[pull] master from DataDog:master

.github/CODEOWNERS

@@ -797,6 +797,11 @@ plaid/assets/logs/                                                  @DataDog/saa
 /ide-shepherd/manifest.json                                           @DataDog/agent-integrations @DataDog/documentation
 /ide-shepherd/assets/logs/                                            @DataDog/agent-integrations @DataDog/documentation @DataDog/logs-integrations-reviewers
 
+/bluecat_integrity/                                                  @DataDog/saas-integrations
+/bluecat_integrity/*.md                                              @DataDog/saas-integrations @DataDog/documentation
+/bluecat_integrity/manifest.json                                     @DataDog/saas-integrations @DataDog/documentation
+/bluecat_integrity/assets/logs/                                      @DataDog/saas-integrations @DataDog/documentation @DataDog/logs-integrations-reviewers
+
 # To keep Security up-to-date with changes to the signing tool.
 /datadog_checks_dev/datadog_checks/dev/tooling/signing.py             @DataDog/agent-integrations
 # As well as the secure downloader.

.github/workflows/build-ddev.yml

@@ -56,19 +56,27 @@ jobs:
     name: Build wheel and source distribution
     runs-on: ubuntu-latest
     needs: define-tags
-
+    permissions:
+      # needed for dd-sts
+      id-token: write
     steps:
     - name: Checkout code
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         fetch-depth: 0
 
+    - name: Get Datadog credentials
+      id: dd-sts
+      uses: DataDog/dd-sts-action@2e8187910199bd93129520183c093e19aa585c75 # v1.0.0
+      with:
+        policy: integrations-core-api-key
+
     - name: Tag Job
       uses: ./.github/actions/tag-job
       if: ${{ github.event.pull_request.head.repo.fork != true }}
       with:
         tags: '${{ needs.define-tags.outputs.base_tags }},step:build-artifacts'
-        dd_api_key: ${{ secrets.DD_API_KEY }}
+        dd_api_key: ${{ steps.dd-sts.outputs.api_key }}
 
     - name: Install build frontend
       run: python -m pip install --upgrade build
@@ -89,6 +97,9 @@ jobs:
     - define-tags
     - python-artifacts
     runs-on: ${{ matrix.job.os }}
+    permissions:
+      # needed for dd-sts
+      id-token: write
     strategy:
       fail-fast: false
       matrix:
@@ -133,12 +144,18 @@ jobs:
       with:
         fetch-depth: 0
 
+    - name: Get Datadog credentials
+      id: dd-sts
+      uses: DataDog/dd-sts-action@2e8187910199bd93129520183c093e19aa585c75 # v1.0.0
+      with:
+        policy: integrations-core-api-key
+
     - name: Tag Job
       uses: ./.github/actions/tag-job
       if: ${{ github.event.pull_request.head.repo.fork != true }}
       with:
         tags: '${{ needs.define-tags.outputs.base_tags }},step:build-binary,os:${{ matrix.job.os }},target:${{ matrix.job.target }}'
-        dd_api_key: ${{ secrets.DD_API_KEY }}
+        dd_api_key: ${{ steps.dd-sts.outputs.api_key }}
 
     - name: Fetch PyApp
       run: >-
@@ -303,20 +320,27 @@ jobs:
     - define-tags
     - binaries
     runs-on: windows-2022
-
+    permissions:
+      # needed for dd-sts
+      id-token: write
     env:
       VERSION: ${{ needs.binaries.outputs.version }}
 
     steps:
     - name: Checkout code
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - name: Get Datadog credentials
+      id: dd-sts
+      uses: DataDog/dd-sts-action@2e8187910199bd93129520183c093e19aa585c75 # v1.0.0
+      with:
+        policy: integrations-core-api-key 
 
     - name: Tag Job
       uses: ./.github/actions/tag-job
       if: ${{ github.event.pull_request.head.repo.fork != true }}
       with:
         tags: '${{ needs.define-tags.outputs.base_tags }},step:package-windows,os:windows'
-        dd_api_key: ${{ secrets.DD_API_KEY }}
+        dd_api_key: ${{ steps.dd-sts.outputs.api_key }}
 
     - name: Set up Python ${{ env.PYTHON_VERSION }}
       uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
@@ -418,20 +442,28 @@ jobs:
     - define-tags
     - binaries
     runs-on: macos-14-large
-
+    permissions:
+      # needed for dd-sts
+      id-token: write
     env:
       VERSION: ${{ needs.binaries.outputs.version }}
 
     steps:
     - name: Checkout code
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
+    - name: Get Datadog credentials
+      id: dd-sts
+      uses: DataDog/dd-sts-action@2e8187910199bd93129520183c093e19aa585c75 # v1.0.0
+      with:
+        policy: integrations-core-api-key
+
     - name: Tag Job
       uses: ./.github/actions/tag-job
       if: ${{ github.event.pull_request.head.repo.fork != true }}
       with:
         tags: '${{ needs.define-tags.outputs.base_tags }},step:package-macos,os:macos'
-        dd_api_key: ${{ secrets.DD_API_KEY }}
+        dd_api_key: ${{ steps.dd-sts.outputs.api_key }}
 
     - name: Set up Python ${{ env.PYTHON_VERSION }}
       uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
@@ -659,12 +691,18 @@ jobs:
     - name: Checkout code
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
+    - name: Get Datadog credentials
+      id: dd-sts
+      uses: DataDog/dd-sts-action@2e8187910199bd93129520183c093e19aa585c75 # v1.0.0
+      with:
+        policy: integrations-core-api-key
+
     - name: Tag Job
       uses: ./.github/actions/tag-job
       if: ${{ github.event.pull_request.head.repo.fork != true }}
       with:
         tags: '${{ needs.define-tags.outputs.base_tags }},step:publish'
-        dd_api_key: ${{ secrets.DD_API_KEY }}
+        dd_api_key: ${{ steps.dd-sts.outputs.api_key }}
 
     - name: Download Python artifacts
       uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0

.github/workflows/config/labeler.yml

@@ -206,6 +206,10 @@ integration/bluecat_edge:
 - changed-files:
   - any-glob-to-any-file:
     - bluecat_edge/**/*
+integration/bluecat_integrity:
+- changed-files:
+  - any-glob-to-any-file:
+    - bluecat_integrity/**/*
 integration/boundary:
 - changed-files:
   - any-glob-to-any-file:

.github/workflows/datadog-static-analysis.yml

@@ -4,20 +4,26 @@ name: Datadog Static Analysis
 
 jobs:
   static-analysis:
+    permissions:
+      # needed for dd-sts
+      id-token: write
     # Dependabot PRs don't have access to the required secrets
     if: github.actor != 'dependabot[bot]'
     runs-on: ubuntu-latest
     name: Datadog Static Analyzer
     steps:
     - name: Checkout
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - name: Get Datadog credentials
+      id: dd-sts
+      uses: DataDog/dd-sts-action@2e8187910199bd93129520183c093e19aa585c75 # v1.0.0
+      with:
+        policy: integrations-core
     - name: Check code meets quality and security standards
       id: datadog-static-analysis
       uses: DataDog/datadog-static-analyzer-github-action@c0e10d1c37e5b306b85e5bcf29b06bb233a71dc8 # v3.0.0
       with:
-        dd_api_key: ${{ secrets.DD_API_KEY }}
-        dd_app_key: ${{ secrets.DD_STATIC_ANALYSIS_APP_KEY }}
-        dd_service: integration-core
-        dd_env: ci
+        dd_api_key: ${{ steps.dd-sts.outputs.api_key }}
+        dd_app_key: ${{ steps.dd-sts.outputs.app_key }}
         dd_site: datadoghq.com
         cpu_count: 2

.github/workflows/measure-disk-usage.yml

@@ -16,6 +16,8 @@ jobs:
     permissions:
         contents: read
         actions: read
+        # needed for dd-sts
+        id-token: write
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
@@ -26,6 +28,12 @@ jobs:
       with:
         python-version: ${{ env.PYTHON_VERSION }}
 
+    - name: Get Datadog credentials
+      id: dd-sts
+      uses: DataDog/dd-sts-action@2e8187910199bd93129520183c093e19aa585c75 # v1.0.0
+      with:
+        policy: integrations-core-api-key
+
     - name: Install ddev
       run: |
         pip install -e ./datadog_checks_dev[cli]
@@ -45,7 +53,7 @@ jobs:
         cmd="ddev -v size status --commit \"$HEAD_SHA\" --format json"
 
         if [ "$EVENT_NAME" = "push" ] && [ "$HEAD_BRANCH" = "master" ]; then 
-          cmd="$cmd --to-dd-key ${{ secrets.DD_API_KEY }}"
+          cmd="$cmd --to-dd-key ${{ steps.dd-sts.outputs.api_key }}"
         fi
         echo "cmd=$cmd" >> $GITHUB_OUTPUT
 

.github/workflows/test-fips-e2e.yml

@@ -43,7 +43,7 @@ jobs:
       DD_TRACE_ANALYTICS_ENABLED: "true"
 
     permissions:
-       # needed for codecov in test-target.yml, allows the action to get a JWT signed by Github
+       # needed for dd-sts and codecov in test-target.yml, allows the action to get a JWT signed by Github
        id-token: write
        # needed for compute-matrix in test-target.yml
        contents: read
@@ -79,6 +79,11 @@ jobs:
           )}}
         restore-keys: |-
           v01-python-${{ env.pythonLocation }}
+    - name: Get Datadog credentials
+      id: dd-sts
+      uses: DataDog/dd-sts-action@2e8187910199bd93129520183c093e19aa585c75 # v1.0.0
+      with:
+        policy: integrations-core-api-key
 
     - name: Install ddev from local folder
       run: |-
@@ -105,14 +110,14 @@ jobs:
     - name: Run E2E tests with FIPS disabled
       env:
         DDEV_E2E_AGENT: "${{ inputs.agent-image || 'registry.datadoghq.com/agent-dev:master-py3' }}"
-        DD_API_KEY: "${{ secrets.DD_API_KEY }}"
+        DD_API_KEY: "${{ steps.dd-sts.outputs.api_key }}"
       run: |
         ddev env test --base --new-env --junit ${{ inputs.target || 'tls' }} -- all -m "fips_off"
 
     - name: Run E2E tests with FIPS enabled
       env:
         DDEV_E2E_AGENT: "${{ inputs.agent-image-fips || 'registry.datadoghq.com/agent-dev:master-fips' }}" 
-        DD_API_KEY: "${{ secrets.DD_API_KEY }}"
+        DD_API_KEY: "${{ steps.dd-sts.outputs.api_key }}"
       run: |
         ddev env test --base --new-env --junit ${{ inputs.target || 'tls' }} -- all -k "fips_on"
 

.gitlab/software_composition_analysis.yaml

@@ -4,17 +4,29 @@ datadog-sca-ci:
   tags: ["arch:amd64"]
   image: 486234852809.dkr.ecr.us-east-1.amazonaws.com/datadog-static-analyzer:2024031801
   when: always
-  # We don't want to disrupt the pipeline so let's fail silently.
+  # We don’t want to disrupt the pipeline so let’s fail silently.
   allow_failure: true
   # This specifies the job does not have any dependency, meaning it can start as soon as it can.
   needs: []
+  id_tokens:
+    DD_STS_OIDC_TOKEN:
+      aud: rapid-seceng-sit
   script:
-    # Disabling tracing to avoid leaking secrets.
-    # See https://www.gnu.org/software/bash/manual/bash.html#The-Set-Builtin:
-    # "Using ‘+’ rather than ‘-’ causes these options to be turned off"
-    - set +o xtrace
-    - export DD_API_KEY=$(aws ssm get-parameter --region us-east-1 --name "ci.integrations-core.datadog_api_key_org2" --with-decryption --query "Parameter.Value" --out text)
-    - export DD_APP_KEY=$(aws ssm get-parameter --region us-east-1 --name "ci.integrations-core.datadog_app_key_org2" --with-decryption --query "Parameter.Value" --out text)
-    - set -o xtrace
+    - |
+      set +o xtrace
+      DD_STS_RESPONSE=$(curl -sS -w "\n%{http_code}" \
+        -H "Authorization: Bearer ${DD_STS_OIDC_TOKEN}" \
+        "https://dd-sts.us1.ddbuild.io/sts/datadog/exchange?policy=integrations-core-gitlab")
+      HTTP_CODE=$(echo "$DD_STS_RESPONSE" | tail -n1)
+      RESPONSE_BODY=$(echo "$DD_STS_RESPONSE" | head -n -1)
+      if [ "$HTTP_CODE" -ge 200 ] && [ "$HTTP_CODE" -lt 300 ]; then
+        echo "STS token exchange successful"
+      else
+        echo "ERROR: STS token exchange failed (HTTP ${HTTP_CODE}): $RESPONSE_BODY"
+        exit 1
+      fi
+      export DD_API_KEY=$(echo "$RESPONSE_BODY" | jq -re ".api_key")
+      export DD_APP_KEY=$(echo "$RESPONSE_BODY" | jq -re ".application_key")
+      set -o xtrace
     - osv-scanner --skip-git --recursive --experimental-only-packages --format=cyclonedx-1-4 --output=/tmp/sbom.json .
     - datadog-ci sbom upload --service integrations-core --env ci /tmp/sbom.json

bluecat_integrity/CHANGELOG.md

@@ -0,0 +1,7 @@
+# CHANGELOG - BlueCat Integrity
+
+## 1.0.0 / 2026-02-18
+
+***Added***:
+
+* Initial Release

bluecat_integrity/README.md

@@ -0,0 +1,73 @@
+# BlueCat Integrity
+
+## Overview
+
+[BlueCat Integrity][1] is a centralized DDI platform that automates and secures enterprise network infrastructure management.
+
+Integrate BlueCat Integrity with Datadog's pre-built dashboard visualizations to gain insights into DNS and DHCP activity events. With Datadog's built-in log pipelines, you can parse and enrich these logs to facilitate easy search and detailed insights. Additionally, this integration includes ready-to-use Cloud SIEM detection rules for enhanced monitoring and security.
+
+## Setup
+
+### Configuration
+
+#### Webhook Configuration
+
+Configure the Datadog endpoint to forward BlueCat Integrity DHCP activity events as logs to Datadog.
+
+1. On the Datadog [BlueCat Integrity][2] tile, on the **Configuration** tab, copy the generated webhook URL.
+2. Sign in to the BlueCat Integrity Portal.
+3. Click the **Servers** tab in the sidebar, then choose **Servers**.
+4. From the list, click the name of the server to configure the log collection.
+5. Open the **Services** tab.
+6. Under **Monitoring and analytics**, locate the **DHCP activity service** panel and click **Edit service**.
+7. Under **General**, set the following parameters:
+   - **Enabled**: Select this check box to enable DHCP activity service.
+   - **DHCPv4 enabled**: Select this check box to collect DHCPv4 activity events.
+   - **DHCPv6 enabled**: Select this check box to collect DHCPv6 activity events.
+8. On the **Destination tab**, set the following parameters:
+   - **Sink type**: Select HTTP.
+   - After you select HTTP, the **Output URI** field appears. Enter the webhook URL you copied in step 1.
+9. On the **Certificate** tab, under **CA certificate**, export the public SSL certificate for *.datadoghq.com from your browser's certificate viewer (the certificate presented when accessing Datadog over HTTPS) and upload it here.
+10. Click **Save**.
+11. Perform steps 5-10 on every server you want to collect logs from.
+
+
+Configure the Datadog endpoint to forward BlueCat Integrity DNS activity events as logs to Datadog.
+
+1. On the Datadog [BlueCat Integrity][2] tile, on the **Configuration** tab, copy the generated webhook URL.
+2. Sign in to the BlueCat Integrity Portal.
+3. Click the **Servers** tab in the sidebar, then choose **Servers**.
+4. From the list, click the name of the server to configure the log collection.
+5. Open the **Services** tab.
+6. Under **Monitoring and analytics**, locate the **DNS activity service** panel and click **Edit service**.
+7. Under **General**, set the following parameters:
+   - **Enabled**: Select this check box to enable the service.
+8. On the **Destination tab**, set the following parameters:
+   - **Sink type**: Select HTTP.
+   - After you select HTTP, the **Output URI** field appears. Enter the webhook URL you copied in step 1.
+9. On the **Certificate** tab, under **CA certificate**, export the public SSL certificate for *.datadoghq.com from your browser's certificate viewer (the certificate presented when accessing Datadog over HTTPS) and upload it here.
+10. Click **Save**.
+11. Perform steps 5-10 on every server you want to collect logs from.
+
+
+## Data Collected
+
+### Logs
+
+The BlueCat Integrity integration collects DHCP and DNS activity events.
+
+### Metrics
+
+The BlueCat Integrity integration does not include any metrics.
+
+### Events
+
+The BlueCat Integrity integration does not include any events.
+
+## Support
+
+For further assistance, contact [Datadog support][3].
+
+[1]: https://bluecatnetworks.com/products/integrity/
+[2]: /integrations/bluecat-integrity
+[3]: https://docs.datadoghq.com/help/