DataDog
diff --git a/‎crates/bins/src/bin/datadog-static-analyzer-git-hook.rs‎
Lines changed: 51 additions & 20 deletions b/‎crates/bins/src/bin/datadog-static-analyzer-git-hook.rs‎
Lines changed: 51 additions & 20 deletions
diff --git a/‎crates/bins/src/bin/datadog-static-analyzer.rs‎
Lines changed: 56 additions & 29 deletions b/‎crates/bins/src/bin/datadog-static-analyzer.rs‎
Lines changed: 56 additions & 29 deletions
diff --git a/‎crates/cli/src/config_file.rs‎
Lines changed: 15 additions & 8 deletions b/‎crates/cli/src/config_file.rs‎
Lines changed: 15 additions & 8 deletions
diff --git a/‎crates/cli/src/datadog_utils.rs‎
Lines changed: 12 additions & 3 deletions b/‎crates/cli/src/datadog_utils.rs‎
Lines changed: 12 additions & 3 deletions
diff --git a/‎crates/static-analysis-kernel/src/analysis/analyze.rs‎
Lines changed: 26 additions & 14 deletions b/‎crates/static-analysis-kernel/src/analysis/analyze.rs‎
Lines changed: 26 additions & 14 deletions
@@ -3,10 +3,12 @@ use cli::config_file::get_config;
 use cli::constants::{
     DEFAULT_MAX_CPUS, DEFAULT_MAX_FILE_SIZE_KB, EXIT_CODE_GITHOOK_FAILED,
     EXIT_CODE_INVALID_CONFIGURATION, EXIT_CODE_INVALID_DIRECTORY, EXIT_CODE_NO_DIRECTORY,
-    EXIT_CODE_NO_SECRET_OR_STATIC_ANALYSIS, EXIT_CODE_RULE_CHECKSUM_INVALID,
-    EXIT_CODE_SHA_OR_DEFAULT_BRANCH,
+    EXIT_CODE_NO_SECRET_OR_STATIC_ANALYSIS, EXIT_CODE_RULESET_NOT_FOUND,
+    EXIT_CODE_RULE_CHECKSUM_INVALID, EXIT_CODE_SHA_OR_DEFAULT_BRANCH,
+};
+use cli::datadog_utils::{
+    get_all_default_rulesets, get_rules_from_rulesets, get_secrets_rules, DatadogApiError,
 };
-use cli::datadog_utils::{get_all_default_rulesets, get_rules_from_rulesets, get_secrets_rules};
 use cli::file_utils::{filter_files_by_size, get_files, read_files_from_gitignore};
 use cli::git_utils::{
     get_changed_files_between_shas, get_changed_files_with_branch, get_default_branch,
@@ -24,7 +26,7 @@ use itertools::Itertools;
 use kernel::analysis::ddsa_lib::v8_platform::{initialize_v8, Initialized, V8Platform};
 use kernel::classifiers::ArtifactClassification;
 use kernel::config::common::{ConfigMethod, PathConfig};
-use kernel::config::file_v1;
+use kernel::config::file_v2;
 use kernel::constants::{CARGO_VERSION, VERSION};
 use kernel::model::common::OutputFormat::Json;
 use kernel::model::rule::{Rule, RuleResult};
@@ -255,7 +257,7 @@ fn main() -> Result<()> {
     let configuration_file_and_method = get_config(directory_to_analyze.as_str(), use_debug);
 
     let (configuration_file, configuration_method): (
-        Option<file_v1::ConfigFile>,
+        Option<file_v2::ConfigFile>,
         Option<ConfigMethod>,
     ) = match configuration_file_and_method {
         Ok(cfg) => match cfg {
@@ -276,29 +278,57 @@ fn main() -> Result<()> {
         .map(RuleConfigProvider::from_config)
         .unwrap_or_default();
 
+    // A list of rulesets that were fetched due to being specifically listed in a ConfigFile::use_rulesets list.
+    let mut fetched_rulesets = Vec::<&str>::new();
     // if there is a configuration file, we load the rules from it. But it means
     // we cannot have the rule parameter given.
-    if let Some(conf) = configuration_file {
-        ignore_gitignore = conf.ignore_gitignore.unwrap_or(false);
+    if let Some(conf) = &configuration_file {
+        ignore_gitignore = conf
+            .global_config
+            .as_ref()
+            .and_then(|g| g.use_gitignore.map(|b| !b))
+            .unwrap_or(false);
 
         if static_analysis_enabled {
-            let rulesets = conf.rulesets.keys().cloned().collect_vec();
-            let rules_from_api = get_rules_from_rulesets(&rulesets, use_staging, use_debug)
-                .context("error when reading rules from API")?;
-            rules.extend(rules_from_api);
+            if let Some(rulesets) = &conf.use_rulesets {
+                let rules_from_api = get_rules_from_rulesets(rulesets, use_staging, use_debug)
+                    .inspect_err(|e| {
+                        if let DatadogApiError::RulesetNotFound(rs) = e {
+                            eprintln!("Error: ruleset {rs} not found");
+                            exit(EXIT_CODE_RULESET_NOT_FOUND);
+                        }
+                    })
+                    .context("error when reading rules from API")?;
+                rules.extend(rules_from_api);
+                for r in rulesets {
+                    fetched_rulesets.push(r.as_str());
+                }
+            }
         }
 
         // copy the only and ignore paths from the configuration file
-        path_config.ignore.extend(conf.paths.ignore);
-        path_config.only = conf.paths.only;
+        if let Some(pc) = conf.global_config.as_ref().and_then(|g| g.paths.as_ref()) {
+            path_config.ignore.extend_from_slice(&pc.ignore);
+            path_config.only = pc.only.clone();
+        }
 
         // Get the max file size from the configuration or default to the default constant.
-        max_file_size_kb = conf.max_file_size_kb.unwrap_or(DEFAULT_MAX_FILE_SIZE_KB);
-        ignore_generated_files = conf.ignore_generated_files.unwrap_or(true);
-    } else {
+        max_file_size_kb = conf
+            .global_config
+            .as_ref()
+            .and_then(|g| g.max_file_size_kb)
+            .unwrap_or(DEFAULT_MAX_FILE_SIZE_KB);
+        ignore_generated_files = conf
+            .global_config
+            .as_ref()
+            .and_then(|g| g.ignore_generated_files)
+            .unwrap_or(true);
+    }
+
+    if static_analysis_enabled {
         // if there is no config file, we take the default rules from our APIs.
 
-        if use_debug {
+        if configuration_file.is_none() && use_debug {
             println!("WARNING: no configuration file detected, getting the default rules from the Datadog API");
             println!("Check the following resources to configure your rules:");
             println!(
@@ -307,10 +337,11 @@ fn main() -> Result<()> {
             println!(" - Static analyzer repository on GitHub: https://github.com/DataDog/datadog-static-analyzer");
         }
 
-        if static_analysis_enabled {
+        let should_fetch = !matches!(&configuration_file, Some(config) if config.use_default_rulesets == Some(false));
+        if should_fetch {
             let rulesets_from_api =
-                get_all_default_rulesets(use_staging, use_debug).expect("cannot get default rules");
-
+                get_all_default_rulesets(use_staging, use_debug, &fetched_rulesets)
+                    .context("cannot get default rules")?;
             rules.extend(rulesets_from_api.into_iter().flat_map(|rs| rs.into_rules()));
         }
     }
 
@@ -35,7 +35,7 @@ use kernel::analysis::ddsa_lib::v8_platform::{initialize_v8, Initialized, V8Plat
 use kernel::analysis::generated_content::DEFAULT_IGNORED_GLOBS;
 use kernel::classifiers::ArtifactClassification;
 use kernel::config::common::{ConfigMethod, PathConfig};
-use kernel::config::file_v1;
+use kernel::config::file_v2;
 use kernel::constants::{CARGO_VERSION, VERSION};
 use kernel::model::common::OutputFormat;
 use kernel::model::rule::{Rule, RuleSeverity};
@@ -264,7 +264,7 @@ fn main() -> Result<()> {
     let configuration_file_and_method = get_config(directory_to_analyze.as_str(), use_debug);
 
     let (configuration_file, configuration_method): (
-        Option<file_v1::ConfigFile>,
+        Option<file_v2::ConfigFile>,
         Option<ConfigMethod>,
     ) = match configuration_file_and_method {
         Ok(cfg) => match cfg {
@@ -290,47 +290,74 @@ fn main() -> Result<()> {
         .unwrap_or_default();
     let mut rules: Vec<Rule> = Vec::new();
 
+    // A list of rulesets that were fetched due to being specifically listed in a ConfigFile::use_rulesets list.
+    let mut fetched_rulesets = Vec::<&str>::new();
     // if there is a configuration file, we load the rules from it. But it means
     // we cannot have the rule parameter given.
-    if let Some(conf) = configuration_file {
-        ignore_gitignore = conf.ignore_gitignore.unwrap_or(false);
+    if let Some(conf) = &configuration_file {
+        ignore_gitignore = conf
+            .global_config
+            .as_ref()
+            .and_then(|g| g.use_gitignore.map(|b| !b))
+            .unwrap_or(false);
         if rules_file.is_some() {
             eprintln!("a rule file cannot be specified when a configuration file is present.");
             exit(EXIT_CODE_RULE_FILE_WITH_CONFIGURATION);
         }
 
         if static_analysis_enabled {
-            let rulesets = conf.rulesets.keys().cloned().collect_vec();
-            let rules_from_api = get_rules_from_rulesets(&rulesets, use_staging, use_debug)
-                .inspect_err(|e| {
-                    if let DatadogApiError::RulesetNotFound(rs) = e {
-                        eprintln!("Error: ruleset {rs} not found");
-                        exit(EXIT_CODE_RULESET_NOT_FOUND);
-                    }
-                })
-                .context("error when reading rules from API")?;
-            rules.extend(rules_from_api);
+            if let Some(rulesets) = &conf.use_rulesets {
+                let rules_from_api = get_rules_from_rulesets(rulesets, use_staging, use_debug)
+                    .inspect_err(|e| {
+                        if let DatadogApiError::RulesetNotFound(rs) = e {
+                            eprintln!("Error: ruleset {rs} not found");
+                            exit(EXIT_CODE_RULESET_NOT_FOUND);
+                        }
+                    })
+                    .context("error when reading rules from API")?;
+                rules.extend(rules_from_api);
+                for r in rulesets {
+                    fetched_rulesets.push(r.as_str());
+                }
+            }
         }
         // copy the only and ignore paths from the configuration file
-        path_config.ignore.extend(conf.paths.ignore);
-        path_config.only = conf.paths.only;
+        if let Some(pc) = conf.global_config.as_ref().and_then(|g| g.paths.as_ref()) {
+            path_config.ignore.extend_from_slice(&pc.ignore);
+            path_config.only = pc.only.clone();
+        }
 
         // Get the max file size from the configuration or default to the default constant.
-        max_file_size_kb = conf.max_file_size_kb.unwrap_or(DEFAULT_MAX_FILE_SIZE_KB);
-        ignore_generated_files = conf.ignore_generated_files.unwrap_or(true);
-    } else if static_analysis_enabled {
+        max_file_size_kb = conf
+            .global_config
+            .as_ref()
+            .and_then(|g| g.max_file_size_kb)
+            .unwrap_or(DEFAULT_MAX_FILE_SIZE_KB);
+        ignore_generated_files = conf
+            .global_config
+            .as_ref()
+            .and_then(|g| g.ignore_generated_files)
+            .unwrap_or(true);
+    }
+
+    if static_analysis_enabled {
         // if there is no config file, we take the default rules from our APIs.
         if rules_file.is_none() {
-            println!("WARNING: no configuration file detected, getting the default rules from the Datadog API");
-            println!("Check the following resources to configure your rules:");
-            println!(
-                " - Datadog documentation: https://docs.datadoghq.com/code_analysis/static_analysis"
-            );
-            println!(" - Static analyzer repository on GitHub: https://github.com/DataDog/datadog-static-analyzer");
-            let rulesets_from_api =
-                get_all_default_rulesets(use_staging, use_debug).expect("cannot get default rules");
-
-            rules.extend(rulesets_from_api.into_iter().flat_map(|rs| rs.into_rules()));
+            if configuration_file.is_none() {
+                println!("WARNING: no configuration file detected, getting the default rules from the Datadog API");
+                println!("Check the following resources to configure your rules:");
+                println!(
+                    " - Datadog documentation: https://docs.datadoghq.com/code_analysis/static_analysis"
+                );
+                println!(" - Static analyzer repository on GitHub: https://github.com/DataDog/datadog-static-analyzer");
+            }
+            let should_fetch = !matches!(&configuration_file, Some(config) if config.use_default_rulesets == Some(false));
+            if should_fetch {
+                let rulesets_from_api =
+                    get_all_default_rulesets(use_staging, use_debug, &fetched_rulesets)
+                        .context("cannot get default rules")?;
+                rules.extend(rulesets_from_api.into_iter().flat_map(|rs| rs.into_rules()));
+            }
         } else {
             let rulesets_from_file = get_rulesets_from_file(rules_file.clone().unwrap().as_str());
             rules.extend(
 
@@ -5,9 +5,8 @@ use crate::datadog_utils::{
 };
 use crate::git_utils::get_repository_url;
 use anyhow::{anyhow, Context};
-use kernel::config::common::ConfigMethod;
-use kernel::config::file_v1;
-use kernel::config::file_v1::parse_config_file;
+use kernel::config::common::{parse_any_schema_yaml, ConfigMethod, WithVersion};
+use kernel::config::file_v2;
 use kernel::utils::{decode_base64_string, encode_base64_string};
 use std::path::Path;
 
@@ -48,12 +47,16 @@ pub fn read_config_file(base_path: &str) -> anyhow::Result<Option<String>> {
 pub fn get_config(
     path: &str,
     debug: bool,
-) -> anyhow::Result<Option<(file_v1::ConfigFile, ConfigMethod)>> {
+) -> anyhow::Result<Option<(file_v2::ConfigFile, ConfigMethod)>> {
     let local_file_contents = read_config_file(path)?;
-    let local_config = local_file_contents
+    let local_yaml = local_file_contents
         .as_ref()
-        .map(|c| parse_config_file(c))
+        .map(|c| parse_any_schema_yaml(c))
         .transpose()?;
+    let local_config: Option<file_v2::ConfigFile> = local_yaml.map(|v| match v {
+        WithVersion::V1(v1) => file_v2::YamlConfigFile::from(v1).into(),
+        WithVersion::V2(v2) => v2.into(),
+    });
 
     if !should_use_datadog_backend() {
         if debug {
@@ -92,15 +95,19 @@ pub fn get_config(
     let text = decode_base64_string(remote_config_base64)
         .context("error when decoding base64 remote config")?;
 
-    let res = parse_config_file(&text).inspect_err(|err| {
+    let res = parse_any_schema_yaml(&text).inspect_err(|err| {
         if debug {
             eprintln!("Error when parsing remote config: {err:?}");
             eprintln!("Proceeding with local config");
         }
     });
-    let Ok(remote_config) = res else {
+    let Ok(remote_yaml) = res else {
         return Ok(local_config.map(|c| (c, ConfigMethod::File)));
     };
+    let remote_config: file_v2::ConfigFile = match remote_yaml {
+        WithVersion::V1(v1) => file_v2::YamlConfigFile::from(v1).into(),
+        WithVersion::V2(v2) => v2.into(),
+    };
 
     let config_method = if local_config.is_some() {
         ConfigMethod::RemoteConfigurationWithFile
 
@@ -281,15 +281,24 @@ pub fn get_default_rulesets_name_for_language(
 }
 
 /// Get all the default rulesets available at DataDog. Take all the language
-/// from `DEFAULT_RULESETS_LANGAGES` and get their rulesets
-pub fn get_all_default_rulesets(use_staging: bool, debug: bool) -> Result<Vec<RuleSet>> {
+/// from [`DEFAULT_RULESETS_LANGUAGES`] and get their rulesets
+///
+/// Any ruleset names present in `excluded` will not be fetched.
+pub fn get_all_default_rulesets(
+    use_staging: bool,
+    debug: bool,
+    excluded: &[&str],
+) -> Result<Vec<RuleSet>> {
     let mut result: Vec<RuleSet> = vec![];
 
     for language in DEFAULT_RULESETS_LANGUAGES {
         let ruleset_names =
             get_default_rulesets_name_for_language(language.to_string(), use_staging, debug)?;
 
-        for ruleset_name in ruleset_names {
+        for ruleset_name in ruleset_names
+            .into_iter()
+            .filter(|name| !excluded.contains(&name.as_str()))
+        {
             result.push(get_ruleset(ruleset_name.as_str(), use_staging, debug)?);
         }
     }
 
@@ -396,7 +396,8 @@ mod tests {
     use super::*;
     use crate::analysis::ddsa_lib::test_utils::cfg_test_v8;
     use crate::analysis::tree_sitter::get_query;
-    use crate::config::file_v1::parse_config_file;
+    use crate::config::common::{parse_any_schema_yaml, WithVersion};
+    use crate::config::file_v2;
     use crate::model::common::Language;
     use crate::model::rule::{RuleCategory, RuleSeverity};
     use crate::rule_config::RuleConfigProvider;
@@ -1169,10 +1170,9 @@ function visit(node, filename, code) {
             tree_sitter_query: get_query(QUERY_CODE, &Language::Python).unwrap(),
         };
 
-        let analysis_options = AnalysisOptions::default();
-        let rule_config_provider = RuleConfigProvider::from_config(
-            &parse_config_file(
-                r#"
+        let local_config: file_v2::ConfigFile = parse_any_schema_yaml(
+            // language=yaml
+            r#"
 rulesets:
   - rs:
     rules:
@@ -1181,9 +1181,15 @@ rulesets:
           my-argument: 101
           another-arg: 101
         "#,
-            )
-            .unwrap(),
-        );
+        )
+        .map(|v| match v {
+            WithVersion::V1(v1) => file_v2::YamlConfigFile::from(v1).into(),
+            WithVersion::V2(v2) => v2.into(),
+        })
+        .unwrap();
+
+        let analysis_options = AnalysisOptions::default();
+        let rule_config_provider = RuleConfigProvider::from_config(&local_config);
         let rule_config = rule_config_provider.config_for_file("myfile.py");
 
         let results = analyze(
@@ -1291,9 +1297,10 @@ function visit(node, filename, code) {
             ignore_generated_files: false,
             timeout: None,
         };
-        let rule_config_provider = RuleConfigProvider::from_config(
-            &parse_config_file(
-                r#"
+
+        let local_config: file_v2::ConfigFile = parse_any_schema_yaml(
+            // language=yaml
+            r#"
 rulesets:
   - rs:
     rules:
@@ -1305,9 +1312,14 @@ rulesets:
           uno: NOTICE
           dos/myfile.py: ERROR
         "#,
-            )
-            .unwrap(),
-        );
+        )
+        .map(|v| match v {
+            WithVersion::V1(v1) => file_v2::YamlConfigFile::from(v1).into(),
+            WithVersion::V2(v2) => v2.into(),
+        })
+        .unwrap();
+
+        let rule_config_provider = RuleConfigProvider::from_config(&local_config);
         let rules = vec![rule1, rule2];
 
         let results = analyze(