Add sensitive data masking support

[TharmiganK]

Purpose

Fixes: ballerina-platform/ballerina-library#8211

Examples

Enable sensitive data masking

By default, sensitive data masking is disabled. Enable it in Config.toml:

[ballerina.log]
enableSensitiveDataMasking = true

Or configure it per logger:

log:Config secureConfig = {
    enableSensitiveDataMasking: true
};
log:Logger secureLogger = log:fromConfig(secureConfig);

Simple Example

import ballerina/log;

type User record {
    string id;
    @log:Sensitive
    string password;
    string name;
};

public function main() {
    User user = {id: "U001", password: "mypassword", name: "John Doe"};
    log:printInfo("user details", user = user);
}

Output (with masking enabled):

time=2025-08-20T09:15:30.123+05:30 level=INFO module="" message="user details" user={"id":"U001","name":"John Doe"}

Multiple Strategies

import ballerina/log;

isolated function maskString(string input) returns string {
    if input.length() <= 2 {
        return "****";
    }
    return input.substring(0, 1) + "****" + input.substring(input.length() - 1);
}

type User record {
    string id;
    @log:Sensitive{
        strategy: {
            replacement: "****"
        }   
    }
    string password;
    @log:Sensitive {
        strategy: {
            replacement: maskString
        }
    }
    string ssn;
    string name;
};

Masked String Function

User user = {id: "U001", password: "mypassword", name: "John Doe"};
string maskedUser = log:toMaskedString(user);
io:println(maskedUser); // {"id":"U001","name":"John Doe"}

Checklist

• Linked to an issue
• Updated the changelog
• Added tests
• Updated the spec
• Checked native-image compatibility

[codecov]

Codecov Report

❌ Patch coverage is 79.51807% with 68 lines in your changes missing coverage. Please review.
✅ Project coverage is 81.67%. Comparing base (cda83f8) to head (42156dd).
⚠️ Report is 2 commits behind head on master.

Files with missing lines	Patch %	Lines
...a/io/ballerina/stdlib/log/MaskedStringBuilder.java	77.44%	43 Missing and 24 partials ⚠️
ballerina/natives.bal	94.44%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##             master    #1343      +/-   ##
============================================
- Coverage     90.75%   81.67%   -9.09%     
- Complexity        7       81      +74     
============================================
  Files             6        8       +2     
  Lines           238      562     +324     
  Branches         59      114      +55     
============================================
+ Hits            216      459     +243     
- Misses           19       76      +57     
- Partials          3       27      +24     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[TharmiganK]

Pending tasks:

• Add integration tests with log functions
• Update specification
• Add BBEs - Tracked via Create a BBE for Sensitive Data Masking Feature ballerina-library#8326

[Copilot]

Pull Request Overview

Copilot reviewed 22 out of 22 changed files in this pull request and generated 3 comments.

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[ThisaruGuruge]

LGTM

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud