Merge branch 'main' into alonam/IDE-5719_secret_scanning_optimizations

alonam · web-flow · commit b0468e88ecff · 2026-03-08T12:24:58.000+02:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -9,3 +9,11 @@ updates:
     directory: "/" # Location of package manifests
     schedule:
       interval: "weekly"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      gh-actions-packages:
+        patterns:
+          - "*"
diff --git a/.github/workflows/check-regressions.yml b/.github/workflows/check-regressions.yml
@@ -35,16 +35,16 @@ jobs:
       DD_APP_KEY: ${{ secrets.DD_APP_KEY }}
       DD_SITE: ${{ vars.DD_SITE }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
         with:
           ref: main
 
       # This can be changed to the `set-up-rust` composite action after it lands on main.
       - name: Set up Rust
-        uses: actions-rust-lang/setup-rust-toolchain@v1.10.1
+        uses: actions-rust-lang/setup-rust-toolchain@11df97af8e8102fd60b60a77dfbf58d40cd843b8
 
       - name: Checkout test repositories
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
         with:
           repository: ${{ matrix.repo.org }}/${{ matrix.repo.name }}
           path: ${{ matrix.repo.org }}/${{ matrix.repo.name }}
@@ -82,14 +82,14 @@ jobs:
         run: node ./.github/scripts/check-regressions.js ${{ matrix.repo.org }}/${{ matrix.repo.name }} result-pre.json result-post.json
 
       - name: Upload unique changes from before
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
         if: steps.regression.outputs.diff1files != ''
         with:
           name: failures-before-${{ matrix.repo.org }}-${{ matrix.repo.name }}
           path: ${{ steps.regression.outputs.diff1files }}
 
       - name: Upload unique changes from after
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
         if: steps.regression.outputs.diff2files != ''
         with:
           name: failures-after-${{ matrix.repo.org }}-${{ matrix.repo.name }}
diff --git a/.github/workflows/coverage.yaml.yml b/.github/workflows/coverage.yaml.yml
@@ -8,11 +8,11 @@ jobs:
     env:
       CARGO_TERM_COLOR: always
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
       - name: Install Rust
         run: rustup update stable
       - name: Install cargo-llvm-cov
-        uses: taiki-e/install-action@cargo-llvm-cov
+        uses: taiki-e/install-action@d50ec1d40c9c7a251e48a8f8810527d411553bdc
       - name: Generate code coverage
         run: cargo llvm-cov --all-features --workspace --lcov --output-path lcov.info
       - name: Upload coverage to Datadog
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -28,10 +28,10 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Set up Docker BuildKit
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 
       - name: Build Docker image for ${{ matrix.platform }}
         run: |
diff --git a/.github/workflows/ghcr.yml b/.github/workflows/ghcr.yml
@@ -24,26 +24,26 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       # Set the current SHA as the version so that it's exposed on the server.
       - name: Set the version
         shell: bash
         run: sed "s/development/$GITHUB_SHA/g" crates/static-analysis-kernel/src/constants.rs > bla && rm crates/static-analysis-kernel/src/constants.rs && mv bla crates/static-analysis-kernel/src/constants.rs
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           flavor: |
@@ -55,7 +55,7 @@ jobs:
 
       - name: Build and push Docker image
         id: push
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
         with:
           context: .
           push: true
diff --git a/.github/workflows/integration-tests.yaml b/.github/workflows/integration-tests.yaml
@@ -35,7 +35,7 @@ jobs:
           - { file: './misc/integration-test-secrets.sh', gha_alias: 'Secrets' }
     name: Run integration test - ${{ matrix.scripts.gha_alias }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
       - uses: ./.github/actions/set-up-rust
       - name: Execute script
         run: ${{ matrix.scripts.file }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -16,7 +16,7 @@ jobs:
       is-production: ${{ steps.set-var.outputs.is-production }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
 
@@ -79,14 +79,14 @@ jobs:
           git config --global --add safe.directory $GITHUB_WORKSPACE
 
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - uses: ./.github/actions/set-up-rust
         with:
           target: ${{ matrix.target }}
 
       - name: Install cross-compilation tools
-        uses: taiki-e/setup-cross-toolchain-action@v1
+        uses: taiki-e/setup-cross-toolchain-action@b8d1a322a6009a2b7220f53996695778eef89b41 # v1
         with:
           target: ${{ matrix.target }}
 
@@ -121,7 +121,7 @@ jobs:
           move *.zip ..\..\..\
 
       - name: Upload assets
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: ${{ matrix.target }}
           path: |
@@ -146,12 +146,12 @@ jobs:
       contents: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
 
       - name: Download build artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
         with:
           path: artifacts
 
diff --git a/.github/workflows/rust.yaml b/.github/workflows/rust.yaml
@@ -31,15 +31,15 @@ jobs:
       DD_SITE: ${{ vars.DD_SITE }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - uses: ./.github/actions/set-up-rust
 
       - name: Fetch dependencies
         run: cargo fetch
 
       - name: Run cargo ${{ matrix.cargo_cmd.cmd_name }} ${{ matrix.cargo_cmd.args }}
-        uses: actions-rs/cargo@v1
+        uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1
         with:
           command: ${{ matrix.cargo_cmd.cmd_name }}
           args: ${{ matrix.cargo_cmd.args }}
diff --git a/.github/workflows/sca.yml b/.github/workflows/sca.yml
@@ -11,7 +11,7 @@ jobs:
     name: Datadog SBOM Generation and Upload
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
     - uses: ./.github/actions/set-up-rust
     - name: cargo install sbom
       run: cargo install --version 0.8.4 cargo-sbom
@@ -23,7 +23,7 @@ jobs:
         cargo sbom --cargo-package static-analysis-server --output-format cyclone_dx_json_1_4 > static-analysis-server.json
     - name: Generate SBOM and Upload
       id: software-composition-analysis
-      uses: DataDog/datadog-sca-github-action@main
+      uses: DataDog/datadog-sca-github-action@2cc1486ee1b07318ba608b86e40d124efa76ddb5 # main
       with:
         dd_api_key: ${{ secrets.DD_API_KEY }}
         dd_app_key: ${{ secrets.DD_APP_KEY }}
diff --git a/.github/workflows/test-rules.yaml b/.github/workflows/test-rules.yaml
@@ -16,7 +16,7 @@ jobs:
     outputs:
       languages: ${{ steps.extract.outputs.languages }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
       - id: extract
         name: Extract languages from file
         run: |
@@ -55,7 +55,7 @@ jobs:
       DD_SITE: datadoghq.com
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - uses: ./.github/actions/set-up-rust
 
diff --git a/.github/workflows/verify-schema.yaml b/.github/workflows/verify-schema.yaml
@@ -10,7 +10,7 @@ jobs:
   test_json_schema:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
       - name: Use Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
       - run: make -C schema
diff --git a/.github/workflows/versions-check.yaml b/.github/workflows/versions-check.yaml
@@ -10,6 +10,6 @@ jobs:
   integration_tests:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
       - name: Ensure versions
         run: python -mjson.tool versions.json >/dev/null
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -42,6 +42,7 @@ test-and-build-arm64:
     - python3 misc/test-rules.py -c $PWD/target/release/datadog-static-analyzer -s $PWD/target/release/datadog-static-analyzer-server -l python
   variables:
     DD_SITE: datadoghq.com
+    CARGO_HUSKY_DONT_INSTALL_HOOKS: "true"
   tags:
     - arch:arm64
 
@@ -66,6 +67,7 @@ test-and-build-amd64:
     - python3 misc/test-rules.py -c $PWD/target/release/datadog-static-analyzer -s $PWD/target/release/datadog-static-analyzer-server -l python
   variables:
     DD_SITE: datadoghq.com
+    CARGO_HUSKY_DONT_INSTALL_HOOKS: "true"
   tags:
     - arch:amd64
 
diff --git a/crates/bins/src/bin/datadog-static-analyzer-git-hook.rs b/crates/bins/src/bin/datadog-static-analyzer-git-hook.rs
@@ -439,6 +439,7 @@ fn main() -> Result<()> {
     }
 
     // This must be called _after_ `initialize_v8` (otherwise, PKU-related segfaults on Linux will occur).
+    // Stack size is set explicitly to 64MB for the dd-sds scanner's regex matching depth.
     rayon::ThreadPoolBuilder::new()
         .num_threads(configuration.get_num_threads())
         .build_global()?;
diff --git a/crates/bins/src/bin/datadog-static-analyzer-server.rs b/crates/bins/src/bin/datadog-static-analyzer-server.rs
@@ -23,6 +23,7 @@ async fn main() {
     V8_PLATFORM.set(v8).expect("cell should have been unset");
 
     // This must be called _after_ `initialize_v8` (otherwise, PKU-related segfaults on Linux will occur).
+    // Stack size is set explicitly to 64MB for the dd-sds scanner's regex matching depth.
     let rayon_pool = rayon::ThreadPoolBuilder::new()
         .num_threads(0)
         .build()
diff --git a/crates/bins/src/bin/datadog-static-analyzer.rs b/crates/bins/src/bin/datadog-static-analyzer.rs
@@ -529,9 +529,14 @@ fn main() -> Result<()> {
     }
 
     // This must be called _after_ `initialize_v8` (otherwise, PKU-related segfaults on Linux will occur).
-    rayon::ThreadPoolBuilder::new()
-        .num_threads(configuration.get_num_threads())
-        .build_global()?;
+    // When secrets scanning is enabled, set the stack size to 64MB to accommodate the dd-sds
+    // scanner's regex matching depth.
+    let mut thread_pool_builder =
+        rayon::ThreadPoolBuilder::new().num_threads(configuration.get_num_threads());
+    if secrets_enabled {
+        thread_pool_builder = thread_pool_builder.stack_size(64 * 1024 * 1024);
+    }
+    thread_pool_builder.build_global()?;
 
     let files_filtered_by_size = filter_files_by_size(&files_in_repository, &configuration);
 
