DataDog
diff --git a/‎Cargo.toml‎
Lines changed: 1 addition & 1 deletion b/‎Cargo.toml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎README.md‎
Lines changed: 5 additions & 5 deletions b/‎README.md‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎crates/bins/src/bin/datadog-static-analyzer-git-hook.rs‎
Lines changed: 2 additions & 2 deletions b/‎crates/bins/src/bin/datadog-static-analyzer-git-hook.rs‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎crates/bins/src/bin/datadog-static-analyzer-server.rs‎
Lines changed: 6 additions & 0 deletions b/‎crates/bins/src/bin/datadog-static-analyzer-server.rs‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎crates/bins/src/bin/datadog-static-analyzer.rs‎
Lines changed: 2 additions & 2 deletions b/‎crates/bins/src/bin/datadog-static-analyzer.rs‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎crates/bins/src/bin/datadog_static_analyzer_server/endpoints.rs‎
Lines changed: 24 additions & 16 deletions b/‎crates/bins/src/bin/datadog_static_analyzer_server/endpoints.rs‎
Lines changed: 24 additions & 16 deletions
@@ -33,7 +33,7 @@ indexmap = { version = "2.11", features = ["serde"] }
 itertools = "0.14.0"
 derive_builder = "0.12"
 serde = { version = "1", features = ["derive"] }
-serde_json = "1.0"
+serde_json = { version = "1.0", features = ["raw_value"] }
 serde-sarif = "0.4"
 serde_yaml = "0.9.21"
 sha2 = "0.10.9"
 
@@ -184,7 +184,7 @@ The map in the `arguments` field uses an argument's name as its key, and the val
 An annotated example of a configuration file:
 
 ```yaml
-# This is a "v1" configuration file.
+# This is a legacy "v1" configuration file.
 schema-version: v1
 # The list of rulesets to enable for this repository.
 rulesets:
@@ -275,14 +275,14 @@ max-file-size-kb: 256
 
 ## Configuration file schema
 
-There is a JSON Schema definition for the `static-analysis.datadog.yml` in the `schema` subdirectory.
+There is a JSON Schema definition for the `static-analysis.datadog.yml` in the `schema/legacy` subdirectory.
 
 You can use it to check the syntax of your configuration file:
 
-1. Execute `npx --yes [email protected] validate -s schema/schema.json -r 'schema/*/*.json' -d path/to/your/static-analysis.datadog.yml`
+1. Execute `npx --yes [email protected] validate -s schema/legacy/schema.json -r 'schema/legacy/examples/*/*.json' -d path/to/your/static-analysis.datadog.yml`
 
-There are some examples of valid and invalid configuration files in the [`schema/v1/examples/valid`](schema/v1/examples/valid)
-and [`schema/v1/examples/invalid`](schema/v1/examples/invalid) subdirectories, respectively. If you make changes to the JSON
+There are some examples of valid and invalid configuration files in the [`schema/legacy/examples/valid`](schema/legacy/examples/valid)
+and [`schema/legacy/examples/invalid`](schema/legacy/examples/invalid) subdirectories, respectively. If you make changes to the JSON
 Schema, you can test them against our examples:
 
 1. Execute `make -C schema`
 
@@ -26,7 +26,7 @@ use itertools::Itertools;
 use kernel::analysis::ddsa_lib::v8_platform::{initialize_v8, Initialized, V8Platform};
 use kernel::classifiers::ArtifactClassification;
 use kernel::config::common::{ConfigMethod, PathConfig};
-use kernel::config::file_v2;
+use kernel::config::file_v1;
 use kernel::constants::{CARGO_VERSION, VERSION};
 use kernel::model::common::OutputFormat::Json;
 use kernel::model::rule::{Rule, RuleResult};
@@ -257,7 +257,7 @@ fn main() -> Result<()> {
     let configuration_file_and_method = get_config(directory_to_analyze.as_str(), use_debug);
 
     let (configuration_file, configuration_method): (
-        Option<file_v2::ConfigFile>,
+        Option<file_v1::ConfigFile>,
         Option<ConfigMethod>,
     ) = match configuration_file_and_method {
         Ok(cfg) => match cfg {
 
@@ -3,6 +3,7 @@
 // Copyright 2024 Datadog, Inc.
 
 use crate::datadog_static_analyzer_server::rule_cache::RuleCache;
+use crate::datadog_static_analyzer_server::secret_scanner_cache::SecretScannerCache;
 use kernel::analysis::ddsa_lib::v8_platform::{initialize_v8, Initialized, V8Platform};
 use std::sync::OnceLock;
 
@@ -11,6 +12,7 @@ mod datadog_static_analyzer_server;
 pub(crate) static V8_PLATFORM: OnceLock<V8Platform<Initialized>> = OnceLock::new();
 pub(crate) static RAYON_POOL: OnceLock<rayon::ThreadPool> = OnceLock::new();
 pub(crate) static RULE_CACHE: OnceLock<RuleCache> = OnceLock::new();
+pub(crate) static SECRET_SCANNER_CACHE: OnceLock<SecretScannerCache> = OnceLock::new();
 
 #[rocket::main]
 async fn main() {
@@ -30,5 +32,9 @@ async fn main() {
         .set(rayon_pool)
         .expect("cell should have been unset");
 
+    SECRET_SCANNER_CACHE
+        .set(SecretScannerCache::new())
+        .expect("cell should have been unset");
+
     datadog_static_analyzer_server::start().await;
 }
@@ -35,7 +35,7 @@ use kernel::analysis::ddsa_lib::v8_platform::{initialize_v8, Initialized, V8Plat
 use kernel::analysis::generated_content::DEFAULT_IGNORED_GLOBS;
 use kernel::classifiers::ArtifactClassification;
 use kernel::config::common::{ConfigMethod, PathConfig};
-use kernel::config::file_v2;
+use kernel::config::file_v1;
 use kernel::constants::{CARGO_VERSION, VERSION};
 use kernel::model::common::OutputFormat;
 use kernel::model::rule::{Rule, RuleSeverity};
@@ -264,7 +264,7 @@ fn main() -> Result<()> {
     let configuration_file_and_method = get_config(directory_to_analyze.as_str(), use_debug);
 
     let (configuration_file, configuration_method): (
-        Option<file_v2::ConfigFile>,
+        Option<file_v1::ConfigFile>,
         Option<ConfigMethod>,
     ) = match configuration_file_and_method {
         Ok(cfg) => match cfg {
 
@@ -3,7 +3,7 @@ use std::path::Path;
 
 use crate::datadog_static_analyzer_server::fairings::TraceSpan;
 use crate::datadog_static_analyzer_server::rule_cache::cached_analysis_request;
-use crate::{RAYON_POOL, RULE_CACHE, V8_PLATFORM};
+use crate::{RAYON_POOL, RULE_CACHE, SECRET_SCANNER_CACHE, V8_PLATFORM};
 use kernel::analysis::ddsa_lib::JsRuntime;
 use rocket::{
     fs::NamedFile,
@@ -153,7 +153,10 @@ async fn analyze(
     .unwrap()
 }
 
-fn process_secret_scan_request(request: SecretScanRequest) -> Result<Vec<SecretResult>, String> {
+fn process_secret_scan_request(
+    request: SecretScanRequest,
+    cache: Option<&super::secret_scanner_cache::SecretScannerCache>,
+) -> Result<Vec<SecretResult>, String> {
     // Maximum number of rules per request to prevent excessive CPU usage.
     const MAX_RULES_COUNT: usize = 1000;
 
@@ -174,16 +177,20 @@ fn process_secret_scan_request(request: SecretScanRequest) -> Result<Vec<SecretR
         return Err("Invalid filename: path traversal detected".to_string());
     }
 
-    // Deserialize rules from JSON
-    let rules: Vec<secrets::model::secret_rule::SecretRule> = request
-        .rules
-        .iter()
-        .map(|r| serde_json::from_value(r.clone()))
-        .collect::<Result<Vec<_>, _>>()
-        .map_err(|e| format!("Failed to parse rules: {}", e))?;
-
-    // Build the scanner with the provided rules
-    let scanner = secrets::scanner::build_sds_scanner(&rules, request.use_debug)?;
+    // Get scanner + parsed rules (from cache or fresh build)
+    let (scanner, rules) = if let Some(cache) = cache {
+        cache.get_or_build(&request.rules, request.use_debug)?
+    } else {
+        // No cache - build from scratch
+        let rules: Vec<secrets::model::secret_rule::SecretRule> = request
+            .rules
+            .iter()
+            .map(|r| serde_json::from_str(r.get()))
+            .collect::<Result<Vec<_>, _>>()
+            .map_err(|e| format!("Failed to parse rules: {}", e))?;
+        let scanner = secrets::scanner::build_sds_scanner(&rules, request.use_debug)?;
+        (std::sync::Arc::new(scanner), std::sync::Arc::new(rules))
+    };
 
     // Configure analysis options
     let options = common::analysis_options::AnalysisOptions {
@@ -210,10 +217,11 @@ async fn scan_secrets(span: TraceSpan, request: Json<SecretScanRequest>) -> Valu
 
     rocket::tokio::task::spawn_blocking(move || {
         let request = request.into_inner();
-        let (rule_responses, errors) = match process_secret_scan_request(request) {
-            Ok(resp) => (resp, vec![]),
-            Err(err) => (vec![], vec![err]),
-        };
+        let (rule_responses, errors) =
+            match process_secret_scan_request(request, SECRET_SCANNER_CACHE.get()) {
+                Ok(resp) => (resp, vec![]),
+                Err(err) => (vec![], vec![err]),
+            };
 
         json!(SecretScanResponse {
             rule_responses,