DataDog
diff --git a/‎crates/bins/src/bin/datadog-static-analyzer-git-hook.rs‎
Lines changed: 20 additions & 20 deletions b/‎crates/bins/src/bin/datadog-static-analyzer-git-hook.rs‎
Lines changed: 20 additions & 20 deletions
diff --git a/‎crates/bins/src/bin/datadog-static-analyzer.rs‎
Lines changed: 22 additions & 22 deletions b/‎crates/bins/src/bin/datadog-static-analyzer.rs‎
Lines changed: 22 additions & 22 deletions
diff --git a/‎crates/cli/src/config_file.rs‎
Lines changed: 3 additions & 6 deletions b/‎crates/cli/src/config_file.rs‎
Lines changed: 3 additions & 6 deletions
diff --git a/‎crates/cli/src/datadog_utils.rs‎
Lines changed: 2 additions & 2 deletions b/‎crates/cli/src/datadog_utils.rs‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎crates/static-analysis-kernel/src/arguments.rs‎
Lines changed: 14 additions & 12 deletions b/‎crates/static-analysis-kernel/src/arguments.rs‎
Lines changed: 14 additions & 12 deletions
@@ -272,38 +272,38 @@ fn main() -> Result<()> {
             exit(EXIT_CODE_INVALID_CONFIGURATION)
         }
     };
+    let sast_config = configuration_file.as_ref().and_then(|cfg| cfg.sast());
+
     let mut rules: Vec<Rule> = Vec::new();
     let rule_config_provider = configuration_file
         .as_ref()
         .map(RuleConfigProvider::from_config)
         .unwrap_or_default();
 
-    // A list of rulesets that were fetched due to being specifically listed in a ConfigFile::use_rulesets list.
-    let mut fetched_rulesets = Vec::<&str>::new();
+    // Rulesets to exclude when fetching default rulesets
+    let mut excluded_rulesets = Vec::<&str>::new();
     // if there is a configuration file, we load the rules from it. But it means
     // we cannot have the rule parameter given.
-    if let Some(conf) = &configuration_file {
+    if let Some(conf) = sast_config {
         ignore_gitignore = conf
             .global_config
             .as_ref()
             .and_then(|g| g.use_gitignore.map(|b| !b))
             .unwrap_or(false);
 
         if static_analysis_enabled {
-            if let Some(rulesets) = &conf.use_rulesets {
-                let rules_from_api = get_rules_from_rulesets(rulesets, use_staging, use_debug)
-                    .inspect_err(|e| {
-                        if let DatadogApiError::RulesetNotFound(rs) = e {
-                            eprintln!("Error: ruleset {rs} not found");
-                            exit(EXIT_CODE_RULESET_NOT_FOUND);
-                        }
-                    })
-                    .context("error when reading rules from API")?;
-                rules.extend(rules_from_api);
-                for r in rulesets {
-                    fetched_rulesets.push(r.as_str());
-                }
-            }
+            let explicit_rs = conf.explicit_rulesets().collect::<Vec<_>>();
+            let rules_from_api = get_rules_from_rulesets(&explicit_rs, use_staging, use_debug)
+                .inspect_err(|e| {
+                    if let DatadogApiError::RulesetNotFound(rs) = e {
+                        eprintln!("Error: ruleset {rs} not found");
+                        exit(EXIT_CODE_RULESET_NOT_FOUND);
+                    }
+                })
+                .context("error when reading rules from API")?;
+            rules.extend(rules_from_api);
+            excluded_rulesets.extend(explicit_rs);
+            excluded_rulesets.extend(conf.ignore_rulesets.iter().map(String::as_str));
         }
 
         // copy the only and ignore paths from the configuration file
@@ -328,7 +328,7 @@ fn main() -> Result<()> {
     if static_analysis_enabled {
         // if there is no config file, we take the default rules from our APIs.
 
-        if configuration_file.is_none() && use_debug {
+        if sast_config.is_none() && use_debug {
             println!("WARNING: no configuration file detected, getting the default rules from the Datadog API");
             println!("Check the following resources to configure your rules:");
             println!(
@@ -337,10 +337,10 @@ fn main() -> Result<()> {
             println!(" - Static analyzer repository on GitHub: https://github.com/DataDog/datadog-static-analyzer");
         }
 
-        let should_fetch = !matches!(&configuration_file, Some(config) if config.use_default_rulesets == Some(false));
+        let should_fetch = sast_config.is_none_or(|c| c.use_default_rulesets != Some(false));
         if should_fetch {
             let rulesets_from_api =
-                get_all_default_rulesets(use_staging, use_debug, &fetched_rulesets)
+                get_all_default_rulesets(use_staging, use_debug, &excluded_rulesets)
                     .context("cannot get default rules")?;
             rules.extend(rulesets_from_api.into_iter().flat_map(|rs| rs.into_rules()));
         }
 
@@ -279,8 +279,9 @@ fn main() -> Result<()> {
             exit(EXIT_CODE_INVALID_CONFIGURATION)
         }
     };
+    let sast_config = configuration_file.as_ref().and_then(|cfg| cfg.sast());
 
-    if configuration_file.is_none() && use_debug {
+    if sast_config.is_none() && use_debug {
         eprintln!("INFO: no configuration detected locally or remotely")
     }
 
@@ -290,11 +291,11 @@ fn main() -> Result<()> {
         .unwrap_or_default();
     let mut rules: Vec<Rule> = Vec::new();
 
-    // A list of rulesets that were fetched due to being specifically listed in a ConfigFile::use_rulesets list.
-    let mut fetched_rulesets = Vec::<&str>::new();
+    // Rulesets to exclude when fetching default rulesets
+    let mut excluded_rulesets = Vec::<&str>::new();
     // if there is a configuration file, we load the rules from it. But it means
     // we cannot have the rule parameter given.
-    if let Some(conf) = &configuration_file {
+    if let Some(conf) = sast_config {
         ignore_gitignore = conf
             .global_config
             .as_ref()
@@ -306,20 +307,18 @@ fn main() -> Result<()> {
         }
 
         if static_analysis_enabled {
-            if let Some(rulesets) = &conf.use_rulesets {
-                let rules_from_api = get_rules_from_rulesets(rulesets, use_staging, use_debug)
-                    .inspect_err(|e| {
-                        if let DatadogApiError::RulesetNotFound(rs) = e {
-                            eprintln!("Error: ruleset {rs} not found");
-                            exit(EXIT_CODE_RULESET_NOT_FOUND);
-                        }
-                    })
-                    .context("error when reading rules from API")?;
-                rules.extend(rules_from_api);
-                for r in rulesets {
-                    fetched_rulesets.push(r.as_str());
-                }
-            }
+            let explicit_rs = conf.explicit_rulesets().collect::<Vec<_>>();
+            let rules_from_api = get_rules_from_rulesets(&explicit_rs, use_staging, use_debug)
+                .inspect_err(|e| {
+                    if let DatadogApiError::RulesetNotFound(rs) = e {
+                        eprintln!("Error: ruleset {rs} not found");
+                        exit(EXIT_CODE_RULESET_NOT_FOUND);
+                    }
+                })
+                .context("error when reading rules from API")?;
+            rules.extend(rules_from_api);
+            excluded_rulesets.extend(explicit_rs);
+            excluded_rulesets.extend(conf.ignore_rulesets.iter().map(String::as_str));
         }
         // copy the only and ignore paths from the configuration file
         if let Some(pc) = conf.global_config.as_ref().and_then(|g| g.paths.as_ref()) {
@@ -343,18 +342,19 @@ fn main() -> Result<()> {
     if static_analysis_enabled {
         // if there is no config file, we take the default rules from our APIs.
         if rules_file.is_none() {
-            if configuration_file.is_none() {
-                println!("WARNING: no configuration file detected, getting the default rules from the Datadog API");
+            if sast_config.is_none() {
+                println!("WARNING: no SAST configuration detected, getting the default rules from the Datadog API");
                 println!("Check the following resources to configure your rules:");
                 println!(
                     " - Datadog documentation: https://docs.datadoghq.com/code_analysis/static_analysis"
                 );
                 println!(" - Static analyzer repository on GitHub: https://github.com/DataDog/datadog-static-analyzer");
             }
-            let should_fetch = !matches!(&configuration_file, Some(config) if config.use_default_rulesets == Some(false));
+
+            let should_fetch = sast_config.is_none_or(|c| c.use_default_rulesets != Some(false));
             if should_fetch {
                 let rulesets_from_api =
-                    get_all_default_rulesets(use_staging, use_debug, &fetched_rulesets)
+                    get_all_default_rulesets(use_staging, use_debug, &excluded_rulesets)
                         .context("cannot get default rules")?;
                 rules.extend(rulesets_from_api.into_iter().flat_map(|rs| rs.into_rules()));
             }
 
@@ -55,7 +55,7 @@ pub fn get_config(
         .transpose()?;
     let local_config: Option<file_v1::ConfigFile> = local_yaml.map(|v| match v {
         WithVersion::Legacy(legacy) => file_v1::YamlConfigFile::from(legacy).into(),
-        WithVersion::CodeSecurity(v2) => v2.into(),
+        WithVersion::CodeSecurity(v1) => v1.into(),
     });
 
     if !should_use_datadog_backend() {
@@ -95,7 +95,7 @@ pub fn get_config(
     let text = decode_base64_string(remote_config_base64)
         .context("error when decoding base64 remote config")?;
 
-    let res = parse_any_schema_yaml(&text).inspect_err(|err| {
+    let res = file_v1::parse_yaml(&text).inspect_err(|err| {
         if debug {
             eprintln!("Error when parsing remote config: {err:?}");
             eprintln!("Proceeding with local config");
@@ -104,10 +104,7 @@ pub fn get_config(
     let Ok(remote_yaml) = res else {
         return Ok(local_config.map(|c| (c, ConfigMethod::File)));
     };
-    let remote_config: file_v1::ConfigFile = match remote_yaml {
-        WithVersion::Legacy(legacy) => file_v1::YamlConfigFile::from(legacy).into(),
-        WithVersion::CodeSecurity(v2) => v2.into(),
-    };
+    let remote_config: file_v1::ConfigFile = remote_yaml.into();
 
     let config_method = if local_config.is_some() {
         ConfigMethod::RemoteConfigurationWithFile
 
@@ -76,12 +76,12 @@ pub fn get_secrets_rules(use_staging: bool) -> Result<Vec<SecretRule>> {
 
 // Get all the rules from different rulesets from Datadog
 pub fn get_rules_from_rulesets(
-    rulesets_name: &[String],
+    rulesets_name: &[&str],
     use_staging: bool,
     debug: bool,
 ) -> Result<Vec<Rule>> {
     let mut rules: Vec<Rule> = Vec::new();
-    for ruleset_name in rulesets_name {
+    for &ruleset_name in rulesets_name {
         rules.extend(get_ruleset(ruleset_name, use_staging, debug)?.into_rules());
     }
     Ok(rules)
 
@@ -52,18 +52,20 @@ impl ArgumentProvider {
 
     pub fn from(config: &file_v1::ConfigFile) -> Self {
         let mut provider = ArgumentProvider::new();
-        if let Some(rulesets) = &config.ruleset_configs {
-            for (ruleset_name, ruleset_cfg) in rulesets {
-                for (rule_shortname, rule_cfg) in &ruleset_cfg.rules {
-                    let rule_name = format!("{}/{}", ruleset_name, rule_shortname);
-                    for (arg_name, arg_values) in &rule_cfg.arguments {
-                        for (prefix, value) in arg_values.iter() {
-                            provider.add_argument(
-                                &rule_name,
-                                &prefix.into_iter().cloned().collect(),
-                                arg_name,
-                                value,
-                            );
+        if let Some(sast_config) = config.sast() {
+            if let Some(rulesets) = &sast_config.ruleset_configs {
+                for (ruleset_name, ruleset_cfg) in rulesets {
+                    for (rule_shortname, rule_cfg) in &ruleset_cfg.rules {
+                        let rule_name = format!("{}/{}", ruleset_name, rule_shortname);
+                        for (arg_name, arg_values) in &rule_cfg.arguments {
+                            for (prefix, value) in arg_values.iter() {
+                                provider.add_argument(
+                                    &rule_name,
+                                    &prefix.into_iter().cloned().collect(),
+                                    arg_name,
+                                    value,
+                                );
+                            }
                         }
                     }
                 }