Redaction & Security
Rekord is safe by default. A dedicated scanner reports secrets before anything leaves your machine, and redaction happens on export — your recorded source files are never modified.
Scan a session
$ rekord scan monocron-demo
✓ no secrets found · 3 patterns checked
When something matches, Rekord tells you exactly where. Add --strict to exit non-zero so a scan can gate a CI step or a pre-share hook.
$ rekord scan monocron-demo --strict
! AWS key matched · event 14 · stdout
✗ 1 secret found (exit 1)
Redact on export
Scanning only reports. To actually strip secrets, redact when you export or hand off — the generated output is cleaned while the raw session stays intact.
$ rekord export monocron-demo --to markdown --redact
✓ wrote demo.md · 1 secret redacted → ■■■■■■■■■■
▋ security
Turn redaction on by default in config (privacy.redact: true) and add your own privacy.redactPatterns. Use --no-redact to override per export.
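A pre-share hook that combines the scan gate and redact-on-export, as an added example (not Rekord's own code). The function name share_session and the ON_SECRET variable are hypothetical; reading exit code 1 as "secret found" follows the sample output above, and treating any other non-zero code as a failed scan is an assumption.

```shell
# Added example, not part of Rekord. Assumes `rekord` is on PATH.
# share_session and ON_SECRET are hypothetical names.
#   ON_SECRET=block   (default) refuse to export when the scan matches
#   ON_SECRET=redact  export anyway, relying on --redact
# Returns: 0 exported, 1 blocked by a match, 2 usage, 3 scan did not run.
share_session() {
    session=${1:-}
    policy=${ON_SECRET:-block}
    if [ -z "$session" ]; then
        echo "usage: share_session <session>" >&2
        return 2
    fi

    # --strict turns a match into a non-zero exit. Capture the code with
    # `||` so a caller running under `set -e` is not aborted here.
    scan_rc=0
    rekord scan "$session" --strict || scan_rc=$?

    case $scan_rc in
        0) ;;                       # clean scan: fall through to export
        1)                          # match (exit 1 in the sample output)
            if [ "$policy" != redact ]; then
                echo "blocked: scan matched a secret in $session" >&2
                return 1
            fi
            echo "scan matched; exporting $session with --redact" >&2
            ;;
        *)                          # scan did not complete: fail closed
            echo "blocked: scan exited $scan_rc, nothing exported" >&2
            return 3
            ;;
    esac

    # Pass --redact explicitly instead of relying on privacy.redact being
    # set in config; the raw session is left untouched either way.
    rekord export "$session" --to markdown --redact
}
```

In CI, leave ON_SECRET unset so a match stops the job; the redact policy suits a local hand-off where the cleaned export is the intended result.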
Privacy rules
- Everything stays local. There is no account, no sync, and zero telemetry.
- Sessions are plain files under ~/.rekord/ — inspect or delete them anytime.
- Add ~/.rekord/ to your global .gitignore so recordings never land in a repo by accident.