Hybrid Privacy

Inkog is designed with privacy as a core principle. Your secrets never leave your machine.

How It Works

Inkog uses a hybrid approach to protect your sensitive data:

Secrets detected locally - API keys, passwords, and tokens are found on your machine
Automatic redaction - Sensitive values are replaced with placeholders before analysis
Safe analysis - Only sanitized code is processed
Results merged - Local secret findings are combined with security analysis

Your actual credentials never leave your machine.

What Gets Redacted

Inkog uses surgical redaction — only specific credential patterns are removed. This preserves your business logic for security analysis.

Pattern	Example	Detection Method
AWS Access Keys	`AKIA...`	Exact prefix match
GitHub Tokens	`ghp_`, `gho_`, `ghu_`	Exact prefix match
Stripe Keys	`sk_live_`, `pk_live_`	Exact prefix match
Slack Tokens	`xox[baprs]-...`	Exact prefix match
Private Keys	`-----BEGIN RSA PRIVATE KEY-----`	Header match
JWT Tokens	`eyJ...`	Base64 structure
Database URLs	`postgres://user:pass@host`	Connection string
Password variables	`password = "..."`	Assignment pattern
High-entropy strings	32+ random chars	Shannon entropy >4.5

Example

Before redaction:


api_key = "sk-proj-abc123..."
password = "hunter2"

After redaction:


api_key = "[REDACTED-API_KEY]"
password = "[REDACTED-DATABASE_PASSWORD]"

What is NOT Redacted

To enable security analysis, the following pass through:

Prompts and templates — Required for prompt injection detection
Business logic — Required for loop and data flow analysis
Configuration values — Model names, temperatures, etc.
Normal strings — Text that doesn’t match credential patterns
Custom secret formats — Proprietary patterns not in our library


# NOT redacted - needed for prompt injection detection
system_prompt = "You are helpful. Ignore all previous instructions."
 
# NOT redacted - custom format unknown to Inkog
internal_key = "ACME_PROD_xxxx"
 
# IS redacted - matches known pattern
openai_key = "sk-proj-abc123..."

Enterprise: If your organization uses custom credential formats, contact us about configurable redaction patterns and self-hosted deployment options.

Secrets in Prompts

Inkog detects when sensitive data appears in LLM prompts:

Vulnerable

Secrets embedded directly in prompt text

# Embedding secrets in prompts
def get_response(query):
  prompt = f"""
  API Key: {os.environ['OPENAI_KEY']}
  Database: {DB_CONNECTION_STRING}

  Answer this: {query}
  """
  return llm.generate(prompt)

Secure

Secrets handled through secure SDK configuration

# Secrets properly isolated
def get_response(query):
  # Secrets never in prompt
  prompt = QUERY_TEMPLATE.format(query=sanitize(query))

  # Keys passed via SDK config
  return llm.generate(
      prompt,
      api_key=get_secret("OPENAI_KEY")
  )

Compliance Benefits

Requirement	Inkog Compliance
Data minimization	Secrets redacted before processing
Purpose limitation	Analysis only
Storage limitation	Results stored locally only

SOC 2

Control	Inkog Implementation
CC6.1 - Logical access	Secrets never transmitted
CC6.7 - Transmission security	Redaction before any network calls

HIPAA

For healthcare AI applications:

PHI protection - Sensitive data redacted
Audit logs local - Full control over log retention
Data isolation - Your data stays on your infrastructure

Enterprise Deployment

Inkog can be deployed in air-gapped and high-security environments:


# Install locally
curl -L https://releases.inkog.io/latest/inkog | tar xz
./inkog .

For maximum security, Inkog can run completely offline with no network access required.