Make SecretRuleMatchValidationHttpV2::provides an Option #855

Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 1 commit into main from fbryden/provides_optional
Mar 19, 2026

fbryden commented Mar 19, 2026

What problem are you trying to solve?

Scanning in service:code-workload-runner-secrets stopped on Tuesday due to a missing provides field.
This is the cause of #incident-51370

What is your solution?

Mark the field as optional, since it is already optional downstream, in the SDS engine.

Alternatives considered

What the reviewer should know

Tested on staging:

DD_API_KEY=******* DD_APP_KEY=******** DD_SITE=datad0g.com cargo run --bin datadog-static-analyzer -- --directory . --output result.json --format sarif --debug yes --enable-secrets true --enable-static-analysis false --staging

static-analysis-api returns a config that's missing the provides field:

"match_validation_v2": {
  "calls": [
    {
      "request": {
        "endpoint": "https://agent.buildkite.com/v3/heartbeat",
        "method": "POST",
        "headers": {
          "Authorization": "Token $MATCH",
          "User-Agent": "Datadog Match Validator"
        },
        "body": "{}",
        "timeout_seconds": 3
      },
      "response": {
        "conditions": [
          {
            "condition_type": "Valid",
            "status_code": {
              "single": 200
            },
            "body": {
              "received_at": {
                "present": true
              },
              "sent_at": {
                "present": true
              }
            }
          },
          {
            "condition_type": "Invalid",
            "status_code": {
              "single": 401
            },
            "body": {
              "message": {
                "exact_match": "Invalid access token"
              }
            }
          }
        ]
      }
    }
  ]
},

The analyzer runs fine:

Found 2 secret(s) (including 0 valid) in 1 file(s) using 1 rule(s) within 0 sec(s)

@fbryden fbryden requested a review from a team as a code owner March 19, 2026 14:54
Copilot AI review requested due to automatic review settings March 19, 2026 14:54

Copilot AI left a comment

Pull request overview

Updates the CustomHttpV2 secret-rule match validation model so the provides field can be omitted (i.e., represented as Option), aligning deserialization and downstream conversion with optional paired-validator configuration.

Changes:

  • Change SecretRuleMatchValidationHttpV2.provides from Vec<_> to Option<Vec<_>> and propagate that through the dd_sds conversion.
  • Update unit tests/fixtures to wrap provides in Some(...) where it’s expected to exist.
  • Update CLI-side tests to unwrap provides as an Option.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File | Description
crates/secrets/src/model/secret_rule.rs | Makes provides optional in the CustomHttpV2 model and updates conversion/tests accordingly.
crates/cli/src/model/datadog_api.rs | Adjusts test expectations to account for provides becoming optional.
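
An added example (not code from this PR or from the analyzer's code base) of the failure mode in the PR description and the `Vec<_>` to `Option<Vec<_>>` change in the review overview: a required field makes one upstream omission reject the whole rule set, while an optional field keeps the rules loadable. `RawCall`, `CallV2`, `decode`, `load`, the string element type of `provides`, the second endpoint and the all-or-nothing load are assumptions, and the decode step is hand-written with the standard library rather than the project's deserializer.

```rust
use std::collections::BTreeMap;

// Hypothetical stand-in for one decoded `calls[]` entry: field name -> values.
type RawCall = BTreeMap<&'static str, Vec<&'static str>>;

#[derive(Debug, PartialEq)]
struct CallV2 {
    endpoint: String,
    provides: Option<Vec<String>>, // None when the API omits the field
}

// Decode one call. With `require_provides` an absent field is an error (the old
// `Vec<_>` shape); without it the field decodes to None (`Option<Vec<_>>`).
fn decode(raw: &RawCall, require_provides: bool) -> Result<CallV2, String> {
    let endpoint = raw.get("endpoint").and_then(|v| v.first())
        .ok_or("missing field `endpoint`")?.to_string();
    let provides: Option<Vec<String>> = match raw.get("provides") {
        Some(v) => Some(v.iter().map(|s| s.to_string()).collect()),
        None if require_provides => return Err("missing field `provides`".into()),
        None => None,
    };
    Ok(CallV2 { endpoint, provides })
}

// Assumed all-or-nothing load: one undecodable call rejects the whole rule set,
// which is how a single omitted field can stop secret scanning entirely.
fn load(calls: &[RawCall], require_provides: bool) -> Result<Vec<CallV2>, String> {
    calls.iter().map(|c| decode(c, require_provides)).collect()
}

// Constructed sample: the first call mirrors the staging config (no `provides`);
// the second endpoint and its `provides` value are made up.
fn sample() -> Vec<RawCall> {
    vec![
        RawCall::from([("endpoint", vec!["https://agent.buildkite.com/v3/heartbeat"])]),
        RawCall::from([
            ("endpoint", vec!["https://validator.example.invalid/check"]),
            ("provides", vec!["paired_token"]),
        ]),
    ]
}

fn main() {
    println!("strict:  {:?}", load(&sample(), true));
    println!("lenient: {:?}", load(&sample(), false));
}
```

In the strict mode the second, well-formed call is lost along with the first, so the scanner has no rules to run; that detection gap is what the optional field removes.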

MikaYuoadas left a comment

LGTM 👍

fbryden commented Mar 19, 2026

/merge

gh-worker-devflow-routing-ef8351 Bot commented Mar 19, 2026

View all feedbacks in Devflow UI.

2026-03-19 16:54:40 UTC ℹ️ Start processing command /merge


2026-03-19 16:54:48 UTC ℹ️ MergeQueue: waiting for PR to be ready

This pull request is not mergeable according to GitHub. Common reasons include pending required checks, missing approvals, or merge conflicts — but it could also be blocked by other repository rules or settings.
It will be added to the queue as soon as checks pass and/or get approvals. View in MergeQueue UI.
Note: if you pushed new commits since the last approval, you may need additional approval.
You can remove it from the waiting list with /remove command.


2026-03-19 17:23:25 UTC ℹ️ MergeQueue: merge request added to the queue

The expected merge time in main is approximately 21m (p90).


2026-03-19 17:44:46 UTC MergeQueue: The checks failed on this merge request

Tests failed on this commit afce95a:

What to do next?

  • Investigate the failures and when ready, re-add your pull request to the queue!
  • If your PR checks are green, try to rebase/merge. It might be because the CI run is a bit old.
  • Any question, go check the FAQ.

fbryden commented Mar 19, 2026

/merge

gh-worker-devflow-routing-ef8351 Bot commented Mar 19, 2026

View all feedbacks in Devflow UI.

2026-03-19 18:33:37 UTC ℹ️ Start processing command /merge


2026-03-19 18:33:41 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in main is approximately 21m (p90).


2026-03-19 18:51:01 UTC ℹ️ MergeQueue: This merge request was merged
