Overview
BanSubstrings is an output scanner that detects and optionally redacts banned substrings from LLM responses, including a built-in set of jailbreak indicator strings.
Description
The BanSubstrings output scanner is a thin wrapper around the corresponding input scanner InputBanSubstrings. It scans LLM outputs for the presence of specified substrings and flags or redacts them. The scanner supports multiple matching modes through the MatchType enum: exact string matching (STR), word-boundary matching, and regex-based matching. It also exports OUTPUT_STOP_SUBSTRINGS, a pre-defined list of jailbreak indicator substrings commonly found in compromised LLM outputs. The contains_all parameter determines whether all substrings must be present (logical AND) or any single match is sufficient (logical OR) to trigger detection. When redact is enabled, matched substrings are removed from the output text.
Usage
Use this scanner to block specific words, phrases, or patterns from appearing in LLM outputs. Common use cases include filtering profanity, blocking proprietary terms, detecting jailbreak indicators using the built-in OUTPUT_STOP_SUBSTRINGS, and enforcing content policies. The regex matching mode is particularly useful for complex pattern detection.
Code Reference
Source Location
Signature
class BanSubstrings(Scanner):
def __init__(
self,
substrings: list[str],
*,
match_type: MatchType | str = MatchType.STR,
case_sensitive: bool = False,
redact: bool = False,
contains_all: bool = False,
) -> None: ...
def scan(self, prompt: str, output: str) -> tuple[str, bool, float]: ...
Import
from llm_guard.output_scanners import BanSubstrings
I/O Contract
Inputs
| Name |
Type |
Required |
Description
|
| prompt |
str |
Yes |
The input prompt
|
| output |
str |
Yes |
The LLM output to scan for banned substrings
|
Constructor Parameters
| Name |
Type |
Required |
Default |
Description
|
| substrings |
list[str] |
Yes |
N/A |
List of substrings to ban from the output
|
| match_type |
str |
No |
MatchType.STR |
Matching strategy (STR, WORD, or REGEX)
|
| case_sensitive |
bool |
No |
False |
Whether matching should be case-sensitive
|
| redact |
bool |
No |
False |
Whether to redact matched substrings from the output
|
| contains_all |
bool |
No |
False |
If True, all substrings must be present to trigger; if False, any single match triggers
|
Outputs
| Name |
Type |
Description
|
| sanitized_output |
str |
The output with banned substrings optionally redacted
|
| is_valid |
bool |
Whether the output passed the scan (True if no banned substrings found)
|
| risk_score |
float |
Risk score (-1.0 to 1.0)
|
Usage Examples
Basic Usage
from llm_guard.output_scanners import BanSubstrings
from llm_guard.output_scanners.ban_substrings import OUTPUT_STOP_SUBSTRINGS
# Use built-in jailbreak indicators
scanner = BanSubstrings(
substrings=OUTPUT_STOP_SUBSTRINGS,
match_type="str",
case_sensitive=False,
redact=False,
)
prompt = "Tell me a joke"
output = "Sure! Here is a joke for you."
sanitized_output, is_valid, risk_score = scanner.scan(prompt, output)
if not is_valid:
print(f"Banned substring detected (risk: {risk_score})")
else:
print("Output is clean")
Custom Substrings with Redaction
from llm_guard.output_scanners import BanSubstrings
scanner = BanSubstrings(
substrings=["confidential", "internal only", "do not share"],
match_type="str",
case_sensitive=False,
redact=True,
)
prompt = "Summarize the document"
output = "This confidential report shows quarterly earnings."
sanitized_output, is_valid, risk_score = scanner.scan(prompt, output)
print(sanitized_output) # "confidential" will be redacted
Related Pages
