Update secret scanning rule configuration docs#36671
drichards-87 left a comment
Reviewing as a technical writer for Datadog docs. Most fixes are below as inline suggestions you can commit individually (or batch). There's also one larger multi-line suggestion that rewrites the body of configuration.md in one shot — converting inline links to reference-style (Datadog convention), making URLs site-relative, adding blank lines around headings, and applying every smaller style fix in this review. Use that one-click path if you'd rather take everything at once; otherwise cherry-pick the individual suggestions.
A few items that can't be inline suggestions, flagged here:

- Unused image: `static/images/code_security/secret_scanning/managed_scanning_group.png` is committed but never referenced in the page (the page uses `managed_scanning_group_not_customized.png`). Either delete the unused file or reference it.
- URL/menu mismatch (blocker): See the suggestion on the menu line. The file path and the menu URL don't agree, so the sidebar link will 404 as-is.
- Consider `further_reading` in the frontmatter pointing at the SDS rules library and the Secret Scanning index, matching the pattern in `_index.md`.
- Consider an `aliases:` entry if any existing internal links or marketing material reference `/configuration/` or `/rule_configuration/`.
| title: Rule Configuration | ||
| algolia: | ||
| tags: ['static analysis', 'ci pipeline', 'SAST', 'secret scanning'] | ||
| description: Reference documentation for Datadog Secret Scanning (SAST) configuration, covering rule CRUD. |
| description: Reference documentation for Datadog Secret Scanning (SAST) configuration, covering rule CRUD. | |
| description: Configure rules for Datadog Secret Scanning, including managed default rules and custom regex rules. |
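Review bot: the `algolia` tags two lines above the description still read `'static analysis', 'ci pipeline', 'SAST'`, which describe the static analysis product rather than this page; the suggested description already drops the "(SAST)" label, so the tags should follow and use Secret Scanning and Sensitive Data Scanner terms, otherwise search ranks this page for SAST queries it does not answer.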
| By default, Datadog Secret Scanning scans enabled repositories with all [rules in the Secrets & Credentials category of Sensitive Data Scanner](https://docs.datadoghq.com/security/sensitive_data_scanner/scanning_rules/library_rules/?category=Secrets+and+credentials). You can customize which rules run, modify default rules, and create custom rules in the ['Code' configuration page](https://app.datadoghq.com/sensitive-data-scanner/configuration/code) in SDS. | ||
| ## Scanning groups | ||
| There are 2 scanning groups that configure Secret Scanning rules. |
| There are 2 scanning groups that configure Secret Scanning rules. | |
| There are two scanning groups that configure Secret Scanning rules. |
| ### Custom rule scanning group | ||
| The custom scanning group is managed by user orgs. You can [create and test custom regex rules](https://docs.datadoghq.com/security/sensitive_data_scanner/scanning_rules/custom_rules/) or add rules from the SDS rules library. | ||
| {{< img src="/code_security/secret_scanning/custom_scanning_group.png" alt="Managed scanning group" style="width:100%;">}} |
| {{< img src="/code_security/secret_scanning/custom_scanning_group.png" alt="Managed scanning group" style="width:100%;">}} | |
| {{< img src="/code_security/secret_scanning/custom_scanning_group.png" alt="Custom scanning group" style="width:100%;">}} |
| ## Configuring rules | ||
| ### Customizing default rules | ||
| You can customize the severity and keywords of managed default rules by hovering over the specific rule, then clicking the pencil icon at the right. |
| You can customize the severity and keywords of managed default rules by hovering over the specific rule, then clicking the pencil icon at the right. | |
| To customize the severity and keywords of a managed default rule, hover over the rule and click the pencil icon on the right. |
| You can customize the severity and keywords of managed default rules by hovering over the specific rule, then clicking the pencil icon at the right. | ||
| {{< img src="/code_security/secret_scanning/customize_default_rule.png" alt="Edit rule" style="width:100%;">}} | ||
| The edit dialog will pop up. |
| The edit dialog will pop up. | |
| The edit dialog opens. |
| The edit dialog will pop up. | ||
| {{< img src="/code_security/secret_scanning/configure_default_rule.png" alt="Edit rule popup" style="width:100%;">}} | ||
| After editing the rule and pressing **Update** at the bottom right, the modified rule appears as **Customized** in the managed scanning group. |
| After editing the rule and pressing **Update** at the bottom right, the modified rule appears as **Customized** in the managed scanning group. | |
| After editing the rule and clicking **Update** at the bottom right, the modified rule appears as **Customized** in the managed scanning group. |
| <div class="alert alert-info">Customized rules do not automatically receive severity/default keyword updates from Datadog's security team. To restore a rule to its managed state, hover over a customized rule and click the restore icon at the right. </div> | ||
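Review bot: the alert in the last line should say explicitly that restoring a customized rule discards the local severity and keyword changes; "restore a rule to its managed state" only implies it, and a reader who has tuned a noisy default rule needs to know the restore icon throws that tuning away. While there, replace the "severity/default keyword" slash with "severity and default keyword" and drop the trailing space before `</div>`.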
| ### Creating custom rules | ||
| You can create custom rules in the custom scanning group. Click 'Add scanning rule' at the bottom or 'Add rule' at the top right, create your regex rule, then configure the severity and keywords. After they're enabled, new rules are scanned for in your repositories upon the next commit. |
| You can create custom rules in the custom scanning group. Click 'Add scanning rule' at the bottom or 'Add rule' at the top right, create your regex rule, then configure the severity and keywords. After they're enabled, new rules are scanned for in your repositories upon the next commit. | |
| To create a custom rule, go to the custom scanning group and click **Add scanning rule** at the bottom or **Add rule** at the top right. Create your regex rule, then configure the severity and keywords. After they're enabled, your repositories are scanned with the new rules on the next commit. |
| {{< img src="/code_security/secret_scanning/add_to_custom.png" alt="Add rule to custom group" style="width:100%;">}} | ||
| You can update custom rules by hovering over the rule, then clicking the pencil icon at the right. |
| You can update custom rules by hovering over the rule, then clicking the pencil icon at the right. | |
| To update a custom rule, hover over the rule and click the pencil icon on the right. |
| ### Disabling rules | ||
| Disable a rule by clicking the blue toggle on the right. | ||
| <div class="alert alert-info">Once a specific rule is disabled, existing findings from that rule are auto-closed in Secret Scanning upon the next commit.</div> |
| <div class="alert alert-info">Once a specific rule is disabled, existing findings from that rule are auto-closed in Secret Scanning upon the next commit.</div> | |
| <div class="alert alert-info">After a specific rule is disabled, existing findings from that rule are auto-closed in Secret Scanning on the next commit.</div> |
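Review bot: the alert says findings of a disabled rule are auto-closed on the next commit but not whether they are reopened if the rule is enabled again; a reader weighing whether to disable a noisy rule needs to know whether that is reversible, so state it here in the same alert.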
| weight: 2 | ||
| - name: Rule Configuration | ||
| identifier: sec_secret_scanning_configuration | ||
| url: /security/code_security/secret_scanning/rule_configuration/ |
| url: /security/code_security/secret_scanning/rule_configuration/ | |
| url: /security/code_security/secret_scanning/configuration/ |
| description: Reference documentation for Datadog Secret Scanning (SAST) configuration, covering rule CRUD. | ||
| --- | ||
| By default, Datadog Secret Scanning scans enabled repositories with all [rules in the Secrets & Credentials category of Sensitive Data Scanner](https://docs.datadoghq.com/security/sensitive_data_scanner/scanning_rules/library_rules/?category=Secrets+and+credentials). You can customize which rules run, modify default rules, and create custom rules in the ['Code' configuration page](https://app.datadoghq.com/sensitive-data-scanner/configuration/code) in SDS. |
| By default, Datadog Secret Scanning scans enabled repositories with all [rules in the Secrets & Credentials category of Sensitive Data Scanner](https://docs.datadoghq.com/security/sensitive_data_scanner/scanning_rules/library_rules/?category=Secrets+and+credentials). You can customize which rules run, modify default rules, and create custom rules in the ['Code' configuration page](https://app.datadoghq.com/sensitive-data-scanner/configuration/code) in SDS. | |
| By default, Datadog Secret Scanning scans enabled repositories with all [rules in the Secrets & Credentials category of Sensitive Data Scanner][1]. You can customize which rules run, modify default rules, and create custom rules on the [**Code** configuration page][2] in SDS. |
| {{< img src="/code_security/secret_scanning/managed_scanning_group_not_customized.png" alt="Managed scanning group" style="width:100%;">}} | ||
| ### Custom rule scanning group | ||
| The custom scanning group is managed by user orgs. You can [create and test custom regex rules](https://docs.datadoghq.com/security/sensitive_data_scanner/scanning_rules/custom_rules/) or add rules from the SDS rules library. |
| The custom scanning group is managed by user orgs. You can [create and test custom regex rules](https://docs.datadoghq.com/security/sensitive_data_scanner/scanning_rules/custom_rules/) or add rules from the SDS rules library. | |
| The custom scanning group is managed by user orgs. You can [create and test custom regex rules][3] or add rules from the SDS rules library. |
| ### Disabling rules | ||
| Disable a rule by clicking the blue toggle on the right. | ||
| <div class="alert alert-info">Once a specific rule is disabled, existing findings from that rule are auto-closed in Secret Scanning upon the next commit.</div> |
| <div class="alert alert-info">Once a specific rule is disabled, existing findings from that rule are auto-closed in Secret Scanning upon the next commit.</div> | |
| <div class="alert alert-info">Once a specific rule is disabled, existing findings from that rule are auto-closed in Secret Scanning upon the next commit.</div> | |
| [1]: /security/sensitive_data_scanner/scanning_rules/library_rules/?category=Secrets+and+credentials | |
| [2]: https://app.datadoghq.com/sensitive-data-scanner/configuration/code | |
| [3]: /security/sensitive_data_scanner/scanning_rules/custom_rules/ |
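Review bot: the first line of this suggestion keeps the original "Once a specific rule is disabled ... upon the next commit" wording that the earlier suggestion on the same alert changes to "After ... on"; committing both leaves whichever is applied second outdated, so fold the wording fix into this multi-line suggestion or commit them in one batch. The reference-style links themselves look right: `[1]` and `[3]` are site-relative docs paths, while `[2]` stays absolute because it points at the app rather than the docs site.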
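The properties the reviewed page configures per rule (a regex, a severity, keywords, an enable toggle, and the auto-closing of a disabled rule's findings on the next commit) in working form, as an added example that is not part of this PR, of the docs page, or of Datadog's Sensitive Data Scanner implementation. The `Rule` and `Finding` types, the sample repository content, the keyword semantics (at least one keyword must appear on the same line as the regex match) and the redaction are assumptions made here for the demonstration:

```python
"""Regex rule matching with keywords, severity and an enable toggle over repository text.
Added illustration for the rule fields the docs page describes; it is NOT Datadog's or
Sensitive Data Scanner's implementation. Matching semantics (a keyword must occur on the
same line as the regex match) are an assumption made for this demo."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    pattern: str            # regex describing the secret itself
    severity: str           # "critical", "high", ... as configured on the rule
    keywords: tuple = ()    # ASSUMPTION: at least one keyword must appear on the matched line
    enabled: bool = True    # the toggle the page describes
    managed: bool = True    # True: Datadog-managed default rule, False: custom rule


@dataclass
class Finding:
    rule: str
    severity: str
    path: str
    line_no: int
    redacted: str


def redact(secret: str) -> str:
    """Keep a 4-character prefix so a finding is identifiable without echoing the secret."""
    return secret[:4] + "*" * (len(secret) - 4)


def default_rules() -> list[Rule]:
    return [
        # Specific format, so it runs without keywords (and also fires on docs that quote the format).
        Rule("aws_access_key_id", r"\bAKIA[0-9A-Z]{16}\b", "critical"),
        # Generic pattern; keyword gating keeps it from flagging every 32-hex digest.
        Rule("generic_hex_token", r"\b[a-f0-9]{32}\b", "high",
             keywords=("token", "secret", "api_key"), managed=False),
    ]


def scan(repo: dict[str, list[str]], rules: list[Rule]) -> list[Finding]:
    """Apply every enabled rule to every line; keyword-gated rules need a keyword on that line."""
    findings: list[Finding] = []
    for path, lines in repo.items():
        for line_no, line in enumerate(lines, start=1):
            lowered = line.lower()
            for rule in rules:
                if not rule.enabled:
                    continue
                match = re.search(rule.pattern, line)
                if match is None:
                    continue
                if rule.keywords and not any(k in lowered for k in rule.keywords):
                    continue
                findings.append(Finding(rule.name, rule.severity, path, line_no,
                                        redact(match.group(0))))
    return findings


def close_disabled(open_findings: list[Finding], rules: list[Rule]):
    """Mirror the documented behaviour: open findings of a rule that is now disabled are closed."""
    disabled = {r.name for r in rules if not r.enabled}
    still_open = [f for f in open_findings if f.rule not in disabled]
    closed = [f for f in open_findings if f.rule in disabled]
    return still_open, closed


# Constructed sample content; the values are placeholders, not real credentials.
SAMPLE_REPO = {
    "config/settings.py": [
        "DEBUG = False",
        "AWS_ACCESS_KEY_ID = 'AKIAEXAMPLE1234567AB'",
        "API_TOKEN = '0123456789abcdef0123456789abcdef'",
        "md5 = 'fedcba9876543210fedcba9876543210'",   # 32 hex chars but no keyword: not a finding
    ],
    "docs/README.md": [
        "Keys look like AKIAEXAMPLE1234567AB; never commit a real one.",
    ],
}


def demo() -> dict:
    rules = default_rules()
    first = scan(SAMPLE_REPO, rules)
    # Flip the toggle on the managed AWS rule, then rescan as the next commit would.
    for rule in rules:
        if rule.name == "aws_access_key_id":
            rule.enabled = False
    still_open, closed = close_disabled(first, rules)
    second = scan(SAMPLE_REPO, rules)
    return {"first": first, "second": second, "still_open": still_open, "closed": closed}


if __name__ == "__main__":
    for label, items in demo().items():
        print(label, [(f.rule, f.path, f.line_no, f.redacted) for f in items])
```

Running `demo()` shows why the page pairs a generic regex with keywords: `generic_hex_token` fires on the `API_TOKEN` line but stays silent on the `md5` digest, while the specific `aws_access_key_id` pattern needs no keywords and therefore also fires on the README that quotes the format. Disabling the AWS rule closes its two findings and leaves one open, which is the behaviour the page's alert on disabled rules describes.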
Merge instructions

Merge readiness (for Datadog employees): Your branch name MUST follow the `<name>/<description>` convention and include the forward slash (/). Without this format, your pull request will not pass CI, the GitLab pipeline will not run, and you won't get a branch preview. Getting a branch preview makes it easier for us to check any issues with your PR, such as broken links. If your branch doesn't follow this format, rename it or create a new branch and PR.

[6/5/2025] Merge queue has been disabled on the documentation repo. If you have write access to the repo, the PR has been reviewed by a Documentation team member, and all of the required checks have passed, you can use the Squash and Merge button to merge the PR. If you don't have write access, or you need help, reach out in the #documentation channel in Slack.