DEV Community: gn000q The latest articles on DEV Community by gn000q (@gn000q). https://dev.to/gn000q https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3875275%2F46299f1a-5ee6-4734-ab01-1527d3d9735f.png DEV Community: gn000q https://dev.to/gn000q en Zero-Allocation PII Redaction in Go: Processing 780MB of Logs in Under 3 Minutes gn000q Tue, 14 Apr 2026 12:10:00 +0000 https://dev.to/gn000q/zero-allocation-pii-redaction-in-go-processing-780mb-of-logs-in-under-3-minutes-5fgm https://dev.to/gn000q/zero-allocation-pii-redaction-in-go-processing-780mb-of-logs-in-under-3-minutes-5fgm <h1> Zero-Allocation PII Redaction in Go: Processing 780MB of Logs in Under 3 Minutes </h1> <p>Every team feeding logs to LLMs has the same dirty secret: those logs are full of emails, IP addresses, credit card numbers, and government IDs. I know because I built a tool to find them.</p> <p>After scanning 10GB of production logs at work, I found <strong>47,000+ PII instances</strong> — emails, IPs, phone numbers — all sitting in plain text, waiting to be piped into ChatGPT or fine-tuning datasets.</p> <p>So I built a local-first PII redaction engine in pure Go. No cloud. No API keys. No telemetry. This post breaks down the engineering decisions that made it fast.</p> <h2> The Problem: PII Leaks in AI Pipelines </h2> <p>The AI workflow looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Production Logs → Pre-processing → LLM API / Fine-tuning </code></pre> </div> <p>The gap is between step 1 and step 2. Most teams skip sanitization because:</p> <ol> <li> <strong>Cloud DLP services</strong> (Google, AWS Macie) require uploading your data — defeating the purpose</li> <li> <strong>Python-based tools</strong> (Presidio, scrubadub) are slow on large log files and need heavy dependencies</li> <li> <strong>Manual regex</strong> is fragile and doesn't handle context (is <code>1.2.3.4</code> an IP or a version number?)</li> </ol> <p>I needed something that could:</p> <ul> <li>Process 780MB in &lt; 3 minutes on a single machine</li> <li>Run <strong>100% offline</strong> — no network calls, ever</li> <li>Handle 11+ PII types across 7 jurisdictions (GDPR, HIPAA, CCPA, PIPL, APPI, PDPA)</li> <li>Produce consistent tokenization for AI training (<code>user@test.com</code> → <code>[EMAIL_0001]</code> everywhere)</li> </ul> <h2> Architecture: Why Go, and Why Zero-Allocation </h2> <p>Go was chosen for one reason: <strong>predictable memory behavior at high throughput</strong>. No GC pauses, no JIT warmup, no pip dependency hell.</p> <p><strong>CLI / GUI Entry</strong><br> → Fyne GUI (drag &amp; drop) | CLI Mode (batch processing)<br> → <strong>Compliance Profiles</strong> (PIPL / GDPR / CCPA / HIPAA / APPI / PDPA)<br> → <strong>Core Engine</strong> — pure <code>[]byte</code> pipeline:<br> <code>PreFilter → Regex → Validate → Tokenize → Write</code><br> powered by <code>sync.Pool</code> · lock-free stats · streaming I/O</p> <p>The engine never converts <code>[]byte</code> to <code>string</code> in the hot path. Here's why that matters:</p> <h3> Trick 1: PreFilter Byte Probes </h3> <p>Before running regex (expensive), every line passes through a cheap byte probe:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">Pattern</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">ID</span> <span class="kt">string</span> <span class="n">Name</span> <span class="kt">string</span> <span class="n">Regex</span> <span class="o">*</span><span class="n">regexp</span><span class="o">.</span><span class="n">Regexp</span> <span class="n">PreFilter</span> <span class="k">func</span><span class="p">(</span><span class="n">line</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">)</span> <span class="kt">bool</span> <span class="c">// ← fast reject</span> <span class="n">Validate</span> <span class="k">func</span><span class="p">(</span><span class="n">match</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">)</span> <span class="kt">bool</span> <span class="c">// ← context-aware</span> <span class="p">}</span> </code></pre> </div> <p>For example, the email pattern's PreFilter just checks if the line contains <code>@</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">PreFilter</span><span class="o">:</span> <span class="k">func</span><span class="p">(</span><span class="n">line</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">)</span> <span class="kt">bool</span> <span class="p">{</span> <span class="k">return</span> <span class="n">bytes</span><span class="o">.</span><span class="n">ContainsRune</span><span class="p">(</span><span class="n">line</span><span class="p">,</span> <span class="sc">'@'</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p><strong>Result</strong>: ~80% of lines are skipped before regex runs. On a 780MB server log, this saves ~45 seconds.</p> <h3> Trick 2: sync.Pool Buffer Reuse </h3> <p>Every output line needs a buffer. Allocating and GC'ing millions of buffers kills throughput:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">var</span> <span class="n">bufPool</span> <span class="o">=</span> <span class="n">sync</span><span class="o">.</span><span class="n">Pool</span><span class="p">{</span> <span class="n">New</span><span class="o">:</span> <span class="k">func</span><span class="p">()</span> <span class="k">interface</span><span class="p">{}</span> <span class="p">{</span> <span class="n">b</span> <span class="o">:=</span> <span class="nb">make</span><span class="p">([]</span><span class="kt">byte</span><span class="p">,</span> <span class="m">0</span><span class="p">,</span> <span class="m">4096</span><span class="p">)</span> <span class="k">return</span> <span class="o">&amp;</span><span class="n">b</span> <span class="p">},</span> <span class="p">}</span> <span class="c">// In hot loop:</span> <span class="n">bp</span> <span class="o">:=</span> <span class="n">bufPool</span><span class="o">.</span><span class="n">Get</span><span class="p">()</span><span class="o">.</span><span class="p">(</span><span class="o">*</span><span class="p">[]</span><span class="kt">byte</span><span class="p">)</span> <span class="n">buf</span> <span class="o">:=</span> <span class="p">(</span><span class="o">*</span><span class="n">bp</span><span class="p">)[</span><span class="o">:</span><span class="m">0</span><span class="p">]</span> <span class="c">// reset length, keep capacity</span> <span class="c">// ... write to buf ...</span> <span class="n">bufPool</span><span class="o">.</span><span class="n">Put</span><span class="p">(</span><span class="n">bp</span><span class="p">)</span> <span class="c">// return to pool</span> </code></pre> </div> <p><strong>Result</strong>: heap allocations drop from millions to ~50. GC pressure essentially zero.</p> <h3> Trick 3: Context-Aware Validation </h3> <p>The regex for IPv4 (<code>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b</code>) matches version numbers like <code>1.2.3.4</code> and file paths like <code>data.2024.01.15</code>. The Validate callback handles this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="n">Validate</span><span class="o">:</span> <span class="k">func</span><span class="p">(</span><span class="n">match</span> <span class="p">[]</span><span class="kt">byte</span><span class="p">)</span> <span class="kt">bool</span> <span class="p">{</span> <span class="c">// Reject if preceded by "version", "v", "=" etc.</span> <span class="c">// Reject if all octets &gt; 255</span> <span class="c">// Reject if it looks like a date pattern</span> <span class="k">return</span> <span class="n">isLikelyIP</span><span class="p">(</span><span class="n">match</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>This eliminated <strong>94% of false positives</strong> in our production logs without sacrificing recall.</p> <h3> Trick 4: RWMutex Tokenization </h3> <p>For AI training data, you need consistent tokens: the same email should always map to <code>[EMAIL_0001]</code>. The tokenizer uses a read-write split:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight go"><code><span class="k">type</span> <span class="n">Tokenizer</span> <span class="k">struct</span> <span class="p">{</span> <span class="n">mu</span> <span class="n">sync</span><span class="o">.</span><span class="n">RWMutex</span> <span class="n">tokens</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="kt">string</span> <span class="n">counts</span> <span class="k">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="kt">int</span> <span class="p">}</span> <span class="k">func</span> <span class="p">(</span><span class="n">t</span> <span class="o">*</span><span class="n">Tokenizer</span><span class="p">)</span> <span class="n">GetToken</span><span class="p">(</span><span class="n">typ</span><span class="p">,</span> <span class="n">value</span> <span class="kt">string</span><span class="p">)</span> <span class="kt">string</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">RLock</span><span class="p">()</span> <span class="k">if</span> <span class="n">tok</span><span class="p">,</span> <span class="n">ok</span> <span class="o">:=</span> <span class="n">t</span><span class="o">.</span><span class="n">tokens</span><span class="p">[</span><span class="n">key</span><span class="p">];</span> <span class="n">ok</span> <span class="p">{</span> <span class="n">t</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">RUnlock</span><span class="p">()</span> <span class="k">return</span> <span class="n">tok</span> <span class="c">// fast path: read-only</span> <span class="p">}</span> <span class="n">t</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">RUnlock</span><span class="p">()</span> <span class="n">t</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">Lock</span><span class="p">()</span> <span class="c">// ... create new token ...</span> <span class="n">t</span><span class="o">.</span><span class="n">mu</span><span class="o">.</span><span class="n">Unlock</span><span class="p">()</span> <span class="k">return</span> <span class="n">newToken</span> <span class="c">// slow path: only for first occurrence</span> <span class="p">}</span> </code></pre> </div> <p>In real logs, PII values repeat heavily. The RLock fast path handles ~95% of lookups with zero contention.</p> <h2> Benchmark: 780MB Production Log </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Input size</td> <td>780 MB (4.2M lines)</td> </tr> <tr> <td>PII instances found</td> <td>47,283</td> </tr> <tr> <td>Processing time</td> <td>2 min 48 sec</td> </tr> <tr> <td>Peak memory</td> <td>12 MB</td> </tr> <tr> <td>Throughput</td> <td>~4.6 MB/s</td> </tr> <tr> <td>False positive rate</td> <td>&lt; 0.3% (validated on 1,000 random samples)</td> </tr> </tbody> </table></div> <p>For comparison, a Python regex-based approach on the same file took <strong>23 minutes</strong> with 1.8GB peak memory.</p> <h2> Multi-Jurisdiction Compliance </h2> <p>The tool ships with 7 compliance profiles, each enabling only the PII patterns required by that jurisdiction:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Profile</th> <th>Jurisdiction</th> <th>What It Catches</th> </tr> </thead> <tbody> <tr> <td><code>default</code></td> <td>Full scan</td> <td>All 11 pattern types</td> </tr> <tr> <td><code>pipl</code></td> <td>China (PIPL)</td> <td>ID Card, CN Mobile, Email, IPv4</td> </tr> <tr> <td><code>gdpr</code></td> <td>EU (GDPR)</td> <td>Email, IPv4/v6, Credit Card</td> </tr> <tr> <td><code>ccpa</code></td> <td>California (CCPA)</td> <td>Email, IP, Phone, Credit Card, SSN</td> </tr> <tr> <td><code>hipaa</code></td> <td>US Medical (HIPAA)</td> <td>Email, Phone, SSN, IPv4</td> </tr> <tr> <td><code>appi</code></td> <td>Japan (APPI)</td> <td>Email, Phone, My Number, IPv4</td> </tr> <tr> <td><code>pdpa</code></td> <td>Singapore/Thailand</td> <td>Email, Phone, IPv4, ID Card</td> </tr> </tbody> </table></div> <p>Switch profiles with a single flag:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>./pii_redactor <span class="nt">--input</span> server.log <span class="nt">--profile</span> gdpr <span class="nt">--output</span> clean.log </code></pre> </div> <h2> Audit Report </h2> <p>Every run generates an audit report — essential for compliance documentation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>═══════════════════════════════════════════ PII Redaction Audit Report ═══════════════════════════════════════════ File: server_2024.log Encoding: UTF-8 Lines: 4,218,903 Duration: 2m48s ───────────────────────────────────── PII Type Hits Examples ───────────────────────────────────── Email 12,847 user@corp.com → [EMAIL_0001] IPv4 28,102 10.0.0.1 → [IP_0001] Credit Card 891 4111...1111 → [CC_0001] Phone (Intl) 2,443 +1-202-... → [PHONE_0001] JWT 3,000 eyJhbG... → [JWT_0001] ═══════════════════════════════════════════ </code></pre> </div> <p>The tokenization map (<code>[EMAIL_0001]</code> ↔ original value) is kept in memory only during processing and never written to disk — zero data leakage by design.</p> <h2> Try It </h2> <p>The tool runs on Windows, macOS (Apple Silicon), and Linux. No dependencies, no Docker, no cloud account.</p> <p><strong>GitHub</strong>: <a href="https://github.com/gn000q/pii_redactor" rel="noopener noreferrer">github.com/gn000q/pii_redactor</a></p> <p><strong>Download pre-built binaries</strong>: <a href="https://gnqster.gumroad.com/l/pii-redactor-v2" rel="noopener noreferrer">PII Redactor V2 on Gumroad</a> — includes cross-platform binaries, sample test data, config templates, and a quick-start guide.</p> <h2> What's Next </h2> <p>I'm considering adding:</p> <ul> <li>YAML/JSON structured log parsing (currently handles flat text)</li> <li>Custom pattern loading from external config files</li> <li>Streaming mode for piped input (<code>tail -f | pii_redactor</code>)</li> </ul> <p><strong>What does your PII cleanup workflow look like?</strong> I'd love to hear if you're dealing with similar issues — especially if you're feeding logs to AI APIs.</p> go security ai privacy