node.js version, browser settings)
* Git metadata (commit hashes, branch names, author names)
* Test statistics and timing data

## Infrastructure-Level Log Redaction

TestDino uses structured logging with built-in sensitive data redaction at the infrastructure level. This runs independently of the artifact redaction feature and is active on all plans.

* Passwords, tokens, and API keys are stripped from application logs
* Audit logs record user ID, action, resource, and IP address

## Related

Review what data is collected and how long it is retained.

<CardGroup cols={2}>
  <Card title="Access to Customer Data" icon="database" href="/data-privacy/access-to-customer-data">
    Full list of data TestDino collects
  </Card>

  <Card title="Data Retention" icon="clock" href="/data-privacy/data-retention">
    Retention periods by tier and data category
  </Card>
</CardGroup>
