Add Code Security v1.0 schema (vendored directly from https://github.com/datadog/schema)

jasonforal · jasonforal · commit b03d0e80d540 · 2026-03-05T17:43:13.000-05:00
diff --git a/schema/Makefile b/schema/Makefile
@@ -1,26 +1,17 @@
 all: test
 
-test: test-schema-valid test-schema-invalid test-legacy-valid test-legacy-invalid test-v2-valid test-v2-invalid
+test: test-v1.0-schema-valid test-v1.0-schema-invalid test-legacy-valid test-legacy-invalid
 
-examples-valid = $(1)/examples/valid/*.yml
-examples-invalid = $(1)/examples/invalid/*.yml
+test-v1.0-schema-valid:
+	npx --yes ajv-cli@5.0.0 test --spec=draft2020 -s sast/v1.0/validation.schema.json -r sast/v1.0/schema.json -d "tests/v1.0/valid/*.yml" --valid
 
-test-schema-valid:
-	npx --yes ajv-cli@5.0.0 test -s schema.json -r legacy/schema.json -d "$(call examples-valid,legacy)" --valid
-
-test-schema-invalid:
-	npx --yes ajv-cli@5.0.0 test -s schema.json -r legacy/schema.json -d "$(call examples-invalid,legacy)" --invalid
+test-v1.0-schema-invalid:
+	npx --yes ajv-cli@5.0.0 test --spec=draft2020 -s sast/v1.0/validation.schema.json -r sast/v1.0/schema.json -d "tests/v1.0/invalid/*.yml" --invalid
 
 test-legacy-valid:
-	npx --yes ajv-cli@5.0.0 test -s legacy/schema.json -d "$(call examples-valid,legacy)" --valid
+	npx --yes ajv-cli@5.0.0 test -s legacy/schema.json -d "legacy/examples/valid/*.yml" --valid
 
 test-legacy-invalid:
-	npx --yes ajv-cli@5.0.0 test -s legacy/schema.json -d "$(call examples-invalid,legacy)" --invalid
-
-test-v2-valid:
-	npx --yes ajv-cli@5.0.0 test -s v2/schema.json -d "$(call examples-valid,v2)" --valid
-
-test-v2-invalid:
-	npx --yes ajv-cli@5.0.0 test -s v2/schema.json -d "$(call examples-invalid,v2)" --invalid
+	npx --yes ajv-cli@5.0.0 test -s legacy/schema.json -d "legacy/examples/invalid/*.yml" --invalid
 
-.PHONY: test test-schema-valid test-schema-invalid test-legacy-valid test-legacy-invalid test-v2-valid test-v2-invalid
+.PHONY: test test-v1.0-schema-valid test-v1.0-schema-invalid test-legacy-valid test-legacy-invalid
diff --git a/schema/sast/v1.0/schema.json b/schema/sast/v1.0/schema.json
@@ -0,0 +1,179 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://raw.githubusercontent.com/DataDog/schema/main/code-security/sast/v1.0/schema.json",
+  "title": "Datadog SAST Configuration",
+  "type": "object",
+  "properties": {
+    "use-default-rulesets": {
+      "type": "boolean",
+      "default": true,
+      "description": "Enable Datadog's default rulesets. Defaults to true."
+    },
+    "use-rulesets": {
+      "type": "array",
+      "items": {
+        "type": "string",
+        "minLength": 1
+      },
+      "description": "List of rulesets to enable (in addition to defaults, if use-default-rulesets is true)."
+    },
+    "ignore-rulesets": {
+      "type": "array",
+      "items": {
+        "type": "string",
+        "minLength": 1
+      },
+      "description": "List of rulesets to disable. Takes precedence over default rulesets and those listed in use-rulesets."
+    },
+    "ruleset-configs": {
+      "type": "object",
+      "additionalProperties": {
+        "$ref": "#/$defs/rulesetConfig"
+      },
+      "description": "Per-ruleset configurations"
+    },
+    "global-config": {
+      "$ref": "#/$defs/globalConfig",
+      "description": "Global settings for the static analyzer."
+    }
+  },
+  "required": [],
+  "additionalProperties": false,
+  "$defs": {
+    "globalConfig": {
+      "type": "object",
+      "properties": {
+        "only-paths": {
+          "$ref": "#/$defs/pathList"
+        },
+        "ignore-paths": {
+          "$ref": "#/$defs/pathList"
+        },
+        "use-gitignore": {
+          "type": "boolean",
+          "default": true,
+          "description": "Use .gitignore to exclude files. Defaults to true."
+        },
+        "ignore-generated-files": {
+          "type": "boolean",
+          "default": true,
+          "description": "Ignore generated files. Defaults to true."
+        },
+        "max-file-size-kb": {
+          "type": "number",
+          "minimum": 0
+        }
+      },
+      "additionalProperties": false
+    },
+    "rulesetConfig": {
+      "type": "object",
+      "properties": {
+        "only-paths": {
+          "$ref": "#/$defs/pathList",
+          "description": "Paths to analyze for this ruleset."
+        },
+        "ignore-paths": {
+          "$ref": "#/$defs/pathList",
+          "description": "Paths to exclude for this ruleset."
+        },
+        "rule-configs": {
+          "type": "object",
+          "additionalProperties": {
+            "$ref": "#/$defs/ruleConfig"
+          },
+          "description": "Per-rule configurations within this ruleset."
+        }
+      },
+      "additionalProperties": false
+    },
+    "ruleConfig": {
+      "type": "object",
+      "properties": {
+        "only-paths": {
+          "$ref": "#/$defs/pathList"
+        },
+        "ignore-paths": {
+          "$ref": "#/$defs/pathList"
+        },
+        "arguments": {
+          "type": "object",
+          "additionalProperties": {
+            "$ref": "#/$defs/argumentValue"
+          }
+        },
+        "severity": {
+          "$ref": "#/$defs/severityValue"
+        },
+        "category": {
+          "enum": [
+            "BEST_PRACTICES",
+            "CODE_STYLE",
+            "ERROR_PRONE",
+            "PERFORMANCE",
+            "SECURITY"
+          ]
+        }
+      },
+      "additionalProperties": false
+    },
+    "pathList": {
+      "type": "array",
+      "items": {
+        "type": "string",
+        "minLength": 1
+      },
+      "description": "List of file paths or glob patterns."
+    },
+    "argumentValue": {
+      "anyOf": [
+        {
+          "$ref": "#/$defs/singularArgumentValue"
+        },
+        {
+          "type": "object",
+          "additionalProperties": {
+            "$ref": "#/$defs/singularArgumentValue"
+          }
+        }
+      ],
+      "description": "Argument value (singular or by-path)."
+    },
+    "singularArgumentValue": {
+      "anyOf": [
+        {
+          "type": "string"
+        },
+        {
+          "type": "number",
+          "$comment": "will be internally coerced to string"
+        },
+        {
+          "type": "boolean",
+          "$comment": "will be internally coerced to string"
+        }
+      ]
+    },
+    "severityValue": {
+      "anyOf": [
+        {
+          "$ref": "#/$defs/singularSeverityValue"
+        },
+        {
+          "type": "object",
+          "additionalProperties": {
+            "$ref": "#/$defs/singularSeverityValue"
+          }
+        }
+      ]
+    },
+    "singularSeverityValue": {
+      "enum": [
+        "ERROR",
+        "WARNING",
+        "NOTICE",
+        "NONE"
+      ]
+    }
+  }
+}
diff --git a/schema/sast/v1.0/validation.schema.json b/schema/sast/v1.0/validation.schema.json
@@ -0,0 +1,22 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://raw.githubusercontent.com/DataDog/schema/main/code-security/sast/v1.0/validation.schema.json",
+  "title": "Datadog SAST Configuration Validation",
+  "description": "Validation for v1.x",
+  "type": "object",
+  "required": ["schema-version"],
+  "additionalProperties": false,
+  "properties": {
+    "schema-version": {
+      "type": "string",
+      "pattern": "^v1\\.\\d+$"
+    },
+    "sast": {
+      "$ref": "https://raw.githubusercontent.com/DataDog/schema/main/code-security/sast/v1.0/schema.json"
+    },
+    "secrets": {},
+    "iac": {},
+    "sca": {},
+    "iast": {}
+  }
+}
diff --git a/schema/schema.json b/schema/schema.json
diff --git a/schema/tests/v1.0/invalid/unknown-field-root.yml b/schema/tests/v1.0/invalid/unknown-field-root.yml
@@ -0,0 +1,4 @@
+schema-version: v1.0
+
+sast:
+  some-field-not-defined-in-the-schema: true
diff --git a/schema/tests/v1.0/invalid/unknown-field-rule-config.yml b/schema/tests/v1.0/invalid/unknown-field-rule-config.yml
@@ -0,0 +1,8 @@
+schema-version: v1.0
+
+sast:
+  ruleset-configs:
+    java-security:
+      rule-configs:
+        sql-injection:
+          some-field-not-defined-in-the-schema: true
diff --git a/schema/tests/v1.0/invalid/unknown-field-ruleset-config.yml b/schema/tests/v1.0/invalid/unknown-field-ruleset-config.yml
@@ -0,0 +1,7 @@
+schema-version: v1.0
+
+sast:
+  ruleset-configs:
+    java-security:
+      some-field-not-defined-in-the-schema: true
+  
diff --git a/schema/tests/v1.0/invalid/unknown-global-config.yml b/schema/tests/v1.0/invalid/unknown-global-config.yml
@@ -0,0 +1,5 @@
+schema-version: v1.0
+
+sast:
+  global-config:
+    some-field-not-defined-in-the-schema: true
diff --git a/schema/tests/v1.0/valid/arguments.yml b/schema/tests/v1.0/valid/arguments.yml
@@ -0,0 +1,13 @@
+schema-version: v1.0
+
+sast:
+  ruleset-configs:
+    lorem_ipsum:
+      rule-configs:
+        dolor:
+          arguments:
+            sit_amet: "20"
+            consectetur:
+              /: 40
+              one/two/three/four: "80"
+  
diff --git a/schema/tests/v1.0/valid/complex.yml b/schema/tests/v1.0/valid/complex.yml
@@ -0,0 +1,38 @@
+schema-version: v1.0
+
+sast:
+  use-default-rulesets: false
+  use-rulesets:
+    - java-security
+    - python-security
+  
+  global-config:
+    only-paths:
+      - src/
+      - lib/
+    ignore-paths:
+      - "*/**/out/*.py"
+      - "**/vendor/"
+    use-gitignore: true
+    ignore-generated-files: true
+    max-file-size-kb: 500
+  
+  ruleset-configs:
+    python-security:
+      only-paths:
+        - "src/.py"
+      ignore-paths:
+        - tests/
+      rule-configs:
+        insecure-hash-functions:
+          severity: ERROR
+          arguments:
+            ignore-functions: "md5"
+  
+    java-best-practices:
+      rule-configs:
+        ssl-context:
+          only-paths:
+            - src/main/java/com/company/router
+          severity: WARNING
+  
diff --git a/schema/versions/v1.0/schema.json b/schema/versions/v1.0/schema.json
@@ -0,0 +1,29 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://raw.githubusercontent.com/DataDog/schema/main/code-security/versions/v1.0/schema.json",
+  "title": "Datadog Code Security Configuration v1.0",
+  "type": "object",
+  "required": ["schema-version"],
+  "additionalProperties": false,
+  "properties": {
+    "schema-version": {
+      "type": "string",
+      "const": "v1.0"
+    },
+    "sast": {
+      "$ref": "https://raw.githubusercontent.com/DataDog/schema/main/code-security/sast/v1.0/schema.json"
+    },
+    "secrets": {
+      "$ref": "https://raw.githubusercontent.com/DataDog/schema/main/code-security/secrets/v1.0/schema.json"
+    },
+    "iac": {
+      "$ref": "https://raw.githubusercontent.com/DataDog/schema/main/code-security/iac/v1.0/schema.json"
+    },
+    "sca": {
+      "$ref": "https://raw.githubusercontent.com/DataDog/schema/main/code-security/sca/v1.0/schema.json"
+    },
+    "iast": {
+      "$ref": "https://raw.githubusercontent.com/DataDog/schema/main/code-security/iast/v1.0/schema.json"
+    }
+  }
+}

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +schema-version: v1.0
++
 +sast:
 +  some-field-not-defined-in-the-schema: true