# Guardrails

> Configure guardrails providers and rules in Bifrost Helm deployments

<Note>
  Guardrails are an **enterprise-only** feature. They require the enterprise Bifrost image.
</Note>

<Note>
  Credential and endpoint fields in guardrail provider `config` blocks support `env.*` references (e.g. `env.AWS_SECRET_ACCESS_KEY`). Bifrost resolves the value from the process environment at startup. See the [Environment Variable Support](#environment-variable-support) section for the complete per-provider field list.
</Note>

Guardrails are configured under `bifrost.guardrails` in your values file. The configuration has two parts:

* **`providers`** - the backends that perform the checks. Rules link to providers by `id`.
* **`rules`** - CEL expressions that control when and where providers are invoked.

***

## Providers

<Tabs>
  <Tab title="Regex">
    Runs entirely in-process with no external dependency. Patterns use RE2 syntax. Supports optional per-pattern flags: `i` (case-insensitive), `m` (multiline), `s` (dot-all).

    ```yaml
    bifrost:
      guardrails:
        providers:
          - id: 1
            provider_name: "regex"
            policy_name: "block-secrets"
            enabled: true
            timeout: 5
            config:
              patterns:
                - pattern: "sk-[A-Za-z0-9]{20,}"
                  description: "OpenAI API key"
                - pattern: "AKIA[0-9A-Z]{16}"
                  description: "AWS access key"
                  flags: "i"
                - pattern: "gh[ps]_[A-Za-z0-9]{36}"
                  description: "GitHub token"
              sampling_rate: 100
    ```

    The Web UI's PII Detection template is also a `regex` provider configuration. See [Custom Regex](/enterprise/guardrails/custom-regex) for the full `config.json` and Helm examples.
  </Tab>

  <Tab title="Secrets">
    Runs entirely in-process with no external dependency. Uses the embedded default Gitleaks rules to detect leaked credentials, API keys, tokens, private keys, and similar secret-shaped values.

    ```yaml
    bifrost:
      guardrails:
        providers:
          - id: 2
            provider_name: "secrets"
            policy_name: "block-leaked-credentials"
            enabled: true
            timeout: 5
            config:
              ignored_secret_keywords:
                - "example"
                - "dummy"
                - "sample-token"
    ```

    `ignored_secret_keywords` is optional. It suppresses a detection when the matched secret value contains one of the listed substrings. Keep these values narrow so real leaked credentials are not hidden.
  </Tab>

  <Tab title="AWS Bedrock">
    Supports three auth modes: `keys` (static credentials), `api_key` (Bedrock API key), and `iam_role` (ambient IAM/IRSA - no explicit credentials required).

    ```yaml
    bifrost:
      guardrails:
        providers:
          - id: 2
            provider_name: "bedrock"
            policy_name: "content-filter"
            enabled: true
            timeout: 15
            config:
              # Required fields
              guardrail_arn: "env.BEDROCK_GUARDRAIL_ARN"
              guardrail_version: "DRAFT"           # or a published version number
              region: "env.AWS_REGION"

              # Auth: keys (default)
              auth_type: "keys"
              access_key: "env.AWS_ACCESS_KEY_ID"
              secret_key: "env.AWS_SECRET_ACCESS_KEY"
              session_token: "env.AWS_SESSION_TOKEN"  # optional

              # Auth: api_key (alternative)
              # auth_type: "api_key"
              # bedrock_api_key: "env.BEDROCK_API_KEY"

              # Auth: iam_role (ambient - no credentials needed)
              # auth_type: "iam_role"
              # role_arn: "env.AWS_ROLE_ARN"          # optional: assume specific role
              # external_id: "env.AWS_EXTERNAL_ID"    # optional
              # session_name: "env.AWS_SESSION_NAME"  # optional

              sampling_rate: 100
    ```
  </Tab>

  <Tab title="Azure Content Safety">
    Supports three auth modes: `api_key`, `default_credential` (managed identity / Azure CLI), and `entra_id` (service principal).

    ```yaml
    bifrost:
      guardrails:
        providers:
          - id: 3
            provider_name: "azure"
            policy_name: "azure-content-safety"
            enabled: true
            timeout: 10
            config:
              # Required field
              endpoint: "env.AZURE_CONTENT_SAFETY_ENDPOINT"

              # Auth: api_key (default)
              auth_type: "api_key"
              api_key: "env.AZURE_CONTENT_SAFETY_KEY"

              # Auth: default_credential (managed identity / Azure CLI - no credentials needed)
              # auth_type: "default_credential"

              # Auth: entra_id (service principal)
              # auth_type: "entra_id"
              # client_id: "env.AZURE_CLIENT_ID"
              # client_secret: "env.AZURE_CLIENT_SECRET"
              # tenant_id: "env.AZURE_TENANT_ID"

              # Feature toggles (plain booleans - no env.* support)
              analyze_enabled: true
              analyze_severity_threshold: "medium"   # low | medium | high  (env.* supported)
              jailbreak_shield_enabled: true
              indirect_attack_shield_enabled: true
              copyright_enabled: false
              text_blocklist_enabled: false
              blocklist_names: []
              sampling_rate: 100
    ```
  </Tab>

  <Tab title="Patronus AI">
    ```yaml
    bifrost:
      guardrails:
        providers:
          - id: 4
            provider_name: "patronus-ai"
            policy_name: "patronus-eval"
            enabled: true
            timeout: 30
            config:
              api_key: "env.PATRONUS_API_KEY"
              environment: "production"              # production | development  (env.* supported)
              sampling_rate: 100
    ```
  </Tab>

  <Tab title="Gray Swan">
    ```yaml
    bifrost:
      guardrails:
        providers:
          - id: 5
            provider_name: "grayswan"
            policy_name: "grayswan-jailbreak"
            enabled: true
            timeout: 15
            config:
              api_key: "env.GRAYSWAN_API_KEY"
              base_url: "env.GRAYSWAN_BASE_URL"     # optional custom endpoint  (env.* supported)
              reasoning_mode: "standard"             # standard | fast | off  (env.* supported)

              # Plain-value fields (no env.* support)
              violation_threshold: 0.7              # 0.0–1.0; higher = more permissive
              policy_id: ""                          # optional: single policy ID
              policy_ids: []                         # optional: multiple policy IDs
              rules: {}                              # optional: inline rule map
              sampling_rate: 100
    ```
  </Tab>
</Tabs>

***

## Environment Variable Support

Any field marked **env.\* supported** below accepts a bare `"env.VAR_NAME"` string in addition to a literal value. Bifrost resolves the variable from the process environment at startup. Fields marked **plain only** must be a literal value (boolean, number, array, or string).

### AWS Bedrock

| Field               | Required    | env.\* supported | Notes                                                          |
| ------------------- | ----------- | ---------------- | -------------------------------------------------------------- |
| `guardrail_arn`     | Yes         | Yes              | ARN of the Bedrock guardrail                                   |
| `guardrail_version` | Yes         | Yes              | `"DRAFT"` or a published version number                        |
| `region`            | Yes         | Yes              | AWS region (e.g. `"us-east-1"`)                                |
| `auth_type`         | No          | Yes              | `"keys"` (default) \| `"api_key"` \| `"iam_role"`              |
| `access_key`        | Conditional | Yes              | Required when `auth_type="keys"`                               |
| `secret_key`        | Conditional | Yes              | Required when `auth_type="keys"`                               |
| `session_token`     | No          | Yes              | Optional temporary session token                               |
| `bedrock_api_key`   | Conditional | Yes              | Required when `auth_type="api_key"`                            |
| `role_arn`          | No          | Yes              | IAM role ARN to assume (optional, `auth_type="iam_role"`)      |
| `external_id`       | No          | Yes              | External ID for role assumption                                |
| `session_name`      | No          | Yes              | Session name for role assumption                               |
| `sampling_rate`     | No          | **Plain only**   | `0`–`100`; percentage of requests to evaluate (default: `100`) |
| `timeout`           | No          | **Plain only**   | Execution timeout in seconds                                   |

### Azure Content Safety

| Field                            | Required    | env.\* supported | Notes                                                           |
| -------------------------------- | ----------- | ---------------- | --------------------------------------------------------------- |
| `endpoint`                       | Yes         | Yes              | Azure Content Safety resource URL                               |
| `auth_type`                      | No          | Yes              | `"api_key"` (default) \| `"default_credential"` \| `"entra_id"` |
| `api_key`                        | Conditional | Yes              | Required when `auth_type="api_key"`                             |
| `client_id`                      | Conditional | Yes              | Required when `auth_type="entra_id"`                            |
| `client_secret`                  | Conditional | Yes              | Required when `auth_type="entra_id"`                            |
| `tenant_id`                      | Conditional | Yes              | Required when `auth_type="entra_id"`                            |
| `analyze_severity_threshold`     | No          | Yes              | `"low"` \| `"medium"` \| `"high"` (default: `"medium"`)         |
| `analyze_enabled`                | No          | **Plain only**   | Enable text analysis (default: `true`)                          |
| `jailbreak_shield_enabled`       | No          | **Plain only**   | Enable jailbreak detection (default: `false`)                   |
| `indirect_attack_shield_enabled` | No          | **Plain only**   | Enable indirect attack detection (default: `false`)             |
| `copyright_enabled`              | No          | **Plain only**   | Enable copyright detection (default: `false`)                   |
| `text_blocklist_enabled`         | No          | **Plain only**   | Enable custom blocklists (default: `false`)                     |
| `scopes`                         | No          | **Plain only**   | OAuth scopes (string array)                                     |
| `blocklist_names`                | No          | **Plain only**   | Blocklist names to apply (string array)                         |
| `sampling_rate`                  | No          | **Plain only**   | `0`–`100`; percentage of requests to evaluate (default: `100`)  |
| `timeout`                        | No          | **Plain only**   | Execution timeout in seconds                                    |

### Patronus AI

| Field           | Required | env.\* supported | Notes                                                          |
| --------------- | -------- | ---------------- | -------------------------------------------------------------- |
| `api_key`       | Yes      | Yes              | Patronus AI API key                                            |
| `environment`   | No       | Yes              | `"production"` (default) \| `"development"`                    |
| `sampling_rate` | No       | **Plain only**   | `0`–`100`; percentage of requests to evaluate (default: `100`) |
| `timeout`       | No       | **Plain only**   | Execution timeout in seconds                                   |

### Gray Swan

| Field                 | Required | env.\* supported | Notes                                                          |
| --------------------- | -------- | ---------------- | -------------------------------------------------------------- |
| `api_key`             | Yes      | Yes              | Gray Swan API key                                              |
| `base_url`            | No       | Yes              | Custom API base URL (uses Gray Swan default if unset)          |
| `reasoning_mode`      | No       | Yes              | `"standard"` \| `"fast"` \| `"off"` (default: `"standard"`)    |
| `violation_threshold` | No       | **Plain only**   | `0.0`–`1.0`; higher = more permissive (default: `0.5`)         |
| `policy_id`           | No       | **Plain only**   | Single policy ID string                                        |
| `policy_ids`          | No       | **Plain only**   | Multiple policy IDs (string array)                             |
| `rules`               | No       | **Plain only**   | Inline rule map (`{ "rule_name": "description" }`)             |
| `sampling_rate`       | No       | **Plain only**   | `0`–`100`; percentage of requests to evaluate (default: `100`) |
| `timeout`             | No       | **Plain only**   | Execution timeout in seconds                                   |

### Regex

| Field           | Required | env.\* supported | Notes                                                          |
| --------------- | -------- | ---------------- | -------------------------------------------------------------- |
| `patterns`      | Yes      | **Plain only**   | Array of `{ pattern, description?, flags? }` objects           |
| `sampling_rate` | No       | **Plain only**   | `0`–`100`; percentage of requests to evaluate (default: `100`) |
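
A local coverage check for the `regex` provider's patterns, as an added example that is not Bifrost's own code. Go's `regexp` package implements RE2 syntax; turning `flags` into an inline group such as `(?i)` is an assumption made here to reproduce the flag locally, and the `Pattern`, `compile` and `Matches` names and all sample strings are constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// Pattern mirrors one entry of config.patterns (pattern, description, flags).
type Pattern struct{ Expr, Description, Flags string }

// pagePatterns is copied from the regex provider example on this page.
var pagePatterns = []Pattern{
	{"sk-[A-Za-z0-9]{20,}", "OpenAI API key", ""},
	{"AKIA[0-9A-Z]{16}", "AWS access key", "i"},
	{"gh[ps]_[A-Za-z0-9]{36}", "GitHub token", ""},
}

// compile applies the flags as an RE2 inline group, e.g. "i" becomes (?i).
// Assumption: this reproduces the flags locally; it is not Bifrost's code.
func compile(p Pattern) (*regexp.Regexp, error) {
	for _, f := range p.Flags {
		if f != 'i' && f != 'm' && f != 's' {
			return nil, fmt.Errorf("%s: unsupported flag %q", p.Description, f)
		}
	}
	expr := p.Expr
	if p.Flags != "" {
		expr = "(?" + p.Flags + ")" + expr
	}
	return regexp.Compile(expr)
}

// Matches returns the description of every pattern that matches text.
func Matches(patterns []Pattern, text string) ([]string, error) {
	var hits []string
	for _, p := range patterns {
		re, err := compile(p)
		if err != nil {
			return nil, err
		}
		if re.MatchString(text) {
			hits = append(hits, p.Description)
		}
	}
	return hits, nil
}

func main() {
	// Constructed sample prompts; none of these values is a real credential.
	samples := []string{
		"my key is sk-" + "AbCdEfGhIjKlMnOpQrStUvWx", // 24 characters after sk-
		"aws id akiaabcdefghijklmnop",                // lowercase, caught by flag i
		"token gho_" + "0123456789abcdefghijklmnopqrstuvwxyz", // prefix outside gh[ps]_
	}
	for _, s := range samples {
		hits, err := Matches(pagePatterns, s)
		fmt.Printf("%q -> %v (err=%v)\n", s, hits, err)
	}
}
```

The third sample produces no hit because the pattern only covers the `ghp_` and `ghs_` prefixes; running the set over known-good and known-bad strings before deployment shows gaps like this.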

### Secrets

| Field                     | Required | env.\* supported | Notes                                                                           |
| ------------------------- | -------- | ---------------- | ------------------------------------------------------------------------------- |
| `ignored_secret_keywords` | No       | **Plain only**   | String array of substrings used to suppress known false-positive secret matches |
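
A pre-deploy check built from the field tables above, added here and not part of Bifrost: it reports `env.*` references placed in plain-only fields and references to variables missing from the environment. The `CheckEnvRefs` helper, the `JAILBREAK_SHIELD` variable and the sample block are hypothetical; the plain-only list is copied from the Azure Content Safety table.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strings"
)

// azurePlainOnly lists the Azure Content Safety fields the page marks "Plain only".
var azurePlainOnly = map[string]bool{
	"analyze_enabled": true, "jailbreak_shield_enabled": true,
	"indirect_attack_shield_enabled": true, "copyright_enabled": true,
	"text_blocklist_enabled": true, "scopes": true, "blocklist_names": true,
	"sampling_rate": true, "timeout": true,
}

// CheckEnvRefs reports env.* references placed in plain-only fields and
// references to variables that lookup cannot resolve (unset or empty).
func CheckEnvRefs(cfg map[string]interface{}, plainOnly map[string]bool,
	lookup func(string) (string, bool)) []string {
	keys := make([]string, 0, len(cfg))
	for k := range cfg {
		keys = append(keys, k)
	}
	sort.Strings(keys) // stable output order
	var out []string
	for _, k := range keys {
		s, isString := cfg[k].(string)
		if !isString || !strings.HasPrefix(s, "env.") {
			continue // literal value, nothing to resolve
		}
		name := strings.TrimPrefix(s, "env.")
		if plainOnly[k] {
			out = append(out, fmt.Sprintf("%s: plain-only field holds %q", k, s))
		} else if v, ok := lookup(name); !ok || v == "" {
			out = append(out, fmt.Sprintf("%s: %s is unset or empty", k, name))
		}
	}
	return out
}

func main() {
	// Constructed config block modelled on the page's Azure example, with one
	// plain-only field wrongly given an env.* reference.
	cfg := map[string]interface{}{
		"endpoint":                 "env.AZURE_CONTENT_SAFETY_ENDPOINT",
		"api_key":                  "env.AZURE_CONTENT_SAFETY_KEY",
		"analyze_enabled":          true,
		"jailbreak_shield_enabled": "env.JAILBREAK_SHIELD", // hypothetical variable
		"blocklist_names":          []string{},
	}
	for _, f := range CheckEnvRefs(cfg, azurePlainOnly, os.LookupEnv) {
		fmt.Println(f)
	}
}
```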

***

## Rules

Rules are CEL expressions that fire when their condition is met. Available CEL variables:

| Variable   | Type                 | Description                     |
| ---------- | -------------------- | ------------------------------- |
| `model`    | `string`             | Model name from the request     |
| `provider` | `string`             | Provider name (e.g. `"openai"`) |
| `headers`  | `map<string,string>` | HTTP request headers            |
| `params`   | `map<string,string>` | Query parameters                |
| `customer` | `string`             | Customer ID                     |
| `team`     | `string`             | Team ID                         |
| `user`     | `string`             | User ID                         |

Rule fields:

| Field                 | Required | Description                                               |
| --------------------- | -------- | --------------------------------------------------------- |
| `id`                  | Yes      | Unique integer ID                                         |
| `name`                | Yes      | Human-readable name                                       |
| `description`         | No       | Optional description                                      |
| `enabled`             | Yes      | `true` to activate                                        |
| `cel_expression`      | Yes      | CEL boolean expression; `"true"` matches all requests     |
| `apply_to`            | Yes      | `"input"`, `"output"`, or `"both"`                        |
| `sampling_rate`       | No       | `0`–`100`; percentage of requests to check (default: 100) |
| `timeout`             | No       | Rule timeout in seconds                                   |
| `provider_config_ids` | No       | Provider `id`s to invoke when this rule matches           |

```yaml
bifrost:
  guardrails:
    rules:
      - id: 101
        name: "block-secrets-input"
        description: "Block prompts containing API keys"
        enabled: true
        cel_expression: "true"
        apply_to: "input"
        sampling_rate: 100
        timeout: 10
        provider_config_ids: [1]

      - id: 102
        name: "azure-output-gpt4o"
        description: "Scan GPT-4o responses"
        enabled: true
        cel_expression: "model == 'gpt-4o'"
        apply_to: "output"
        sampling_rate: 100
        timeout: 15
        provider_config_ids: [3]

      - id: 103
        name: "grayswan-openai-input"
        enabled: true
        cel_expression: "provider == 'openai'"
        apply_to: "input"
        sampling_rate: 50
        timeout: 20
        provider_config_ids: [5]

      - id: 104
        name: "strict-team-check"
        enabled: true
        cel_expression: "team == 'team-platform'"
        apply_to: "both"
        sampling_rate: 100
        timeout: 30
        provider_config_ids: [1, 3]   # multiple providers run in parallel
```
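
Because rules reach providers only through `provider_config_ids`, a reused or mistyped `id` is worth catching before `helm install`. The linter below is an added example, not Bifrost code; its `Provider`, `Rule` and `Lint` names and the sample values are constructed for illustration.

```go
package main

import "fmt"

// Provider and Rule carry only the bifrost.guardrails fields the checks read.
type Provider struct {
	ID      int
	Enabled bool
}

type Rule struct {
	ID, SamplingRate int
	ApplyTo          string
	ProviderIDs      []int // provider_config_ids
}

// Lint returns one finding per broken rule-to-provider link or invalid value.
func Lint(providers []Provider, rules []Rule) []string {
	var out []string
	byID := map[int]Provider{}
	for _, p := range providers {
		if _, dup := byID[p.ID]; dup {
			out = append(out, fmt.Sprintf("provider id %d defined more than once", p.ID))
		}
		byID[p.ID] = p
	}
	for _, r := range rules {
		if r.ApplyTo != "input" && r.ApplyTo != "output" && r.ApplyTo != "both" {
			out = append(out, fmt.Sprintf("rule %d: invalid apply_to %q", r.ID, r.ApplyTo))
		}
		if r.SamplingRate < 0 || r.SamplingRate > 100 {
			out = append(out, fmt.Sprintf("rule %d: sampling_rate %d outside 0-100", r.ID, r.SamplingRate))
		} else if r.SamplingRate < 100 {
			out = append(out, fmt.Sprintf("rule %d: only %d%% of requests are checked", r.ID, r.SamplingRate))
		}
		for _, id := range r.ProviderIDs {
			if p, ok := byID[id]; !ok {
				out = append(out, fmt.Sprintf("rule %d: provider id %d is not defined", r.ID, id))
			} else if !p.Enabled {
				out = append(out, fmt.Sprintf("rule %d: provider id %d is disabled", r.ID, id))
			}
		}
	}
	return out
}

func main() {
	// Constructed values; id 2 is reused, as when the Secrets and AWS Bedrock snippets are merged.
	providers := []Provider{{1, true}, {2, true}, {2, true}, {3, false}}
	rules := []Rule{
		{ID: 101, SamplingRate: 100, ApplyTo: "input", ProviderIDs: []int{1}},
		{ID: 103, SamplingRate: 50, ApplyTo: "input", ProviderIDs: []int{5}},
		{ID: 104, SamplingRate: 100, ApplyTo: "response", ProviderIDs: []int{3}},
	}
	for _, f := range Lint(providers, rules) {
		fmt.Println(f)
	}
}
```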

***

## Full example

```yaml
# guardrails-values.yaml
image:
  tag: "latest"

bifrost:
  encryptionKeySecret:
    name: "bifrost-encryption"
    key: "encryption-key"

  guardrails:
    providers:
      - id: 1
        provider_name: "regex"
        policy_name: "block-secrets"
        enabled: true
        timeout: 5
        config:
          patterns:
            - pattern: "sk-[A-Za-z0-9]{20,}"
              description: "OpenAI API key"
            - pattern: "AKIA[0-9A-Z]{16}"
              description: "AWS access key"
            - pattern: "gh[ps]_[A-Za-z0-9]{36}"
              description: "GitHub token"

      - id: 2
        provider_name: "azure"
        policy_name: "content-safety"
        enabled: true
        timeout: 10
        config:
          endpoint: "env.AZURE_CONTENT_SAFETY_ENDPOINT"
          api_key: "env.AZURE_CONTENT_SAFETY_KEY"
          analyze_enabled: true
          analyze_severity_threshold: "medium"
          jailbreak_shield_enabled: true
          indirect_attack_shield_enabled: false
          copyright_enabled: false
          text_blocklist_enabled: false

    rules:
      - id: 101
        name: "block-secrets-input"
        description: "Block prompts leaking credentials"
        enabled: true
        cel_expression: "true"
        apply_to: "input"
        sampling_rate: 100
        timeout: 10
        provider_config_ids: [1]

      - id: 102
        name: "content-safety-both"
        description: "Azure content safety on input and output"
        enabled: true
        cel_expression: "true"
        apply_to: "both"
        sampling_rate: 100
        timeout: 15
        provider_config_ids: [2]
```

```bash
helm install bifrost bifrost/bifrost -f guardrails-values.yaml
```
