Rule Configuration

By default, Datadog Secret Scanning scans enabled repositories with all rules in the Secrets & Credentials category of Sensitive Data Scanner. You can customize which rules run, modify default rules, and create custom rules on the Code configuration page in SDS.

Scanning groups

There are two scanning groups that configure Secret Scanning rules.

Managed scanning group

The managed scanning group is managed by Datadog’s security team. It automatically receives new rules and updates to rules, and is enabled by default for all organizations.

Custom rule scanning group

The custom scanning group is managed by your organization. You can create and test custom regex rules or add rules from the SDS rules library.

Configuring rules

Customizing default rules

To customize the severity and keywords of a managed default rule, hover over the rule and click the pencil icon on the right.

The edit dialog opens.

After editing the rule and clicking Update at the bottom right, the modified rule appears as Customized in the managed scanning group.

Customized rules do not automatically receive severity/default keyword updates from Datadog's security team. To restore a rule to its managed state, hover over a customized rule and click the restore icon at the right.

Creating custom rules

To create a custom rule, go to the custom scanning group and click Add scanning rule at the bottom or Add rule at the top right. Create your regex rule, then configure the severity and keywords. After the rule is enabled, your repositories are scanned with it on the next commit.

To update a custom rule, hover over the rule and click the pencil icon on the right.
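
A local pre-check for a custom regex rule and its keywords before adding it to the custom scanning group, as an added example that is not Datadog's code. The rule (name, pattern, keywords, severity), the sample lines, and the assumption that a keyword must appear within `KEYWORD_WINDOW` characters before the match are all constructed for illustration; Python's `re` syntax can differ from the scanner's regex engine, so confirm the final pattern when you test the rule in the custom scanning group.

```python
import re

# Hypothetical rule: every value here is constructed for this example.
RULE = {
    "name": "Acme internal API token",
    "pattern": r"\b[A-Fa-f0-9]{32}\b",  # broad on purpose: also matches MD5 digests
    "keywords": ["acme_api_key", "acme_token"],
    "severity": "high",
}
KEYWORD_WINDOW = 30  # assumed: characters before the match searched for a keyword

# Constructed sample content standing in for files in a repository.
SAMPLE = """\
ACME_API_KEY = "0123456789abcdef0123456789abcdef"
checksum: d41d8cd98f00b204e9800998ecf8427e
acme_token: short
export ACME_TOKEN=FEDCBA9876543210FEDCBA9876543210
"""


def scan(text, rule, window=KEYWORD_WINDOW):
    """Return (line_no, match) pairs where the pattern matches near a keyword.

    An empty keyword list means the pattern alone decides, which shows how
    noisy the regex is without keywords.
    """
    pattern = re.compile(rule["pattern"])
    keywords = [k.lower() for k in rule["keywords"]]
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in pattern.finditer(line):
            # Only the text immediately before the match counts as context.
            context = line[max(0, m.start() - window):m.start()].lower()
            if not keywords or any(k in context for k in keywords):
                hits.append((line_no, m.group(0)))
    return hits


if __name__ == "__main__":
    with_keywords = scan(SAMPLE, RULE)
    regex_only = scan(SAMPLE, {**RULE, "keywords": []})
    print(f"{RULE['name']} ({RULE['severity']})")
    print(f"regex only:    {len(regex_only)} hits")
    print(f"with keywords: {len(with_keywords)} hits")
    for line_no, _ in with_keywords:
        print(f"  line {line_no}")  # print the location, not the matched value
```

The difference between the two counts is the noise the keywords remove; here the checksum line matches the regex alone but is dropped once keywords are required.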

Disabling rules

Disable a rule by clicking the blue toggle on the right.

After a specific rule is disabled, existing findings from that rule are auto-closed in Secret Scanning on the next commit.