Add SDS rule should_save_match field (#2704)

api-clients-generation-pipeline[bot] · ci.datadog-api-spec · web-flow · commit ad49abcbb5ae · 2025-08-27T15:49:59.000Z
Co-authored-by: ci.datadog-api-spec &lt;packages@datadoghq.com&gt;
diff --git a/.generated-info b/.generated-info
@@ -1,4 +1,4 @@
 {
-  "spec_repo_commit": "98e3371",
-  "generated": "2025-08-27 08:47:10.789"
+  "spec_repo_commit": "62a19e4",
+  "generated": "2025-08-27 15:03:12.722"
 }
diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml
@@ -39445,6 +39445,12 @@ components:
         replacement_string:
           description: Required if type == 'replacement_string'.
           type: string
+        should_save_match:
+          description: "Only valid when type == `replacement_string`. When enabled,
+            matches can be unmasked in logs by users with \u2018Data Scanner Unmask\u2019
+            permission. As a security best practice, avoid masking for highly-sensitive,
+            long-lived data."
+          type: boolean
         type:
           $ref: '#/components/schemas/SensitiveDataScannerTextReplacementType'
       type: object
diff --git a/cassettes/v2/Sensitive-Data-Scanner_3248008071/Create-Scanning-Rule-with-should_save_match-returns-OK-response_3931772115/frozen.json b/cassettes/v2/Sensitive-Data-Scanner_3248008071/Create-Scanning-Rule-with-should_save_match-returns-OK-response_3931772115/frozen.json
@@ -0,0 +1 @@
+"2025-08-26T20:31:44.042Z"
diff --git a/cassettes/v2/Sensitive-Data-Scanner_3248008071/Create-Scanning-Rule-with-should_save_match-returns-OK-response_3931772115/recording.har b/cassettes/v2/Sensitive-Data-Scanner_3248008071/Create-Scanning-Rule-with-should_save_match-returns-OK-response_3931772115/recording.har
@@ -0,0 +1,269 @@
+{
+  "log": {
+    "_recordingName": "Sensitive Data Scanner/Create Scanning Rule with should_save_match returns \"OK\" response",
+    "creator": {
+      "comment": "persister:fs",
+      "name": "Polly.JS",
+      "version": "6.0.5"
+    },
+    "entries": [
+      {
+        "_id": "01611a935e7406303c51f707c3b51e78",
+        "_order": 0,
+        "cache": {},
+        "request": {
+          "bodySize": 0,
+          "cookies": [],
+          "headers": [
+            {
+              "_fromType": "array",
+              "name": "accept",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 528,
+          "httpVersion": "HTTP/1.1",
+          "method": "GET",
+          "queryString": [],
+          "url": "https://api.datadoghq.com/api/v2/sensitive-data-scanner/config"
+        },
+        "response": {
+          "bodySize": 465,
+          "content": {
+            "mimeType": "application/json",
+            "size": 465,
+            "text": "{\"data\":{\"id\":\"7957915c634d4dcb581fa154157f5ad9c2947f50be632fb5599862069f4d2d87\",\"attributes\":{},\"type\":\"sensitive_data_scanner_configuration\",\"relationships\":{\"groups\":{\"data\":[]}}},\"meta\":{\"version\":275277,\"count_limit\":250,\"group_count_limit\":20,\"is_pci_compliant\":false,\"has_highlight_enabled\":true,\"has_multi_pass_enabled\":true,\"has_cascading_enabled\":false,\"is_configuration_superseded\":false,\"is_float_sampling_rate_enabled\":false,\"min_sampling_rate\":10.0}}\n"
+          },
+          "cookies": [],
+          "headers": [
+            {
+              "name": "content-type",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 548,
+          "httpVersion": "HTTP/1.1",
+          "redirectURL": "",
+          "status": 200,
+          "statusText": "OK"
+        },
+        "startedDateTime": "2025-08-26T20:31:44.671Z",
+        "time": 389
+      },
+      {
+        "_id": "e6af4a2fdfda8f066f3af5528b238a9d",
+        "_order": 0,
+        "cache": {},
+        "request": {
+          "bodySize": 389,
+          "cookies": [],
+          "headers": [
+            {
+              "_fromType": "array",
+              "name": "accept",
+              "value": "application/json"
+            },
+            {
+              "_fromType": "array",
+              "name": "content-type",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 590,
+          "httpVersion": "HTTP/1.1",
+          "method": "POST",
+          "postData": {
+            "mimeType": "application/json",
+            "params": [],
+            "text": "{\"data\":{\"attributes\":{\"filter\":{\"query\":\"*\"},\"is_enabled\":false,\"name\":\"my-test-group\",\"product_list\":[\"logs\"],\"samplings\":[{\"product\":\"logs\",\"rate\":100}]},\"relationships\":{\"configuration\":{\"data\":{\"id\":\"7957915c634d4dcb581fa154157f5ad9c2947f50be632fb5599862069f4d2d87\",\"type\":\"sensitive_data_scanner_configuration\"}},\"rules\":{\"data\":[]}},\"type\":\"sensitive_data_scanner_group\"},\"meta\":{}}"
+          },
+          "queryString": [],
+          "url": "https://api.datadoghq.com/api/v2/sensitive-data-scanner/config/groups"
+        },
+        "response": {
+          "bodySize": 452,
+          "content": {
+            "mimeType": "application/json",
+            "size": 452,
+            "text": "{\"data\":{\"id\":\"18cc2267-f3cc-4c15-917d-d3efb15deb03\",\"attributes\":{\"name\":\"my-test-group\",\"is_enabled\":false,\"filter\":{\"query\":\"*\"},\"product_list\":[\"logs\"],\"samplings\":[{\"product\":\"logs\",\"rate\":100.0}]},\"type\":\"sensitive_data_scanner_group\",\"relationships\":{\"configuration\":{\"data\":{\"id\":\"7957915c634d4dcb581fa154157f5ad9c2947f50be632fb5599862069f4d2d87\",\"type\":\"sensitive_data_scanner_configuration\"}},\"rules\":{\"data\":[]}}},\"meta\":{\"version\":275278}}\n"
+          },
+          "cookies": [],
+          "headers": [
+            {
+              "name": "content-type",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 724,
+          "httpVersion": "HTTP/1.1",
+          "redirectURL": "",
+          "status": 200,
+          "statusText": "OK"
+        },
+        "startedDateTime": "2025-08-26T20:31:45.076Z",
+        "time": 459
+      },
+      {
+        "_id": "d5695745b55eb2d21a8bce6beb63aa60",
+        "_order": 0,
+        "cache": {},
+        "request": {
+          "bodySize": 468,
+          "cookies": [],
+          "headers": [
+            {
+              "_fromType": "array",
+              "name": "accept",
+              "value": "application/json"
+            },
+            {
+              "_fromType": "array",
+              "name": "content-type",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 588,
+          "httpVersion": "HTTP/1.1",
+          "method": "POST",
+          "postData": {
+            "mimeType": "application/json",
+            "params": [],
+            "text": "{\"data\":{\"attributes\":{\"is_enabled\":true,\"name\":\"Test-Create_Scanning_Rule_with_should_save_match_returns_OK_response-1756240304\",\"pattern\":\"pattern\",\"priority\":1,\"tags\":[\"sensitive_data:true\"],\"text_replacement\":{\"replacement_string\":\"REDACTED\",\"should_save_match\":true,\"type\":\"replacement_string\"}},\"relationships\":{\"group\":{\"data\":{\"id\":\"18cc2267-f3cc-4c15-917d-d3efb15deb03\",\"type\":\"sensitive_data_scanner_group\"}}},\"type\":\"sensitive_data_scanner_rule\"},\"meta\":{}}"
+          },
+          "queryString": [],
+          "url": "https://api.datadoghq.com/api/v2/sensitive-data-scanner/config/rules"
+        },
+        "response": {
+          "bodySize": 582,
+          "content": {
+            "mimeType": "application/json",
+            "size": 582,
+            "text": "{\"data\":{\"id\":\"0e517b8a-04c1-4ae0-b57b-22b8e081190c\",\"attributes\":{\"name\":\"Test-Create_Scanning_Rule_with_should_save_match_returns_OK_response-1756240304\",\"namespaces\":[],\"excluded_namespaces\":[],\"pattern\":\"pattern\",\"text_replacement\":{\"replacement_string\":\"REDACTED\",\"should_save_match\":true,\"type\":\"replacement_string\"},\"tags\":[\"sensitive_data:true\"],\"labels\":[],\"is_enabled\":true,\"priority\":1},\"type\":\"sensitive_data_scanner_rule\",\"relationships\":{\"group\":{\"data\":{\"id\":\"18cc2267-f3cc-4c15-917d-d3efb15deb03\",\"type\":\"sensitive_data_scanner_group\"}}}},\"meta\":{\"version\":275279}}\n"
+          },
+          "cookies": [],
+          "headers": [
+            {
+              "name": "content-type",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 730,
+          "httpVersion": "HTTP/1.1",
+          "redirectURL": "",
+          "status": 200,
+          "statusText": "OK"
+        },
+        "startedDateTime": "2025-08-26T20:31:45.541Z",
+        "time": 384
+      },
+      {
+        "_id": "9cb4750bc912e7e7baa631b157a5f623",
+        "_order": 0,
+        "cache": {},
+        "request": {
+          "bodySize": 11,
+          "cookies": [],
+          "headers": [
+            {
+              "_fromType": "array",
+              "name": "accept",
+              "value": "application/json"
+            },
+            {
+              "_fromType": "array",
+              "name": "content-type",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 624,
+          "httpVersion": "HTTP/1.1",
+          "method": "DELETE",
+          "postData": {
+            "mimeType": "application/json",
+            "params": [],
+            "text": "{\"meta\":{}}"
+          },
+          "queryString": [],
+          "url": "https://api.datadoghq.com/api/v2/sensitive-data-scanner/config/rules/0e517b8a-04c1-4ae0-b57b-22b8e081190c"
+        },
+        "response": {
+          "bodySize": 28,
+          "content": {
+            "mimeType": "application/json",
+            "size": 28,
+            "text": "{\"meta\":{\"version\":275280}}\n"
+          },
+          "cookies": [],
+          "headers": [
+            {
+              "name": "content-type",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 706,
+          "httpVersion": "HTTP/1.1",
+          "redirectURL": "",
+          "status": 200,
+          "statusText": "OK"
+        },
+        "startedDateTime": "2025-08-26T20:31:45.931Z",
+        "time": 384
+      },
+      {
+        "_id": "e79ae3f126edbe8515ec0a35094e9e3f",
+        "_order": 0,
+        "cache": {},
+        "request": {
+          "bodySize": 11,
+          "cookies": [],
+          "headers": [
+            {
+              "_fromType": "array",
+              "name": "accept",
+              "value": "application/json"
+            },
+            {
+              "_fromType": "array",
+              "name": "content-type",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 628,
+          "httpVersion": "HTTP/1.1",
+          "method": "DELETE",
+          "postData": {
+            "mimeType": "application/json",
+            "params": [],
+            "text": "{\"meta\":{}}"
+          },
+          "queryString": [],
+          "url": "https://api.datadoghq.com/api/v2/sensitive-data-scanner/config/groups/18cc2267-f3cc-4c15-917d-d3efb15deb03"
+        },
+        "response": {
+          "bodySize": 28,
+          "content": {
+            "mimeType": "application/json",
+            "size": 28,
+            "text": "{\"meta\":{\"version\":275281}}\n"
+          },
+          "cookies": [],
+          "headers": [
+            {
+              "name": "content-type",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 707,
+          "httpVersion": "HTTP/1.1",
+          "redirectURL": "",
+          "status": 200,
+          "statusText": "OK"
+        },
+        "startedDateTime": "2025-08-26T20:31:46.319Z",
+        "time": 445
+      }
+    ],
+    "pages": [],
+    "version": "1.2"
+  }
+}
diff --git a/examples/v2/sensitive-data-scanner/CreateScanningRule_502667299.ts b/examples/v2/sensitive-data-scanner/CreateScanningRule_502667299.ts
@@ -0,0 +1,49 @@
+/**
+ * Create Scanning Rule with should_save_match returns "OK" response
+ */
+
+import { client, v2 } from "@datadog/datadog-api-client";
+
+const configuration = client.createConfiguration();
+const apiInstance = new v2.SensitiveDataScannerApi(configuration);
+
+// there is a valid "scanning_group" in the system
+const GROUP_DATA_ID = process.env.GROUP_DATA_ID as string;
+
+const params: v2.SensitiveDataScannerApiCreateScanningRuleRequest = {
+  body: {
+    meta: {},
+    data: {
+      type: "sensitive_data_scanner_rule",
+      attributes: {
+        name: "Example-Sensitive-Data-Scanner",
+        pattern: "pattern",
+        textReplacement: {
+          type: "replacement_string",
+          replacementString: "REDACTED",
+          shouldSaveMatch: true,
+        },
+        tags: ["sensitive_data:true"],
+        isEnabled: true,
+        priority: 1,
+      },
+      relationships: {
+        group: {
+          data: {
+            type: "sensitive_data_scanner_group",
+            id: GROUP_DATA_ID,
+          },
+        },
+      },
+    },
+  },
+};
+
+apiInstance
+  .createScanningRule(params)
+  .then((data: v2.SensitiveDataScannerCreateRuleResponse) => {
+    console.log(
+      "API called successfully. Returned data: " + JSON.stringify(data)
+    );
+  })
+  .catch((error: any) => console.error(error));
diff --git a/features/v2/sensitive_data_scanner.feature b/features/v2/sensitive_data_scanner.feature
@@ -50,6 +50,17 @@ Feature: Sensitive Data Scanner
     And the response "data.attributes.included_keyword_configuration.character_count" is equal to 35
     And the response "data.attributes.included_keyword_configuration.keywords[0]" is equal to "credit card"
 
+  @team:DataDog/sensitive-data-scanner
+  Scenario: Create Scanning Rule with should_save_match returns "OK" response
+    Given a valid "configuration" in the system
+    And there is a valid "scanning_group" in the system
+    And new "CreateScanningRule" request
+    And body with value {"meta":{},"data":{"type":"sensitive_data_scanner_rule","attributes":{"name":"{{ unique }}","pattern":"pattern","text_replacement":{"type":"replacement_string","replacement_string":"REDACTED","should_save_match":true},"tags":["sensitive_data:true"],"is_enabled":true,"priority":1},"relationships":{"group":{"data":{"type":"{{ group.data.type }}","id":"{{ group.data.id }}"}}}}}
+    When the request is sent
+    Then the response status is 200 OK
+    And the response "data.type" is equal to "sensitive_data_scanner_rule"
+    And the response "data.attributes.name" is equal to "{{ unique }}"
+
   @generated @skip @team:DataDog/sensitive-data-scanner
   Scenario: Delete Scanning Group returns "Bad Request" response
     Given new "DeleteScanningGroup" request
diff --git a/packages/datadog-api-client-v2/models/SensitiveDataScannerTextReplacement.ts b/packages/datadog-api-client-v2/models/SensitiveDataScannerTextReplacement.ts
@@ -20,6 +20,10 @@ export class SensitiveDataScannerTextReplacement {
    * Required if type == 'replacement_string'.
    */
   "replacementString"?: string;
+  /**
+   * Only valid when type == `replacement_string`. When enabled, matches can be unmasked in logs by users with ‘Data Scanner Unmask’ permission. As a security best practice, avoid masking for highly-sensitive, long-lived data.
+   */
+  "shouldSaveMatch"?: boolean;
   /**
    * Type of the replacement text. None means no replacement.
    * hash means the data will be stubbed. replacement_string means that
@@ -55,6 +59,10 @@ export class SensitiveDataScannerTextReplacement {
       baseName: "replacement_string",
       type: "string",
     },
+    shouldSaveMatch: {
+      baseName: "should_save_match",
+      type: "boolean",
+    },
     type: {
       baseName: "type",
       type: "SensitiveDataScannerTextReplacementType",

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`	`1`	`{`
`2`		`- "spec_repo_commit": "98e3371",`
`3`		`- "generated": "2025-08-27 08:47:10.789"`
	`2`	`+ "spec_repo_commit": "62a19e4",`
	`3`	`+ "generated": "2025-08-27 15:03:12.722"`
`4`	`4`	`}`