Add SDS rule should_save_match field (#2791)

Co-authored-by: ci.datadog-api-spec <[email protected]>

Author: api-clients-generation-pipeline[bot]

.generated-info

@@ -1,4 +1,4 @@
 {
-  "spec_repo_commit": "98e3371",
-  "generated": "2025-08-27 08:45:21.765"
+  "spec_repo_commit": "62a19e4",
+  "generated": "2025-08-27 15:01:27.781"
 }

.generator/schemas/v2/openapi.yaml

@@ -39445,6 +39445,12 @@ components:
         replacement_string:
           description: Required if type == 'replacement_string'.
           type: string
+        should_save_match:
+          description: "Only valid when type == `replacement_string`. When enabled,
+            matches can be unmasked in logs by users with \u2018Data Scanner Unmask\u2019
+            permission. As a security best practice, avoid masking for highly-sensitive,
+            long-lived data."
+          type: boolean
         type:
           $ref: '#/components/schemas/SensitiveDataScannerTextReplacementType'
       type: object

examples/v2/sensitive-data-scanner/CreateScanningRule_502667299.py

@@ -0,0 +1,59 @@
+"""
+Create Scanning Rule with should_save_match returns "OK" response
+"""
+
+from os import environ
+from datadog_api_client import ApiClient, Configuration
+from datadog_api_client.v2.api.sensitive_data_scanner_api import SensitiveDataScannerApi
+from datadog_api_client.v2.model.sensitive_data_scanner_group import SensitiveDataScannerGroup
+from datadog_api_client.v2.model.sensitive_data_scanner_group_data import SensitiveDataScannerGroupData
+from datadog_api_client.v2.model.sensitive_data_scanner_group_type import SensitiveDataScannerGroupType
+from datadog_api_client.v2.model.sensitive_data_scanner_meta_version_only import SensitiveDataScannerMetaVersionOnly
+from datadog_api_client.v2.model.sensitive_data_scanner_rule_attributes import SensitiveDataScannerRuleAttributes
+from datadog_api_client.v2.model.sensitive_data_scanner_rule_create import SensitiveDataScannerRuleCreate
+from datadog_api_client.v2.model.sensitive_data_scanner_rule_create_request import SensitiveDataScannerRuleCreateRequest
+from datadog_api_client.v2.model.sensitive_data_scanner_rule_relationships import SensitiveDataScannerRuleRelationships
+from datadog_api_client.v2.model.sensitive_data_scanner_rule_type import SensitiveDataScannerRuleType
+from datadog_api_client.v2.model.sensitive_data_scanner_text_replacement import SensitiveDataScannerTextReplacement
+from datadog_api_client.v2.model.sensitive_data_scanner_text_replacement_type import (
+    SensitiveDataScannerTextReplacementType,
+)
+
+# there is a valid "scanning_group" in the system
+GROUP_DATA_ID = environ["GROUP_DATA_ID"]
+
+body = SensitiveDataScannerRuleCreateRequest(
+    meta=SensitiveDataScannerMetaVersionOnly(),
+    data=SensitiveDataScannerRuleCreate(
+        type=SensitiveDataScannerRuleType.SENSITIVE_DATA_SCANNER_RULE,
+        attributes=SensitiveDataScannerRuleAttributes(
+            name="Example-Sensitive-Data-Scanner",
+            pattern="pattern",
+            text_replacement=SensitiveDataScannerTextReplacement(
+                type=SensitiveDataScannerTextReplacementType.REPLACEMENT_STRING,
+                replacement_string="REDACTED",
+                should_save_match=True,
+            ),
+            tags=[
+                "sensitive_data:true",
+            ],
+            is_enabled=True,
+            priority=1,
+        ),
+        relationships=SensitiveDataScannerRuleRelationships(
+            group=SensitiveDataScannerGroupData(
+                data=SensitiveDataScannerGroup(
+                    type=SensitiveDataScannerGroupType.SENSITIVE_DATA_SCANNER_GROUP,
+                    id=GROUP_DATA_ID,
+                ),
+            ),
+        ),
+    ),
+)
+
+configuration = Configuration()
+with ApiClient(configuration) as api_client:
+    api_instance = SensitiveDataScannerApi(api_client)
+    response = api_instance.create_scanning_rule(body=body)
+
+    print(response)

src/datadog_api_client/v2/model/sensitive_data_scanner_text_replacement.py

@@ -35,19 +35,22 @@ def openapi_types(_):
         return {
             "number_of_chars": (int,),
             "replacement_string": (str,),
+            "should_save_match": (bool,),
             "type": (SensitiveDataScannerTextReplacementType,),
         }
 
     attribute_map = {
         "number_of_chars": "number_of_chars",
         "replacement_string": "replacement_string",
+        "should_save_match": "should_save_match",
         "type": "type",
     }
 
     def __init__(
         self_,
         number_of_chars: Union[int, UnsetType] = unset,
         replacement_string: Union[str, UnsetType] = unset,
+        should_save_match: Union[bool, UnsetType] = unset,
         type: Union[SensitiveDataScannerTextReplacementType, UnsetType] = unset,
         **kwargs,
     ):
@@ -61,6 +64,9 @@ def __init__(
         :param replacement_string: Required if type == 'replacement_string'.
         :type replacement_string: str, optional
 
+        :param should_save_match: Only valid when type == ``replacement_string``. When enabled, matches can be unmasked in logs by users with ‘Data Scanner Unmask’ permission. As a security best practice, avoid masking for highly-sensitive, long-lived data.
+        :type should_save_match: bool, optional
+
         :param type: Type of the replacement text. None means no replacement.
             hash means the data will be stubbed. replacement_string means that
             one can chose a text to replace the data. partial_replacement_from_beginning
@@ -73,6 +79,8 @@ def __init__(
             kwargs["number_of_chars"] = number_of_chars
         if replacement_string is not unset:
             kwargs["replacement_string"] = replacement_string
+        if should_save_match is not unset:
+            kwargs["should_save_match"] = should_save_match
         if type is not unset:
             kwargs["type"] = type
         super().__init__(kwargs)

tests/v2/cassettes/test_scenarios/test_create_scanning_rule_with_should_save_match_returns_ok_response.frozen

@@ -0,0 +1 @@
+2025-08-26T20:31:44.042Z

tests/v2/cassettes/test_scenarios/test_create_scanning_rule_with_should_save_match_returns_ok_response.yaml

@@ -0,0 +1,100 @@
+interactions:
+- request:
+    body: null
+    headers:
+      accept:
+      - application/json
+    method: GET
+    uri: https://api.datadoghq.com/api/v2/sensitive-data-scanner/config
+  response:
+    body:
+      string: '{"data":{"id":"7957915c634d4dcb581fa154157f5ad9c2947f50be632fb5599862069f4d2d87","attributes":{},"type":"sensitive_data_scanner_configuration","relationships":{"groups":{"data":[]}}},"meta":{"version":275277,"count_limit":250,"group_count_limit":20,"is_pci_compliant":false,"has_highlight_enabled":true,"has_multi_pass_enabled":true,"has_cascading_enabled":false,"is_configuration_superseded":false,"is_float_sampling_rate_enabled":false,"min_sampling_rate":10.0}}
+
+        '
+    headers:
+      content-type:
+      - application/json
+    status:
+      code: 200
+      message: OK
+- request:
+    body: '{"data":{"attributes":{"filter":{"query":"*"},"is_enabled":false,"name":"my-test-group","product_list":["logs"],"samplings":[{"product":"logs","rate":100}]},"relationships":{"configuration":{"data":{"id":"7957915c634d4dcb581fa154157f5ad9c2947f50be632fb5599862069f4d2d87","type":"sensitive_data_scanner_configuration"}},"rules":{"data":[]}},"type":"sensitive_data_scanner_group"},"meta":{}}'
+    headers:
+      accept:
+      - application/json
+      content-type:
+      - application/json
+    method: POST
+    uri: https://api.datadoghq.com/api/v2/sensitive-data-scanner/config/groups
+  response:
+    body:
+      string: '{"data":{"id":"18cc2267-f3cc-4c15-917d-d3efb15deb03","attributes":{"name":"my-test-group","is_enabled":false,"filter":{"query":"*"},"product_list":["logs"],"samplings":[{"product":"logs","rate":100.0}]},"type":"sensitive_data_scanner_group","relationships":{"configuration":{"data":{"id":"7957915c634d4dcb581fa154157f5ad9c2947f50be632fb5599862069f4d2d87","type":"sensitive_data_scanner_configuration"}},"rules":{"data":[]}}},"meta":{"version":275278}}
+
+        '
+    headers:
+      content-type:
+      - application/json
+    status:
+      code: 200
+      message: OK
+- request:
+    body: '{"data":{"attributes":{"is_enabled":true,"name":"Test-Create_Scanning_Rule_with_should_save_match_returns_OK_response-1756240304","pattern":"pattern","priority":1,"tags":["sensitive_data:true"],"text_replacement":{"replacement_string":"REDACTED","should_save_match":true,"type":"replacement_string"}},"relationships":{"group":{"data":{"id":"18cc2267-f3cc-4c15-917d-d3efb15deb03","type":"sensitive_data_scanner_group"}}},"type":"sensitive_data_scanner_rule"},"meta":{}}'
+    headers:
+      accept:
+      - application/json
+      content-type:
+      - application/json
+    method: POST
+    uri: https://api.datadoghq.com/api/v2/sensitive-data-scanner/config/rules
+  response:
+    body:
+      string: '{"data":{"id":"0e517b8a-04c1-4ae0-b57b-22b8e081190c","attributes":{"name":"Test-Create_Scanning_Rule_with_should_save_match_returns_OK_response-1756240304","namespaces":[],"excluded_namespaces":[],"pattern":"pattern","text_replacement":{"replacement_string":"REDACTED","should_save_match":true,"type":"replacement_string"},"tags":["sensitive_data:true"],"labels":[],"is_enabled":true,"priority":1},"type":"sensitive_data_scanner_rule","relationships":{"group":{"data":{"id":"18cc2267-f3cc-4c15-917d-d3efb15deb03","type":"sensitive_data_scanner_group"}}}},"meta":{"version":275279}}
+
+        '
+    headers:
+      content-type:
+      - application/json
+    status:
+      code: 200
+      message: OK
+- request:
+    body: '{"meta":{}}'
+    headers:
+      accept:
+      - application/json
+      content-type:
+      - application/json
+    method: DELETE
+    uri: https://api.datadoghq.com/api/v2/sensitive-data-scanner/config/rules/0e517b8a-04c1-4ae0-b57b-22b8e081190c
+  response:
+    body:
+      string: '{"meta":{"version":275280}}
+
+        '
+    headers:
+      content-type:
+      - application/json
+    status:
+      code: 200
+      message: OK
+- request:
+    body: '{"meta":{}}'
+    headers:
+      accept:
+      - application/json
+      content-type:
+      - application/json
+    method: DELETE
+    uri: https://api.datadoghq.com/api/v2/sensitive-data-scanner/config/groups/18cc2267-f3cc-4c15-917d-d3efb15deb03
+  response:
+    body:
+      string: '{"meta":{"version":275281}}
+
+        '
+    headers:
+      content-type:
+      - application/json
+    status:
+      code: 200
+      message: OK
+version: 1

tests/v2/features/sensitive_data_scanner.feature

@@ -50,6 +50,17 @@ Feature: Sensitive Data Scanner
     And the response "data.attributes.included_keyword_configuration.character_count" is equal to 35
     And the response "data.attributes.included_keyword_configuration.keywords[0]" is equal to "credit card"
 
+  @team:DataDog/sensitive-data-scanner
+  Scenario: Create Scanning Rule with should_save_match returns "OK" response
+    Given a valid "configuration" in the system
+    And there is a valid "scanning_group" in the system
+    And new "CreateScanningRule" request
+    And body with value {"meta":{},"data":{"type":"sensitive_data_scanner_rule","attributes":{"name":"{{ unique }}","pattern":"pattern","text_replacement":{"type":"replacement_string","replacement_string":"REDACTED","should_save_match":true},"tags":["sensitive_data:true"],"is_enabled":true,"priority":1},"relationships":{"group":{"data":{"type":"{{ group.data.type }}","id":"{{ group.data.id }}"}}}}}
+    When the request is sent
+    Then the response status is 200 OK
+    And the response "data.type" is equal to "sensitive_data_scanner_rule"
+    And the response "data.attributes.name" is equal to "{{ unique }}"
+
   @generated @skip @team:DataDog/sensitive-data-scanner
   Scenario: Delete Scanning Group returns "Bad Request" response
     Given new "DeleteScanningGroup" request