Allowlist for suppressing specific values from sanitization.
Values matching an allowlist entry pass through the output unchanged and
are not recorded in the MappingStore.
This means they also won’t propagate to the Phase 2 augmented scanner as
discovered literals — a value that is allowed stays allowed everywhere.
Pattern syntax
Three pattern forms are supported:
| Pattern | Matches |
|---|---|
| localhost | Exactly localhost |
| *.internal | Any value ending with .internal (glob) |
| 192.168.1.* | Any value starting with 192.168.1. (glob) |
| user-*@corp.com | Prefix + suffix glob |
| regex:^192\.168\.[0-9]+\.[0-9]+$ | Full regex match |
Glob patterns use * as the only wildcard (matches any sequence of
characters). Multiple * wildcards are supported. Globs are
case-insensitive by default (see AllowlistMatcher::new_case_sensitive).
Regex patterns are prefixed with regex:. The remainder is compiled as
a regex::Regex and matched against the full value. Regex patterns are
always case-sensitive; use the (?i) flag inside the pattern for
case-insensitive matching. The regex: prefix is stripped before
compiling, so regex:^foo$ compiles to ^foo$.
If a regex fails to compile, a warning is returned and the pattern is skipped (the matcher continues without it rather than panicking).
If a plain pattern (no *, no regex: prefix) contains regex
metacharacters (^, $, +, (, )), a warning is emitted suggesting
the regex: prefix — those characters are still matched literally in the
plain form.
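The sketch below is an added illustration, not this crate's implementation: it models the documented classification and glob rules with the standard library only, so you can see how broad a glob entry is before adding it to an allowlist. The names `Form`, `classify` and `glob_match` are hypothetical, the sample values are constructed, and it assumes `*` may match an empty sequence; `regex:` patterns are only classified, not evaluated.

```rust
// Added illustration, not the crate's implementation.
#[derive(Debug, PartialEq)]
enum Form { Exact, Glob, Regex }

/// Classify a pattern the way the page describes. The bool models the
/// documented warning for plain patterns containing regex metacharacters.
fn classify(pattern: &str) -> (Form, bool) {
    if pattern.starts_with("regex:") {
        (Form::Regex, false)
    } else if pattern.contains('*') {
        (Form::Glob, false)
    } else {
        let warn = pattern.chars().any(|c| matches!(c, '^' | '$' | '+' | '(' | ')'));
        (Form::Exact, warn)
    }
}

/// Whole-value glob match where `*` is the only wildcard.
/// Assumption: `*` may match the empty string.
fn glob_match(pattern: &str, value: &str, case_sensitive: bool) -> bool {
    let (p, v) = if case_sensitive {
        (pattern.to_string(), value.to_string())
    } else {
        (pattern.to_lowercase(), value.to_lowercase())
    };
    let parts: Vec<&str> = p.split('*').collect();
    if parts.len() == 1 { return p == v; }
    let (first, last) = (parts[0], parts[parts.len() - 1]);
    if v.len() < first.len() + last.len() || !v.starts_with(first) || !v.ends_with(last) {
        return false;
    }
    // Middle literals must appear, in order, between the prefix and suffix.
    let mut rest = &v[first.len()..v.len() - last.len()];
    for mid in &parts[1..parts.len() - 1] {
        match rest.find(mid) {
            Some(i) => rest = &rest[i + mid.len()..],
            None => return false,
        }
    }
    true
}

fn main() {
    // Constructed sample values.
    println!("{:?}", classify("192.168.1.*"));
    for v in ["192.168.1.7", "192.168.1.7.example.org", "10.0.0.1"] {
        println!("{v}: {}", glob_match("192.168.1.*", v, false));
    }
}
```

Under these rules the glob `192.168.1.*` also lets a hostname such as `192.168.1.7.example.org` pass unsanitized, which the anchored `regex:` form in the table would not.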
Structs
- AllowlistMatcher - Compiled allowlist that can be queried concurrently.