Kong provides several AI PII Anonymizer service Docker images in a private repository. Each image includes a built-in NLP model and is tagged using the version-lang_code
format. For example:
-
service:v0.1.2-en
: English model, version 0.1.2
-
service:v0.1.2-it
: Italian model, version 0.1.2
-
service:v0.1.2-fr
: French model, version 0.1.2
All models are bundled into a single image per version, tagged using the format v<version>
. For example: v0.1.2
If you need to add or modify models, edit the configuration file at ai_pii_service/nlp_engine_conf.yml
.
Kong distributes these images via a private Cloudsmith registry. Contact Kong Support to request access.
To pull images, you must authenticate first with the token provided by the Support:
docker login docker.cloudsmith.io
Docker will then prompt you to enter username and password:
Username: kong/ai-pii
Password: YOUR-TOKEN
This is a token-based login with read-only access. You can pull images but not push them.
To pull an image:
docker pull docker.cloudsmith.io/kong/ai-pii/IMAGE-NAME:TAG
Replace IMAGE-NAME
and TAG
with the appropriate image and version, such as:
docker pull docker.cloudsmith.io/kong/ai-pii/service:v0.1.2-en
To use an image in a Dockerfile
, reference it as follows:
FROM docker.cloudsmith.io/kong/ai-pii/ai-pii-service:v0.1.2-en
The following language-specific images are currently available:
-
-en
(English)
-
-fr
(French)
-
-de
(German)
-
-it
(Italian)
-
-ja
(Japanese)
-
-pt
(Portuguese)
-
-ko
(Korean)
The PII Anonymizer service loads one NLP model by default. Ensure at least 600MB of free memory is available when running the container.
This service takes the following optional environment variables at startup:
-
GUNICORN_WORKERS
: Specifies the number of Gunicorn processes to run
-
PII_SERVICE_ENGINE_CONF
: Specifies the natural language processing (NLP) engine configuration file
-
GUNICORN_LOG_LEVEL
: Specifies log level
-
POST /llm/v1/sanitize
: Sanitize specified types of PII information, including credentials, and custom patterns
-
POST /llm/v1/sanitize_credentials
: Only for sanitizing credentials
You can anonymize data in requests using the following redact modes:
-
placeholder
: Replaces sensitive data with a fixed placeholder pattern, PLACEHOLDER{i}
, where i
is a sequence number. Identical original values receive the same placeholder.
For example, the location New York City
might be replaced with LOCATION
.
-
synthetic
: Redact the sensitive data with a word in the same type.
For example, the name John
might be replaced with Amir
.
- Custom patterns are replaced with
CUSTOM{i}
.
- Credentials are replaced with a string of
#
characters matching the original length.
You can define an array of custom patterns on a per-request basis.
Currently, only regex patterns are supported, and all fields are required: name
, regex
, and score
.
The name
must be unique for each pattern.
You can use the following fields in the anonymize
array:
-
general
: Anonymizes general PII entities such as person names, locations, and organizations.
-
phone
: Anonymizes phone numbers (for example, mobile
, landline
).
-
email
: Anonymizes email addresses.
-
creditcard
: Anonymizes credit card numbers.
-
crypto
: Anonymizes cryptocurrency addresses.
-
date
: Anonymizes dates and timestamps.
-
ip
: Anonymizes IP addresses (both IPv4 and IPv6).
-
nrp
: Anonymizes a person’s nationality, religious, or political group.
-
ssn
: Anonymizes Social Security Numbers (SSN) and other related identifiers like ITIN, NIF, ABN, and more.
-
domain
: Anonymizes domain names.
-
url
: Anonymizes web URLs.
-
medical
: Anonymizes medical identifiers (for example, medical license numbers, NHS numbers, medicare numbers).
-
driverlicense
: Anonymizes driver’s license numbers.
-
passport
: Anonymizes passport numbers.
-
bank
: Anonymizes bank account numbers and related banking identifiers (for example, VAT codes, IBAN).
-
nationalid
: Anonymizes various national identification numbers (for example, Aadhaar, PESEL, NRIC, social security, or voter IDs).
-
custom
: Anonymizes user-defined custom PII patterns using regular expressions only when custom patterns are provided.
-
credentials
: Anonymizes the credentials, similar to /sanitize_credentials
.
-
all
: Includes all the fields above, including custom ones.