Author | Sander Stad (@sqlstad, sqlstad.nl) |
Availability | Windows, Linux, macOS |
Returns any columns that could potentially contain PII (Personally Identifiable Information).
This command goes through the tables in your database and assesses each column.
It first checks whether the column name indicates PII.
It then applies pattern recognition to the data in the table.
Custom scan definitions can be specified using the formats seen in
Invoke-DbaDbPiiScan
[[-SqlInstance] <DbaInstanceParameter[]>]
[[-SqlCredential] <PSCredential>]
[[-Database] <String[]>]
[[-Table] <String[]>]
[[-Column] <String[]>]
[[-Country] <String[]>]
[[-CountryCode] <String[]>]
[[-ExcludeTable] <String[]>]
[[-ExcludeColumn] <String[]>]
[[-SampleCount] <Int32>]
[[-KnownNameFilePath] <String>]
[[-PatternFilePath] <String>]
[-ExcludeDefaultKnownName]
[-ExcludeDefaultPattern]
[-EnableException]
[<CommonParameters>]
PS > Invoke-DbaDbPiiScan -SqlInstance sql1 -Database db1
Scan the database db1 on instance sql1
PS > Invoke-DbaDbPiiScan -SqlInstance sql1, sql2 -Database db1, db2
Scan multiple databases on multiple instances
PS > Invoke-DbaDbPiiScan -SqlInstance sql1 -Database db2 -ExcludeColumn firstname
Scan database db2 but exclude the column firstname
PS > Invoke-DbaDbPiiScan -SqlInstance sql1 -Database db2 -CountryCode US
Scan database db2 but only apply data patterns used for the United States
PS > Invoke-DbaDbPiiScan -SqlInstance sql1 -Database db1 -PatternFilePath c:\pii\patterns.json
Scans db1 on instance sql1 with additional custom patterns
PS > Invoke-DbaDbPiiScan -SqlInstance sql1 -Database db1 -PatternFilePath c:\pii\patterns.json -ExcludeDefaultPattern
Scans db1 on instance sql1 with additional custom patterns, excluding the default patterns
-SqlInstance
The target SQL Server instance or instances.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-SqlCredential
Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory - Integrated are all supported.
For MFA support, please use Connect-DbaInstance.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-Database
Specifies the databases to scan for potential PII data. Required parameter - at least one database must be specified.
Use this to target specific databases rather than scanning entire SQL Server instances.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-Table
Limits the scan to specific tables within the target databases. Accepts multiple table names.
Use this when you need to focus PII scanning on known tables containing sensitive data rather than scanning all tables.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-Column
Restricts the scan to specific columns within the target tables. Accepts multiple column names.
Use this when you want to validate specific columns suspected of containing PII or to recheck previously identified columns.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-Country
Filters PII pattern matching to specific countries using full country names (e.g., "United States", "Canada").
Use this when your data contains region-specific formats like phone numbers or postal codes that should only match certain countries.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-CountryCode
Filters PII pattern matching to specific countries using ISO country codes (e.g., "US", "CA", "GB").
Use this for more precise regional filtering when you know the specific country codes for your data regions.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-ExcludeTable
Prevents scanning of specified tables even if they would otherwise be included in the scan scope.
Use this to skip known system tables, staging tables, or tables confirmed to not contain PII data.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-ExcludeColumn
Prevents scanning of specified columns even if they would otherwise be included in the scan scope.
Use this to skip columns like timestamps, IDs, or other fields confirmed to not contain PII data.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-SampleCount
Sets the number of data rows to examine per column for pattern matching. Default is 100 rows.
Increase this value for more thorough scanning of large tables, or decrease it to speed up scans of tables with consistent data patterns.
Alias | |
Required | False |
Pipeline | false |
Default Value | 100 |
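The following is an added illustration, not dbatools code: a simplified model of the two checks from the description (column name first, then data patterns on a sample) that shows why -SampleCount matters. The patterns, column names and rows are constructed for this example, and the model assumes the sample is the first N values, which this page does not state.

```powershell
# Simplified model of the two checks; NOT the dbatools implementation.
# Name patterns, data patterns and all rows below are constructed for illustration.
$namePatterns = [ordered]@{ Email = 'e-?mail'; Phone = 'phone|mobile' }
$dataPatterns = [ordered]@{
    Email    = '^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$'
    'US SSN' = '^\d{3}-\d{2}-\d{4}$'
}

function Test-ColumnForPii {
    param([string]$ColumnName, [object[]]$Values, [int]$SampleCount = 100)

    # Check 1: does the column name itself suggest PII?
    foreach ($entry in $namePatterns.GetEnumerator()) {
        if ($ColumnName -match $entry.Value) {
            return [pscustomobject]@{ Column = $ColumnName; FoundBy = 'Name'; Type = $entry.Key }
        }
    }
    # Check 2: pattern recognition, but only over the sampled values
    # (assumption: the first $SampleCount values).
    $sample = $Values | Select-Object -First $SampleCount
    foreach ($entry in $dataPatterns.GetEnumerator()) {
        $hits = @($sample | Where-Object { "$_" -match $entry.Value })
        if ($hits.Count -gt 0) {
            return [pscustomobject]@{ Column = $ColumnName; FoundBy = 'Data'; Type = $entry.Key }
        }
    }
}

# Constructed 200-row table. The free-text column holds one SSN-shaped value, in row 150.
$columns = [ordered]@{
    contact_email = 1..200 | ForEach-Object { "user$_@example.com" }
    ref           = 1..200 | ForEach-Object { "ref$_@example.org" }
    notes         = 1..200 | ForEach-Object { if ($_ -eq 150) { '123-45-6789' } else { "ticket $_ closed" } }
}

foreach ($size in 100, 200) {
    "SampleCount = $size"
    foreach ($c in $columns.GetEnumerator()) {
        Test-ColumnForPii -ColumnName $c.Key -Values $c.Value -SampleCount $size
    }
}
```

In this model, contact_email is found by name and ref by data at either sample size, while notes is reported only at 200 because the single matching value lies outside the first 100 rows.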
-KnownNameFilePath
Specifies a JSON file path containing custom column name patterns that indicate PII data.
Use this to add organization-specific column naming conventions that should be flagged as potential PII beyond the default patterns.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-PatternFilePath
Specifies a JSON file path containing custom regex patterns for identifying PII data within column values.
Use this to add custom data patterns specific to your organization or industry that aren't covered by the default patterns.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-ExcludeDefaultKnownName
Disables the built-in column name patterns for PII detection, using only custom patterns if provided.
Use this when the default column name patterns generate too many false positives for your specific database schema conventions.
Alias | |
Required | False |
Pipeline | false |
Default Value | False |
-ExcludeDefaultPattern
Disables the built-in data value patterns for PII detection, using only custom patterns if provided.
Use this when the default data patterns don't match your data formats or generate excessive false positives.
Alias | |
Required | False |
Pipeline | false |
Default Value | False |
-EnableException
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.
Alias | |
Required | False |
Pipeline | false |
Default Value | False |
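An added example, not part of the dbatools documentation: a scheduled scan across several databases that uses -EnableException with try/catch, so a scan that failed is recorded as a failure and cannot be mistaken for a scan that found nothing. The instance name, database names and report folder are placeholders.

```powershell
# Added example. 'sql1', the database names and the report folder are placeholders.
$instance  = 'sql1'
$databases = 'db1', 'db2'
$reportDir = Join-Path ([System.IO.Path]::GetTempPath()) 'pii-scan'
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null

$failures = [System.Collections.Generic.List[object]]::new()

foreach ($db in $databases) {
    try {
        # -EnableException turns the friendly warning into a terminating error,
        # so a failed scan lands in the catch block instead of passing silently.
        $findings = Invoke-DbaDbPiiScan -SqlInstance $instance -Database $db -SampleCount 500 -EnableException

        if ($findings) {
            $csv = Join-Path $reportDir "$db.csv"
            $findings | Export-Csv -Path $csv -NoTypeInformation
            Write-Host "$db : $(@($findings).Count) candidate column(s) written to $csv"
        }
        else {
            Write-Host "$db : no candidate columns found"
        }
    }
    catch {
        # Keep going with the remaining databases, but remember what failed.
        $failures.Add([pscustomobject]@{ Database = $db; Error = $_.Exception.Message })
    }
}

if ($failures.Count -gt 0) {
    $failures | Format-Table -AutoSize
    throw "PII scan failed for $($failures.Count) database(s)."
}
```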