Update secret scanning rule configuration docs #36671
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,45 @@ | ||||||||||||||
| --- | ||||||||||||||
| title: Rule Configuration | ||||||||||||||
| algolia: | ||||||||||||||
| tags: ['static analysis', 'ci pipeline', 'SAST', 'secret scanning'] | ||||||||||||||
| description: Reference documentation for Datadog Secret Scanning (SAST) configuration, covering rule CRUD. | ||||||||||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||||||||||
| --- | ||||||||||||||
|
|
||||||||||||||
| By default, Datadog Secret Scanning scans enabled repositories with all [rules in the Secrets & Credentials category of Sensitive Data Scanner](https://docs.datadoghq.com/security/sensitive_data_scanner/scanning_rules/library_rules/?category=Secrets+and+credentials). You can customize which rules run, modify default rules, and create custom rules in the ['Code' configuration page](https://app.datadoghq.com/sensitive-data-scanner/configuration/code) in SDS. | ||||||||||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||||||||||
| ## Scanning groups | ||||||||||||||
| There are 2 scanning groups that configure Secret Scanning rules. | ||||||||||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||||||||||
| ### Managed scanning group | ||||||||||||||
| The managed scanning group is managed by Datadog's security team. It automatically receives new rules and updates to rules, and is enabled by default for all organizations. | ||||||||||||||
|
|
||||||||||||||
| {{< img src="/code_security/secret_scanning/managed_scanning_group_not_customized.png" alt="Managed scanning group" style="width:100%;">}} | ||||||||||||||
|
|
||||||||||||||
| ### Custom rule scanning group | ||||||||||||||
| The custom scanning group is managed by user orgs. You can [create and test custom regex rules](https://docs.datadoghq.com/security/sensitive_data_scanner/scanning_rules/custom_rules/) or add rules from the SDS rules library. | ||||||||||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||||||||||
|
|
||||||||||||||
| {{< img src="/code_security/secret_scanning/custom_scanning_group.png" alt="Managed scanning group" style="width:100%;">}} | ||||||||||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||||||||||
|
|
||||||||||||||
| ## Configuring rules | ||||||||||||||
| ### Customizing default rules | ||||||||||||||
| You can customize the severity and keywords of managed default rules by hovering over the specific rule, then clicking the pencil icon at the right. | ||||||||||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||||||||||
| {{< img src="/code_security/secret_scanning/customize_default_rule.png" alt="Edit rule" style="width:100%;">}} | ||||||||||||||
|
|
||||||||||||||
| The edit dialog will pop up. | ||||||||||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||||||||||
| {{< img src="/code_security/secret_scanning/configure_default_rule.png" alt="Edit rule popup" style="width:100%;">}} | ||||||||||||||
|
|
||||||||||||||
| After editing the rule and pressing **Update** at the bottom right, the modified rule appears as **Customized** in the managed scanning group. | ||||||||||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||||||||||
|
|
||||||||||||||
| {{< img src="/code_security/secret_scanning/disable_rule.png" alt="Customized secret scanning rule in managed group" style="width:100%;">}} | ||||||||||||||
|
|
||||||||||||||
| <div class="alert alert-info">Customized rules do not automatically receive severity/default keyword updates from Datadog's security team. To restore a rule to its managed state, hover over a customized rule and click the restore icon at the right. </div> | ||||||||||||||
|
|
||||||||||||||
| ### Creating custom rules | ||||||||||||||
| You can create custom rules in the custom scanning group. Click 'Add scanning rule' at the bottom or 'Add rule' at the top right, create your regex rule, then configure the severity and keywords. After they're enabled, new rules are scanned for in your repositories upon the next commit. | ||||||||||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||||||||||
|
|
||||||||||||||
| {{< img src="/code_security/secret_scanning/add_to_custom.png" alt="Add rule to custom group" style="width:100%;">}} | ||||||||||||||
|
|
||||||||||||||
| You can update custom rules by hovering over the rule, then clicking the pencil icon at the right. | ||||||||||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||||||||||
|
|
||||||||||||||
| ### Disabling rules | ||||||||||||||
| Disable a rule by clicking the blue toggle on the right. | ||||||||||||||
|
|
||||||||||||||
| <div class="alert alert-info">Once a specific rule is disabled, existing findings from that rule are auto-closed in Secret Scanning upon the next commit.</div> | ||||||||||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||||||||||
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.