PII Mask Node
The piimask node detects and masks sensitive substrings inside the fields you select. Built-in detectors cover common PII categories (email, phone, SSN, credit card, IPv4, IPv6), and you can add custom regex patterns for anything else. Only matched substrings are replaced; the rest of the field value is left intact.
Key Features
- Built-in detectors: Email, Phone, SSN, Credit Card, IPv4, IPv6 — enable any combination
- Custom regex patterns: define your own matchers with configurable replacement tokens
- Flexible path targeting: scan a single field, a nested field, or every string in an entire object subtree using wildcard paths
- Non-destructive: only the matched substring is replaced; structure and non-string values are untouched
Attaching PII Mask Node Using SDK
ZephFlow flow = ZephFlow.startFlow();
flow.appendNode("piimask", config);
Config Object
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
targets | List<String> | Yes | — | Field paths to scan. Supports explicit paths ($.field, $.parent.child) and wildcard paths ($.*, $.parent.*). |
detectors | Detectors | No | — | Built-in detector toggles. Omit a detector to disable it. |
customPatterns | List<CustomPattern> | No | — | Zero or more custom regex matchers. |
Detectors Object
| Field | Type | Description | Default token |
|---|---|---|---|
email | DetectorConfig | Email address detector | [EMAIL] |
phone | DetectorConfig | Phone number detector | [PHONE] |
ssn | DetectorConfig | US Social Security Number detector | [SSN] |
creditCard | DetectorConfig | Credit card number detector (Luhn-validated) | [CC] |
ipv4 | DetectorConfig | IPv4 address detector (octet-validated) | [IPV4] |
ipv6 | DetectorConfig | IPv6 address detector | [IPV6] |
Set a field to a DetectorConfig object to enable it. A null field disables that detector.
DetectorConfig Object
| Field | Type | Required | Description |
|---|---|---|---|
replacement | String | No | Custom replacement token. If null, the detector's default token is used. |
CustomPattern Object
| Field | Type | Required | Description |
|---|---|---|---|
name | String | Yes | Identifier used in logs and error messages (e.g. api_key). |
pattern | String | Yes | Regular expression to search for. |
replacement | String | Yes | Literal string substituted for each match (e.g. [API_KEY]). |
Target Path Syntax
Paths use a dotted $-prefix notation:
- Explicit —
$.fieldor$.parent.child: scans the string value at that exact path, or each string element if the leaf is an array. - Wildcard —
$.*or$.parent.*: navigates to the named prefix object, then recursively scans every string value in that subtree (including deeply nested objects and array elements). The*must be the last segment.
Non-string values (numbers, booleans, objects) are always skipped. Missing paths are silently ignored.
Examples
Mask email and phone in a single field
{
"targets": ["$.message"],
"detectors": {
"email": {},
"phone": {}
}
}
Mask all PII in every field of a nested user object
{
"targets": ["$.user.*"],
"detectors": {
"email": {},
"phone": {},
"ssn": {},
"creditCard": {}
}
}
Mask the entire top-level record with a custom API key pattern
{
"targets": ["$.*"],
"detectors": {
"email": {}
},
"customPatterns": [
{
"name": "api_key",
"pattern": "[A-Za-z0-9]{32}",
"replacement": "[API_KEY]"
}
]
}
Custom replacement tokens
{
"targets": ["$.body"],
"detectors": {
"email": { "replacement": "***@***.***" },
"ssn": { "replacement": "XXX-XX-XXXX" }
}
}
Behavior Notes
- Missing paths: If a target path does not exist on a record, the record passes through unchanged — no error is produced.
- Non-string leaf values: Numbers, booleans, and nested objects at the target path are silently skipped.
- Multiple detectors: All enabled detectors and custom patterns are applied in a single pass; overlapping matches may interact depending on match order.
- Credit card validation: The credit card detector applies Luhn checksum validation, so patterns that pass the regex but fail Luhn are not masked.
- IPv4 octet range: Each octet is validated to be 0–255; out-of-range values are not masked.