Guardrails are an enterprise-only feature. They require the enterprise Bifrost image.
Credential and endpoint fields in guardrail provider
config blocks support env.* references (e.g. env.AWS_SECRET_ACCESS_KEY). Bifrost resolves the value from the process environment at startup. See the Environment Variable Support section for the complete per-provider field list.bifrost.guardrails in your values file. The configuration has two parts:
providers- the backend that performs the check. Rules link to providers byid.rules- CEL expressions that control when and where providers are invoked.
Providers
- Regex
- Secrets
- Presidio
- Azure AI Language PII
- AWS Bedrock
- Azure Content Safety
- Google Model Armor
- CrowdStrike AIDR
- Patronus AI
- Gray Swan
Runs entirely in-process with no external dependency. Patterns use RE2 syntax. Supports optional per-pattern flags: The Web UI’s PII Detection template is also a
i (case-insensitive), m (multiline), s (dot-all). Each pattern can detect_only, block, or redact.bifrost:
guardrails:
providers:
- id: 1
provider_name: "regex"
policy_name: "redact-sensitive-patterns"
enabled: true
timeout: 5
config:
patterns:
- pattern: "[A-Z0-9._%+-]+@[A-Z0-9.-]+\\.[A-Z]{2,}"
description: "Email address"
entity_type: "EMAIL"
flags: "i"
action: "redact"
redaction_strategy: "replace"
redaction_mode: "runtime_reversible"
- pattern: "AKIA[0-9A-Z]{16}"
description: "AWS access key"
entity_type: "AWS_ACCESS_TOKEN"
action: "redact"
redaction_strategy: "replace"
redaction_mode: "logs_only"
sampling_rate: 100
regex provider configuration. See Custom Regex for the full examples, and Guardrail Redaction for redaction mode behavior.Runs entirely in-process with no external dependency. Uses the embedded default Gitleaks rules to detect leaked credentials, API keys, tokens, private keys, and similar secret-shaped values.
bifrost:
guardrails:
providers:
- id: 2
provider_name: "secrets"
policy_name: "block-leaked-credentials"
enabled: true
timeout: 5
config:
ignored_secret_keywords:
- "example"
- "dummy"
- "sample-token"
action: "redact"
redaction_strategy: "replace"
redaction_mode: "logs_only"
ignored_secret_keywords is optional. It suppresses a detection when the matched secret value contains one of the listed substrings. Keep these values narrow so real leaked credentials are not hidden.Calls a Microsoft Presidio Analyzer service for PII detection. Use See Microsoft Presidio for provider setup details.
action: "redact" to apply Bifrost-managed redaction to Presidio findings.bifrost:
guardrails:
providers:
- id: 3
provider_name: "presidio"
policy_name: "presidio-pii-redaction"
enabled: true
timeout: 10
config:
analyzer_url: "https://presidio.company.com"
api_key: "env.PRESIDIO_API_KEY"
language: "en"
score_threshold: 0.75
entities:
- "EMAIL_ADDRESS"
- "PHONE_NUMBER"
- "PERSON"
action: "redact"
redaction_strategy: "replace"
redaction_mode: "runtime_reversible"
Calls Azure AI Language PII Entity Recognition. This is separate from Azure Content Safety and is focused on PII categories.See Azure AI Language PII for authentication modes and category filtering.
bifrost:
guardrails:
providers:
- id: 4
provider_name: "azure-pii"
policy_name: "azure-language-pii-redaction"
enabled: true
timeout: 10
config:
endpoint: "env.AZURE_LANGUAGE_ENDPOINT"
auth_type: "api_key"
api_key: "env.AZURE_LANGUAGE_KEY"
language: "en"
domain: "none"
pii_categories:
- "Email"
- "PhoneNumber"
- "USSocialSecurityNumber"
action: "redact"
redaction_strategy: "replace"
redaction_mode: "runtime_reversible"
logging_opt_out: true
Supports three auth modes:
keys (static credentials), api_key (Bedrock API key), and iam_role (ambient IAM/IRSA - no explicit credentials required).bifrost:
guardrails:
providers:
- id: 2
provider_name: "bedrock"
policy_name: "content-filter"
enabled: true
timeout: 15
config:
# Required fields
guardrail_arn: "env.BEDROCK_GUARDRAIL_ARN"
guardrail_version: "DRAFT" # or a published version number
region: "env.AWS_REGION"
# Auth: keys (default)
auth_type: "keys"
access_key: "env.AWS_ACCESS_KEY_ID"
secret_key: "env.AWS_SECRET_ACCESS_KEY"
session_token: "env.AWS_SESSION_TOKEN" # optional
# Auth: api_key (alternative)
# auth_type: "api_key"
# bedrock_api_key: "env.BEDROCK_API_KEY"
# Auth: iam_role (ambient - no credentials needed)
# auth_type: "iam_role"
# role_arn: "env.AWS_ROLE_ARN" # optional: assume specific role
# external_id: "env.AWS_EXTERNAL_ID" # optional
# session_name: "env.AWS_SESSION_NAME" # optional
sampling_rate: 100
Supports three auth modes:
api_key, default_credential (managed identity / Azure CLI), and entra_id (service principal).bifrost:
guardrails:
providers:
- id: 3
provider_name: "azure"
policy_name: "azure-content-safety"
enabled: true
timeout: 10
config:
# Required field
endpoint: "env.AZURE_CONTENT_SAFETY_ENDPOINT"
# Auth: api_key (default)
auth_type: "api_key"
api_key: "env.AZURE_CONTENT_SAFETY_KEY"
# Auth: default_credential (managed identity / Azure CLI - no credentials needed)
# auth_type: "default_credential"
# Auth: entra_id (service principal)
# auth_type: "entra_id"
# client_id: "env.AZURE_CLIENT_ID"
# client_secret: "env.AZURE_CLIENT_SECRET"
# tenant_id: "env.AZURE_TENANT_ID"
# Feature toggles (plain booleans - no env.* support)
analyze_enabled: true
analyze_severity_threshold: "medium" # low | medium | high (env.* supported)
jailbreak_shield_enabled: true
indirect_attack_shield_enabled: true
copyright_enabled: false
text_blocklist_enabled: false
blocklist_names: []
sampling_rate: 100
Calls Google Cloud Model Armor’s template sanitize endpoints for prompt and response safety checks. Supports
default_credential (Google ADC) and service_account_json authentication.bifrost:
guardrails:
providers:
- id: 4
provider_name: "model-armor"
policy_name: "model-armor-prod"
enabled: true
timeout: 30
config:
# Required fields
project_id: "env.GCP_PROJECT_ID"
location: "env.GCP_LOCATION"
template_id: "env.GMA_TEMPLATE_ID"
# Auth: default_credential (Google ADC)
auth_type: "default_credential"
# Auth: service_account_json (alternative)
# auth_type: "service_account_json"
# service_account_json: "env.GOOGLE_MODEL_ARMOR_SERVICE_ACCOUNT_JSON"
# Optional proxy or custom endpoint. Usually leave unset.
# base_url: "env.GOOGLE_MODEL_ARMOR_BASE_URL"
Calls CrowdStrike AIDR’s
guard_chat_completions endpoint for policy-driven AI threat detection, blocking, and redaction.bifrost:
guardrails:
providers:
- id: 4
provider_name: "crowdstrike-aidr"
policy_name: "crowdstrike-aidr-prod"
enabled: true
timeout: 30
config:
api_key: "env.CS_AIDR_TOKEN"
base_url: "env.CS_AIDR_BASE_URL"
app_id: "bifrost-production"
collector_instance_id: "prod-us-east-1"
base_url is optional and defaults to https://api.crowdstrike.com/aidr/aiguard. Bifrost appends /v1/guard_chat_completions, so the base URL can be the collector base URL rather than the full endpoint URL.bifrost:
guardrails:
providers:
- id: 5
provider_name: "patronus-ai"
policy_name: "patronus-eval"
enabled: true
timeout: 30
config:
api_key: "env.PATRONUS_API_KEY"
base_url: "https://api.patronus.ai" # optional custom endpoint (env.* supported)
evaluators:
- evaluator: "pii"
explain_strategy: "on-fail"
- evaluator: "judge"
criteria: "patronus:is-concise"
explain_strategy: "on-fail"
capture: "none" # none | fails-only | all
bifrost:
guardrails:
providers:
- id: 6
provider_name: "grayswan"
policy_name: "grayswan-jailbreak"
enabled: true
timeout: 15
config:
api_key: "env.GRAYSWAN_API_KEY"
base_url: "env.GRAYSWAN_BASE_URL" # optional custom endpoint (env.* supported)
reasoning_mode: "standard" # standard | fast | off (env.* supported)
# Plain-value fields (no env.* support)
violation_threshold: 0.7 # 0.0–1.0; higher = more permissive
policy_id: "" # optional: single policy ID
policy_ids: [] # optional: multiple policy IDs
rules: {} # optional: inline rule map
sampling_rate: 100
metadata.headers; no extra Helm value is required. Credential-bearing headers such as authorization, x-api-key, API-key variants, cookies, and grayswan-api-key are excluded, while non-sensitive context headers such as x-request-id, traceparent, x-tenant-id, content-type, and content-length are included when present.Environment Variable Support
Any field marked env.* supported below accepts a bare"env.VAR_NAME" string in addition to a literal value. Bifrost resolves the variable from the process environment at startup. Fields marked plain only must be a literal value (boolean, number, array, or string).
AWS Bedrock
| Field | Required | env.* supported | Notes |
|---|---|---|---|
guardrail_arn | Yes | Yes | ARN of the Bedrock guardrail |
guardrail_version | Yes | Yes | "DRAFT" or a published version number |
region | Yes | Yes | AWS region (e.g. "us-east-1") |
auth_type | No | Yes | "keys" (default) | "api_key" | "iam_role" |
access_key | Conditional | Yes | Required when auth_type="keys" |
secret_key | Conditional | Yes | Required when auth_type="keys" |
session_token | No | Yes | Optional temporary session token |
bedrock_api_key | Conditional | Yes | Required when auth_type="api_key" |
role_arn | No | Yes | IAM role ARN to assume (optional, auth_type="iam_role") |
external_id | No | Yes | External ID for role assumption |
session_name | No | Yes | Session name for role assumption |
sampling_rate | No | Plain only | 0–100; percentage of requests to evaluate (default: 100) |
timeout | No | Plain only | Execution timeout in seconds |
Azure Content Safety
| Field | Required | env.* supported | Notes |
|---|---|---|---|
endpoint | Yes | Yes | Azure Content Safety resource URL |
auth_type | No | Yes | "api_key" (default) | "default_credential" | "entra_id" |
api_key | Conditional | Yes | Required when auth_type="api_key" |
client_id | Conditional | Yes | Required when auth_type="entra_id" |
client_secret | Conditional | Yes | Required when auth_type="entra_id" |
tenant_id | Conditional | Yes | Required when auth_type="entra_id" |
analyze_severity_threshold | No | Yes | "low" | "medium" | "high" (default: "medium") |
analyze_enabled | No | Plain only | Enable text analysis (default: true) |
jailbreak_shield_enabled | No | Plain only | Enable jailbreak detection (default: false) |
indirect_attack_shield_enabled | No | Plain only | Enable indirect attack detection (default: false) |
copyright_enabled | No | Plain only | Enable copyright detection (default: false) |
text_blocklist_enabled | No | Plain only | Enable custom blocklists (default: false) |
scopes | No | Plain only | OAuth scopes (string array) |
blocklist_names | No | Plain only | Blocklist names to apply (string array) |
sampling_rate | No | Plain only | 0–100; percentage of requests to evaluate (default: 100) |
timeout | No | Plain only | Execution timeout in seconds |
Microsoft Presidio
| Field | Required | env.* supported | Notes |
|---|---|---|---|
analyzer_url | Yes | Plain only | Presidio Analyzer base URL. Bifrost appends /analyze |
api_key | No | Yes | Optional API key for the Analyzer service |
language | No | Plain only | Language sent to Presidio (default: en) |
score_threshold | No | Plain only | 0-1; minimum score to keep (default: 0.5) |
entities | No | Plain only | Presidio entity types to detect |
action | No | Plain only | detect_only | block | redact (default: detect_only) |
redaction_strategy | No | Plain only | replace | mask | hash (default: replace) |
redaction_mode | No | Plain only | runtime | logs_only | runtime_reversible (default: runtime) |
timeout | No | Plain only | Execution timeout in seconds |
Azure AI Language PII
| Field | Required | env.* supported | Notes |
|---|---|---|---|
endpoint | Yes | Yes | Azure AI Language endpoint |
auth_type | No | Yes | api_key | default_credential | entra_id (default: api_key) |
api_key | Conditional | Yes | Required when auth_type="api_key" |
client_id | Conditional | Yes | Required when auth_type="entra_id" |
client_secret | Conditional | Yes | Required when auth_type="entra_id" |
tenant_id | Conditional | Yes | Required when auth_type="entra_id" |
scopes | No | Plain only | OAuth scopes for token authentication |
api_version | No | Plain only | Azure Language API version (default: 2026-05-01) |
language | No | Plain only | Document language (default: en) |
model_version | No | Plain only | Azure model version (default: latest) |
domain | No | Plain only | none | phi (default: none) |
pii_categories | No | Plain only | Azure PII categories to detect |
action | No | Plain only | detect_only | block | redact (default: detect_only) |
redaction_strategy | No | Plain only | replace | mask | hash (default: replace) |
redaction_mode | No | Plain only | runtime | logs_only | runtime_reversible (default: runtime) |
logging_opt_out | No | Plain only | Requests Azure not to log input text when supported |
string_index_type | No | Plain only | Must be UnicodeCodePoint |
timeout | No | Plain only | Execution timeout in seconds |
Google Model Armor
| Field | Required | env.* supported | Notes |
|---|---|---|---|
project_id | Yes | Yes | Google Cloud project ID that owns the Model Armor template |
location | Yes | Yes | Model Armor template location |
template_id | Yes | Yes | Model Armor template ID |
auth_type | No | Yes | "default_credential" (default) | "service_account_json" |
service_account_json | Conditional | Yes | Required when auth_type="service_account_json"; full service account key JSON or env reference |
base_url | No | Yes | Custom endpoint or proxy. Defaults to the regional Model Armor endpoint for location |
timeout | No | Plain only | Execution timeout in seconds |
CrowdStrike AIDR
| Field | Required | env.* supported | Notes |
|---|---|---|---|
api_key | Yes | Yes | AIDR collector token |
base_url | No | Yes | AIDR base URL. Defaults to https://api.crowdstrike.com/aidr/aiguard |
app_id | No | Plain only | Application or service identifier shown in AIDR logs |
collector_instance_id | No | Plain only | Deployment or collector instance label shown in AIDR logs |
timeout | No | Plain only | Provider execution timeout in seconds |
Patronus AI
| Field | Required | env.* supported | Notes |
|---|---|---|---|
api_key | Yes | Yes | Patronus AI API key |
base_url | No | Yes | Custom Patronus API base URL. Defaults to https://api.patronus.ai |
evaluators | Yes | Plain only | Array of Patronus evaluator objects |
evaluators[].evaluator | Yes | Plain only | Patronus evaluator name, such as pii, toxicity-perspective-api, judge, or a custom evaluator ID |
evaluators[].criteria | No | Plain only | Criteria/profile name for evaluators that require one, such as patronus:is-concise |
evaluators[].explain_strategy | No | Plain only | never | on-fail | on-success | always |
capture | No | Plain only | none | fails-only | all; defaults to none |
timeout | No | Plain only | Provider execution timeout in seconds |
Gray Swan
| Field | Required | env.* supported | Notes |
|---|---|---|---|
api_key | Yes | Yes | Gray Swan API key |
base_url | No | Yes | Custom API base URL (uses Gray Swan default if unset) |
reasoning_mode | No | Yes | "standard" | "fast" | "off" (default: "standard") |
violation_threshold | No | Plain only | 0.0–1.0; higher = more permissive (default: 0.5) |
policy_id | No | Plain only | Single policy ID string |
policy_ids | No | Plain only | Multiple policy IDs (string array) |
rules | No | Plain only | Inline rule map ({ "rule_name": "description" }) |
sampling_rate | No | Plain only | 0–100; percentage of requests to evaluate (default: 100) |
timeout | No | Plain only | Execution timeout in seconds |
Regex
| Field | Required | env.* supported | Notes |
|---|---|---|---|
patterns | Yes | Plain only | Array of { pattern, description?, entity_type?, flags?, action?, redaction_strategy?, redaction_mode? } objects |
patterns[].action | No | Plain only | detect_only | block | redact (default: block) |
patterns[].redaction_strategy | No | Plain only | replace | mask | hash (default: replace) |
patterns[].redaction_mode | No | Plain only | runtime | logs_only | runtime_reversible (default: runtime) |
sampling_rate | No | Plain only | 0–100; percentage of requests to evaluate (default: 100) |
Secrets
| Field | Required | env.* supported | Notes |
|---|---|---|---|
ignored_secret_keywords | No | Plain only | String array of substrings used to suppress known false-positive secret matches |
action | No | Plain only | detect_only | block | redact (default: block) |
redaction_strategy | No | Plain only | replace | mask | hash (default: replace) |
redaction_mode | No | Plain only | runtime | logs_only | runtime_reversible (default: runtime) |
Rules
Rules are CEL expressions that fire when their condition is met. Available CEL variables:| Variable | Type | Description |
|---|---|---|
model | string | Model name from the request |
provider | string | Provider name (e.g. "openai") |
headers | map<string,string> | HTTP request headers |
params | map<string,string> | Query parameters |
customer | string | Customer ID |
team | string | Team ID |
user | string | User ID |
| Field | Required | Description |
|---|---|---|
id | Yes | Unique integer ID |
name | Yes | Human-readable name |
description | No | Optional description |
enabled | Yes | true to activate |
cel_expression | Yes | CEL boolean expression; "true" matches all requests |
apply_to | Yes | "input", "output", or "both" |
sampling_rate | No | 0–100; percentage of requests to check (default: 100) |
timeout | No | Rule timeout in seconds |
provider_config_ids | No | Provider ids to invoke when this rule matches |
bifrost:
guardrails:
rules:
- id: 101
name: "block-secrets-input"
description: "Block prompts containing API keys"
enabled: true
cel_expression: "true"
apply_to: "input"
sampling_rate: 100
timeout: 10
provider_config_ids: [1]
- id: 102
name: "azure-output-gpt4o"
description: "Scan GPT-4o responses"
enabled: true
cel_expression: "model == 'gpt-4o'"
apply_to: "output"
sampling_rate: 100
timeout: 15
provider_config_ids: [3]
- id: 103
name: "grayswan-openai-input"
enabled: true
cel_expression: "provider == 'openai'"
apply_to: "input"
sampling_rate: 50
timeout: 20
provider_config_ids: [5]
- id: 104
name: "strict-team-check"
enabled: true
cel_expression: "team == 'team-platform'"
apply_to: "both"
sampling_rate: 100
timeout: 30
provider_config_ids: [1, 3] # multiple providers run in parallel
Full example
# guardrails-values.yaml
image:
tag: "latest"
bifrost:
encryptionKeySecret:
name: "bifrost-encryption"
key: "encryption-key"
guardrails:
providers:
- id: 1
provider_name: "regex"
policy_name: "block-secrets"
enabled: true
timeout: 5
config:
patterns:
- pattern: "sk-[A-Za-z0-9]{20,}"
description: "OpenAI API key"
- pattern: "AKIA[0-9A-Z]{16}"
description: "AWS access key"
- pattern: "gh[ps]_[A-Za-z0-9]{36}"
description: "GitHub token"
- id: 2
provider_name: "azure"
policy_name: "content-safety"
enabled: true
timeout: 10
config:
endpoint: "env.AZURE_CONTENT_SAFETY_ENDPOINT"
api_key: "env.AZURE_CONTENT_SAFETY_KEY"
analyze_enabled: true
analyze_severity_threshold: "medium"
jailbreak_shield_enabled: true
indirect_attack_shield_enabled: false
copyright_enabled: false
text_blocklist_enabled: false
rules:
- id: 101
name: "block-secrets-input"
description: "Block prompts leaking credentials"
enabled: true
cel_expression: "true"
apply_to: "input"
sampling_rate: 100
timeout: 10
provider_config_ids: [1]
- id: 102
name: "content-safety-both"
description: "Azure content safety on input and output"
enabled: true
cel_expression: "true"
apply_to: "both"
sampling_rate: 100
timeout: 15
provider_config_ids: [2]
helm install bifrost bifrost/bifrost -f guardrails-values.yaml

