For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/api/latest/governance-controls/list-governance-controls.md. A documentation index is available at /llms.txt.

List governance controls

Note: This endpoint is in preview and is subject to change. If you have any feedback, contact Datadog support.

GET https://api.ap1.datadoghq.com/api/v2/governance/controlhttps://api.ap2.datadoghq.com/api/v2/governance/controlhttps://api.datadoghq.eu/api/v2/governance/controlhttps://api.ddog-gov.com/api/v2/governance/controlhttps://api.us2.ddog-gov.com/api/v2/governance/controlhttps://api.uk1.datadoghq.com/api/v2/governance/controlhttps://api.datadoghq.com/api/v2/governance/controlhttps://api.us3.datadoghq.com/api/v2/governance/controlhttps://api.us5.datadoghq.com/api/v2/governance/control

Overview

Retrieve the list of governance controls configured for the organization. Each control pairs a detection definition with the organization’s current detection, notification, and mitigation configuration, along with counts of active and mitigated detections.

Response

OK

A list of governance controls.

Expand All

Field

Type

Description

data [required]

[object]

An array of governance control resources.

attributes [required]

object

The attributes of a governance control.

active_detections_count [required]

int64

The number of active detections for the control.

category [required]

string

The value driver the control is grouped under, such as security or cost.

created_at [required]

date-time

The time the control configuration was created.

created_by [required]

string

The UUID of the user who created the control configuration.

description [required]

string

A human-readable description of what the control detects.

detection_frequency [required]

string

How often detections are evaluated for the control.

detection_parameters [required]

object

A free-form map of parameter names to their configured values.

detection_type [required]

string

The detection type that uniquely identifies the control.

feature_flags [required]

[string]

The feature flags that gate the control.

insights [required]

[string]

The insight slugs associated with the control.

last_detection_at [required]

date-time

The time of the most recent detection for the control. null when there are no detections.

mitigated_detections_count [required]

int64

The number of mitigated detections for the control.

mitigation_parameters [required]

object

A free-form map of parameter names to their configured values.

mitigation_type [required]

string

The configured mitigation type for the control. Empty when not configured.

mitigations [required]

[object]

The mitigations available for a control.

action_verb [required]

string

The verb describing the mitigation action, such as revoke or delete.

description [required]

string

A human-readable description of the mitigation.

execution_modes

[string]

The execution modes the mitigation supports, such as manual or automatic.

feature_flags [required]

[string]

The feature flags that gate the mitigation.

id [required]

string

The unique identifier of the mitigation.

manual_mitigation_warning [required]

string

A warning shown to the user before applying the mitigation manually.

permissions [required]

[string]

The permissions required to apply the mitigation.

requires_ai [required]

boolean

Whether the mitigation requires AI to be enabled.

supported_parameters [required]

[object]

An array of parameter definitions.

default_value [required]

The default value of the parameter. The JSON type depends on the parameter's type.

description [required]

string

A human-readable description of the parameter.

display_name [required]

string

The human-readable name of the parameter.

hidden [required]

boolean

Whether the parameter is hidden from the UI.

name [required]

string

The machine-readable name of the parameter.

required [required]

boolean

Whether the parameter must be provided.

supported_values [required]

[object]

The supported values for an enumerated parameter.

label [required]

string

The human-readable label for the value.

value [required]

string

The machine-readable value.

type [required]

string

The type of the parameter, such as integer, string, boolean, enum, or pattern_list.

title [required]

string

A short, human-readable name for the mitigation.

name [required]

string

Human-readable name of the control.

next_steps [required]

string

Guidance on the next steps to remediate detections for the control.

notification_frequency [required]

string

The configured notification frequency for the control. Empty when not configured.

notification_parameters [required]

object

A free-form map of parameter names to their configured values.

notification_type [required]

string

The configured notification type for the control. Empty when not configured.

priority [required]

string

The priority of the control, such as High.

product [required]

string

The product the control belongs to.

release_status [required]

string

The release status of the control, such as prod or beta.

resource_type [required]

string

The type of resource the control evaluates.

resource_type_display_name [required]

string

The human-readable name of the resource type.

supported_detection_parameters [required]

[object]

An array of parameter definitions.

default_value [required]

The default value of the parameter. The JSON type depends on the parameter's type.

description [required]

string

A human-readable description of the parameter.

display_name [required]

string

The human-readable name of the parameter.

hidden [required]

boolean

Whether the parameter is hidden from the UI.

name [required]

string

The machine-readable name of the parameter.

required [required]

boolean

Whether the parameter must be provided.

supported_values [required]

[object]

The supported values for an enumerated parameter.

label [required]

string

The human-readable label for the value.

value [required]

string

The machine-readable value.

type [required]

string

The type of the parameter, such as integer, string, boolean, enum, or pattern_list.

supported_notification_parameters [required]

[object]

An array of parameter definitions.

default_value [required]

The default value of the parameter. The JSON type depends on the parameter's type.

description [required]

string

A human-readable description of the parameter.

display_name [required]

string

The human-readable name of the parameter.

hidden [required]

boolean

Whether the parameter is hidden from the UI.

name [required]

string

The machine-readable name of the parameter.

required [required]

boolean

Whether the parameter must be provided.

supported_values [required]

[object]

The supported values for an enumerated parameter.

label [required]

string

The human-readable label for the value.

value [required]

string

The machine-readable value.

type [required]

string

The type of the parameter, such as integer, string, boolean, enum, or pattern_list.

task [required]

string

A short description of the remediation task for the control.

type [required]

string

The control type, such as Proactive or Detection.

usage_concern [required]

string

The usage concern the control addresses, such as Security or Cost Optimization.

id [required]

string

The unique identifier of the control.

type [required]

enum

JSON:API resource type for a governance control. Allowed enum values: governance_control

{
  "data": [
    {
      "attributes": {
        "active_detections_count": 12,
        "category": "security",
        "created_at": "2024-01-15T09:30:00Z",
        "created_by": "11111111-2222-3333-4444-555555555555",
        "description": "Identifies API keys that have not been used within your specified time threshold, helping reduce security risks from dormant credentials.",
        "detection_frequency": "daily",
        "detection_parameters": {},
        "detection_type": "unused_api_keys",
        "feature_flags": [
          []
        ],
        "insights": [
          []
        ],
        "last_detection_at": "2024-03-01T12:00:00Z",
        "mitigated_detections_count": 3,
        "mitigation_parameters": {},
        "mitigation_type": "revoke_api_key",
        "mitigations": [
          {
            "action_verb": "revoke",
            "description": "Automatically identifies and revokes inactive API keys to improve security and reduce potential attack surface.",
            "execution_modes": [
              "manual",
              "automatic"
            ],
            "feature_flags": [
              []
            ],
            "id": "revoke_api_key",
            "manual_mitigation_warning": "These API keys will be revoked immediately upon confirmation. To revoke future API keys, you must go through this flow again.",
            "permissions": [
              "api_keys_write",
              "api_keys_delete"
            ],
            "requires_ai": false,
            "supported_parameters": [
              {
                "default_value": 30,
                "description": "Number of days of inactivity before an API key is considered unused.",
                "display_name": "Unused API Key Threshold",
                "hidden": false,
                "name": "api_key_threshold",
                "required": false,
                "supported_values": [
                  {
                    "label": "30 days",
                    "value": "thirty"
                  }
                ],
                "type": "integer"
              }
            ],
            "title": "Revoke Unused API Keys"
          }
        ],
        "name": "Unused API Keys",
        "next_steps": "Review and revoke API keys that are no longer in use to maintain a secure authentication posture.",
        "notification_frequency": "",
        "notification_parameters": {},
        "notification_type": "",
        "priority": "High",
        "product": "api_keys",
        "release_status": "prod",
        "resource_type": "api_key",
        "resource_type_display_name": "API Key",
        "supported_detection_parameters": [
          {
            "default_value": 30,
            "description": "Number of days of inactivity before an API key is considered unused.",
            "display_name": "Unused API Key Threshold",
            "hidden": false,
            "name": "api_key_threshold",
            "required": false,
            "supported_values": [
              {
                "label": "30 days",
                "value": "thirty"
              }
            ],
            "type": "integer"
          }
        ],
        "supported_notification_parameters": [
          {
            "default_value": 30,
            "description": "Number of days of inactivity before an API key is considered unused.",
            "display_name": "Unused API Key Threshold",
            "hidden": false,
            "name": "api_key_threshold",
            "required": false,
            "supported_values": [
              {
                "label": "30 days",
                "value": "thirty"
              }
            ],
            "type": "integer"
          }
        ],
        "task": "Review and revoke unused API keys.",
        "type": "Proactive",
        "usage_concern": "Security"
      },
      "id": "0d4e6f8a-1b2c-3d4e-5f6a-7b8c9d0e1f2a",
      "type": "governance_control"
    }
  ]
}

Bad Request

API error response.

Expand All

Field

Type

Description

errors [required]

[object]

A list of errors.

detail

string

A human-readable explanation specific to this occurrence of the error.

meta

object

Non-standard meta-information about the error

source

object

References to the source of the error.

header

string

A string indicating the name of a single request header which caused the error.

parameter

string

A string indicating which URI query parameter caused the error.

pointer

string

A JSON pointer to the value in the request document that caused the error.

status

string

Status code of the response.

title

string

Short human-readable summary of the error.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Unauthorized

API error response.

Expand All

Field

Type

Description

errors [required]

[object]

A list of errors.

detail

string

A human-readable explanation specific to this occurrence of the error.

meta

object

Non-standard meta-information about the error

source

object

References to the source of the error.

header

string

A string indicating the name of a single request header which caused the error.

parameter

string

A string indicating which URI query parameter caused the error.

pointer

string

A JSON pointer to the value in the request document that caused the error.

status

string

Status code of the response.

title

string

Short human-readable summary of the error.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Forbidden

API error response.

Expand All

Field

Type

Description

errors [required]

[object]

A list of errors.

detail

string

A human-readable explanation specific to this occurrence of the error.

meta

object

Non-standard meta-information about the error

source

object

References to the source of the error.

header

string

A string indicating the name of a single request header which caused the error.

parameter

string

A string indicating which URI query parameter caused the error.

pointer

string

A JSON pointer to the value in the request document that caused the error.

status

string

Status code of the response.

title

string

Short human-readable summary of the error.

{
  "errors": [
    {
      "detail": "Missing required attribute in body",
      "meta": {},
      "source": {
        "header": "Authorization",
        "parameter": "limit",
        "pointer": "/data/attributes/title"
      },
      "status": "400",
      "title": "Bad Request"
    }
  ]
}

Too many requests

API error response.

Expand All

Field

Type

Description

errors [required]

[string]

A list of errors.

{
  "errors": [
    "Bad Request"
  ]
}

Code Example

                  # Curl command
curl -X GET "https://api.ap1.datadoghq.com"https://api.ap2.datadoghq.com"https://api.datadoghq.eu"https://api.ddog-gov.com"https://api.us2.ddog-gov.com"https://api.uk1.datadoghq.com"https://api.datadoghq.com"https://api.us3.datadoghq.com"https://api.us5.datadoghq.com/api/v2/governance/control" \ -H "Accept: application/json" \ -H "DD-API-KEY: ${DD_API_KEY}" \ -H "DD-APPLICATION-KEY: ${DD_APP_KEY}"
"""
List governance controls returns "OK" response
"""

from datadog_api_client import ApiClient, Configuration
from datadog_api_client.v2.api.governance_controls_api import GovernanceControlsApi

configuration = Configuration()
configuration.unstable_operations["list_governance_controls"] = True
with ApiClient(configuration) as api_client:
    api_instance = GovernanceControlsApi(api_client)
    response = api_instance.list_governance_controls()

    print(response)

Instructions

First install the library and its dependencies and then save the example to example.py and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comuk1.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" python3 "example.py"
# List governance controls returns "OK" response

require "datadog_api_client"
DatadogAPIClient.configure do |config|
  config.unstable_operations["v2.list_governance_controls".to_sym] = true
end
api_instance = DatadogAPIClient::V2::GovernanceControlsAPI.new
p api_instance.list_governance_controls()

Instructions

First install the library and its dependencies and then save the example to example.rb and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comuk1.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" rb "example.rb"
// List governance controls returns "OK" response

package main

import (
	"context"
	"encoding/json"
	"fmt"
	"os"

	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
)

func main() {
	ctx := datadog.NewDefaultContext(context.Background())
	configuration := datadog.NewConfiguration()
	configuration.SetUnstableOperationEnabled("v2.ListGovernanceControls", true)
	apiClient := datadog.NewAPIClient(configuration)
	api := datadogV2.NewGovernanceControlsApi(apiClient)
	resp, r, err := api.ListGovernanceControls(ctx)

	if err != nil {
		fmt.Fprintf(os.Stderr, "Error when calling `GovernanceControlsApi.ListGovernanceControls`: %v\n", err)
		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
	}

	responseContent, _ := json.MarshalIndent(resp, "", "  ")
	fmt.Fprintf(os.Stdout, "Response from `GovernanceControlsApi.ListGovernanceControls`:\n%s\n", responseContent)
}

Instructions

First install the library and its dependencies and then save the example to main.go and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comuk1.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" go run "main.go"
// List governance controls returns "OK" response

import com.datadog.api.client.ApiClient;
import com.datadog.api.client.ApiException;
import com.datadog.api.client.v2.api.GovernanceControlsApi;
import com.datadog.api.client.v2.model.GovernanceControlsResponse;

public class Example {
  public static void main(String[] args) {
    ApiClient defaultClient = ApiClient.getDefaultApiClient();
    defaultClient.setUnstableOperationEnabled("v2.listGovernanceControls", true);
    GovernanceControlsApi apiInstance = new GovernanceControlsApi(defaultClient);

    try {
      GovernanceControlsResponse result = apiInstance.listGovernanceControls();
      System.out.println(result);
    } catch (ApiException e) {
      System.err.println("Exception when calling GovernanceControlsApi#listGovernanceControls");
      System.err.println("Status code: " + e.getCode());
      System.err.println("Reason: " + e.getResponseBody());
      System.err.println("Response headers: " + e.getResponseHeaders());
      e.printStackTrace();
    }
  }
}

Instructions

First install the library and its dependencies and then save the example to Example.java and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comuk1.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" java "Example.java"
// List governance controls returns "OK" response
use datadog_api_client::datadog;
use datadog_api_client::datadogV2::api_governance_controls::GovernanceControlsAPI;

#[tokio::main]
async fn main() {
    let mut configuration = datadog::Configuration::new();
    configuration.set_unstable_operation_enabled("v2.ListGovernanceControls", true);
    let api = GovernanceControlsAPI::with_config(configuration);
    let resp = api.list_governance_controls().await;
    if let Ok(value) = resp {
        println!("{:#?}", value);
    } else {
        println!("{:#?}", resp.unwrap_err());
    }
}

Instructions

First install the library and its dependencies and then save the example to src/main.rs and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comuk1.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" cargo run
/**
 * List governance controls returns "OK" response
 */

import { client, v2 } from "@datadog/datadog-api-client";

const configuration = client.createConfiguration();
configuration.unstableOperations["v2.listGovernanceControls"] = true;
const apiInstance = new v2.GovernanceControlsApi(configuration);

apiInstance
  .listGovernanceControls()
  .then((data: v2.GovernanceControlsResponse) => {
    console.log(
      "API called successfully. Returned data: " + JSON.stringify(data)
    );
  })
  .catch((error: any) => console.error(error));

Instructions

First install the library and its dependencies and then save the example to example.ts and run following commands:

    
DD_SITE="datadoghq.comus3.datadoghq.comus5.datadoghq.comdatadoghq.euap1.datadoghq.comap2.datadoghq.comuk1.datadoghq.comddog-gov.comus2.ddog-gov.com" DD_API_KEY="<API-KEY>" DD_APP_KEY="<APP-KEY>" tsc "example.ts"