Add SDS rule should_save_match field (#3305)

api-clients-generation-pipeline[bot] · ci.datadog-api-spec · web-flow · commit b6d300247f03 · 2025-08-27T15:50:03.000Z
Co-authored-by: ci.datadog-api-spec &lt;packages@datadoghq.com&gt;
diff --git a/.generated-info b/.generated-info
@@ -1,4 +1,4 @@
 {
-  "spec_repo_commit": "98e3371",
-  "generated": "2025-08-27 08:46:47.876"
+  "spec_repo_commit": "62a19e4",
+  "generated": "2025-08-27 15:03:04.000"
 }
diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml
@@ -39445,6 +39445,12 @@ components:
         replacement_string:
           description: Required if type == 'replacement_string'.
           type: string
+        should_save_match:
+          description: "Only valid when type == `replacement_string`. When enabled,
+            matches can be unmasked in logs by users with \u2018Data Scanner Unmask\u2019
+            permission. As a security best practice, avoid masking for highly-sensitive,
+            long-lived data."
+          type: boolean
         type:
           $ref: '#/components/schemas/SensitiveDataScannerTextReplacementType'
       type: object
diff --git a/api/datadogV2/model_sensitive_data_scanner_text_replacement.go b/api/datadogV2/model_sensitive_data_scanner_text_replacement.go
@@ -15,6 +15,8 @@ type SensitiveDataScannerTextReplacement struct {
 	NumberOfChars *int64 `json:"number_of_chars,omitempty"`
 	// Required if type == 'replacement_string'.
 	ReplacementString *string `json:"replacement_string,omitempty"`
+	// Only valid when type == `replacement_string`. When enabled, matches can be unmasked in logs by users with ‘Data Scanner Unmask’ permission. As a security best practice, avoid masking for highly-sensitive, long-lived data.
+	ShouldSaveMatch *bool `json:"should_save_match,omitempty"`
 	// Type of the replacement text. None means no replacement.
 	// hash means the data will be stubbed. replacement_string means that
 	// one can chose a text to replace the data. partial_replacement_from_beginning
@@ -104,6 +106,34 @@ func (o *SensitiveDataScannerTextReplacement) SetReplacementString(v string) {
 	o.ReplacementString = &v
 }
 
+// GetShouldSaveMatch returns the ShouldSaveMatch field value if set, zero value otherwise.
+func (o *SensitiveDataScannerTextReplacement) GetShouldSaveMatch() bool {
+	if o == nil || o.ShouldSaveMatch == nil {
+		var ret bool
+		return ret
+	}
+	return *o.ShouldSaveMatch
+}
+
+// GetShouldSaveMatchOk returns a tuple with the ShouldSaveMatch field value if set, nil otherwise
+// and a boolean to check if the value has been set.
+func (o *SensitiveDataScannerTextReplacement) GetShouldSaveMatchOk() (*bool, bool) {
+	if o == nil || o.ShouldSaveMatch == nil {
+		return nil, false
+	}
+	return o.ShouldSaveMatch, true
+}
+
+// HasShouldSaveMatch returns a boolean if a field has been set.
+func (o *SensitiveDataScannerTextReplacement) HasShouldSaveMatch() bool {
+	return o != nil && o.ShouldSaveMatch != nil
+}
+
+// SetShouldSaveMatch gets a reference to the given bool and assigns it to the ShouldSaveMatch field.
+func (o *SensitiveDataScannerTextReplacement) SetShouldSaveMatch(v bool) {
+	o.ShouldSaveMatch = &v
+}
+
 // GetType returns the Type field value if set, zero value otherwise.
 func (o *SensitiveDataScannerTextReplacement) GetType() SensitiveDataScannerTextReplacementType {
 	if o == nil || o.Type == nil {
@@ -144,6 +174,9 @@ func (o SensitiveDataScannerTextReplacement) MarshalJSON() ([]byte, error) {
 	if o.ReplacementString != nil {
 		toSerialize["replacement_string"] = o.ReplacementString
 	}
+	if o.ShouldSaveMatch != nil {
+		toSerialize["should_save_match"] = o.ShouldSaveMatch
+	}
 	if o.Type != nil {
 		toSerialize["type"] = o.Type
 	}
@@ -159,21 +192,23 @@ func (o *SensitiveDataScannerTextReplacement) UnmarshalJSON(bytes []byte) (err e
 	all := struct {
 		NumberOfChars     *int64                                   `json:"number_of_chars,omitempty"`
 		ReplacementString *string                                  `json:"replacement_string,omitempty"`
+		ShouldSaveMatch   *bool                                    `json:"should_save_match,omitempty"`
 		Type              *SensitiveDataScannerTextReplacementType `json:"type,omitempty"`
 	}{}
 	if err = datadog.Unmarshal(bytes, &all); err != nil {
 		return datadog.Unmarshal(bytes, &o.UnparsedObject)
 	}
 	additionalProperties := make(map[string]interface{})
 	if err = datadog.Unmarshal(bytes, &additionalProperties); err == nil {
-		datadog.DeleteKeys(additionalProperties, &[]string{"number_of_chars", "replacement_string", "type"})
+		datadog.DeleteKeys(additionalProperties, &[]string{"number_of_chars", "replacement_string", "should_save_match", "type"})
 	} else {
 		return err
 	}
 
 	hasInvalidField := false
 	o.NumberOfChars = all.NumberOfChars
 	o.ReplacementString = all.ReplacementString
+	o.ShouldSaveMatch = all.ShouldSaveMatch
 	if all.Type != nil && !all.Type.IsValid() {
 		hasInvalidField = true
 	} else {
diff --git a/examples/v2/sensitive-data-scanner/CreateScanningRule_502667299.go b/examples/v2/sensitive-data-scanner/CreateScanningRule_502667299.go
@@ -0,0 +1,60 @@
+// Create Scanning Rule with should_save_match returns "OK" response
+
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+
+	"github.com/DataDog/datadog-api-client-go/v2/api/datadog"
+	"github.com/DataDog/datadog-api-client-go/v2/api/datadogV2"
+)
+
+func main() {
+	// there is a valid "scanning_group" in the system
+	GroupDataID := os.Getenv("GROUP_DATA_ID")
+
+	body := datadogV2.SensitiveDataScannerRuleCreateRequest{
+		Meta: datadogV2.SensitiveDataScannerMetaVersionOnly{},
+		Data: datadogV2.SensitiveDataScannerRuleCreate{
+			Type: datadogV2.SENSITIVEDATASCANNERRULETYPE_SENSITIVE_DATA_SCANNER_RULE,
+			Attributes: datadogV2.SensitiveDataScannerRuleAttributes{
+				Name:    datadog.PtrString("Example-Sensitive-Data-Scanner"),
+				Pattern: datadog.PtrString("pattern"),
+				TextReplacement: &datadogV2.SensitiveDataScannerTextReplacement{
+					Type:              datadogV2.SENSITIVEDATASCANNERTEXTREPLACEMENTTYPE_REPLACEMENT_STRING.Ptr(),
+					ReplacementString: datadog.PtrString("REDACTED"),
+					ShouldSaveMatch:   datadog.PtrBool(true),
+				},
+				Tags: []string{
+					"sensitive_data:true",
+				},
+				IsEnabled: datadog.PtrBool(true),
+				Priority:  datadog.PtrInt64(1),
+			},
+			Relationships: datadogV2.SensitiveDataScannerRuleRelationships{
+				Group: &datadogV2.SensitiveDataScannerGroupData{
+					Data: &datadogV2.SensitiveDataScannerGroup{
+						Type: datadogV2.SENSITIVEDATASCANNERGROUPTYPE_SENSITIVE_DATA_SCANNER_GROUP.Ptr(),
+						Id:   datadog.PtrString(GroupDataID),
+					},
+				},
+			},
+		},
+	}
+	ctx := datadog.NewDefaultContext(context.Background())
+	configuration := datadog.NewConfiguration()
+	apiClient := datadog.NewAPIClient(configuration)
+	api := datadogV2.NewSensitiveDataScannerApi(apiClient)
+	resp, r, err := api.CreateScanningRule(ctx, body)
+
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Error when calling `SensitiveDataScannerApi.CreateScanningRule`: %v\n", err)
+		fmt.Fprintf(os.Stderr, "Full HTTP response: %v\n", r)
+	}
+
+	responseContent, _ := json.MarshalIndent(resp, "", "  ")
+	fmt.Fprintf(os.Stdout, "Response from `SensitiveDataScannerApi.CreateScanningRule`:\n%s\n", responseContent)
+}
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Sensitive_Data_Scanner/Scenario_Create_Scanning_Rule_with_should_save_match_returns_OK_response.freeze b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Sensitive_Data_Scanner/Scenario_Create_Scanning_Rule_with_should_save_match_returns_OK_response.freeze
@@ -0,0 +1 @@
+2025-08-26T20:31:44.042Z
diff --git a/tests/scenarios/cassettes/TestScenarios/v2/Feature_Sensitive_Data_Scanner/Scenario_Create_Scanning_Rule_with_should_save_match_returns_OK_response.yaml b/tests/scenarios/cassettes/TestScenarios/v2/Feature_Sensitive_Data_Scanner/Scenario_Create_Scanning_Rule_with_should_save_match_returns_OK_response.yaml
@@ -0,0 +1,109 @@
+interactions:
+- request:
+    body: ''
+    form: {}
+    headers:
+      Accept:
+      - application/json
+    id: 0
+    method: GET
+    url: https://api.datadoghq.com/api/v2/sensitive-data-scanner/config
+  response:
+    body: '{"data":{"id":"7957915c634d4dcb581fa154157f5ad9c2947f50be632fb5599862069f4d2d87","attributes":{},"type":"sensitive_data_scanner_configuration","relationships":{"groups":{"data":[]}}},"meta":{"version":275277,"count_limit":250,"group_count_limit":20,"is_pci_compliant":false,"has_highlight_enabled":true,"has_multi_pass_enabled":true,"has_cascading_enabled":false,"is_configuration_superseded":false,"is_float_sampling_rate_enabled":false,"min_sampling_rate":10.0}}
+
+      '
+    code: 200
+    duration: 0ms
+    headers:
+      Content-Type:
+      - application/json
+    status: 200 OK
+- request:
+    body: |
+      {"data":{"attributes":{"filter":{"query":"*"},"is_enabled":false,"name":"my-test-group","product_list":["logs"],"samplings":[{"product":"logs","rate":100}]},"relationships":{"configuration":{"data":{"id":"7957915c634d4dcb581fa154157f5ad9c2947f50be632fb5599862069f4d2d87","type":"sensitive_data_scanner_configuration"}},"rules":{"data":[]}},"type":"sensitive_data_scanner_group"},"meta":{}}
+    form: {}
+    headers:
+      Accept:
+      - application/json
+      Content-Type:
+      - application/json
+    id: 1
+    method: POST
+    url: https://api.datadoghq.com/api/v2/sensitive-data-scanner/config/groups
+  response:
+    body: '{"data":{"id":"18cc2267-f3cc-4c15-917d-d3efb15deb03","attributes":{"name":"my-test-group","is_enabled":false,"filter":{"query":"*"},"product_list":["logs"],"samplings":[{"product":"logs","rate":100.0}]},"type":"sensitive_data_scanner_group","relationships":{"configuration":{"data":{"id":"7957915c634d4dcb581fa154157f5ad9c2947f50be632fb5599862069f4d2d87","type":"sensitive_data_scanner_configuration"}},"rules":{"data":[]}}},"meta":{"version":275278}}
+
+      '
+    code: 200
+    duration: 0ms
+    headers:
+      Content-Type:
+      - application/json
+    status: 200 OK
+- request:
+    body: |
+      {"data":{"attributes":{"is_enabled":true,"name":"Test-Create_Scanning_Rule_with_should_save_match_returns_OK_response-1756240304","pattern":"pattern","priority":1,"tags":["sensitive_data:true"],"text_replacement":{"replacement_string":"REDACTED","should_save_match":true,"type":"replacement_string"}},"relationships":{"group":{"data":{"id":"18cc2267-f3cc-4c15-917d-d3efb15deb03","type":"sensitive_data_scanner_group"}}},"type":"sensitive_data_scanner_rule"},"meta":{}}
+    form: {}
+    headers:
+      Accept:
+      - application/json
+      Content-Type:
+      - application/json
+    id: 2
+    method: POST
+    url: https://api.datadoghq.com/api/v2/sensitive-data-scanner/config/rules
+  response:
+    body: '{"data":{"id":"0e517b8a-04c1-4ae0-b57b-22b8e081190c","attributes":{"name":"Test-Create_Scanning_Rule_with_should_save_match_returns_OK_response-1756240304","namespaces":[],"excluded_namespaces":[],"pattern":"pattern","text_replacement":{"replacement_string":"REDACTED","should_save_match":true,"type":"replacement_string"},"tags":["sensitive_data:true"],"labels":[],"is_enabled":true,"priority":1},"type":"sensitive_data_scanner_rule","relationships":{"group":{"data":{"id":"18cc2267-f3cc-4c15-917d-d3efb15deb03","type":"sensitive_data_scanner_group"}}}},"meta":{"version":275279}}
+
+      '
+    code: 200
+    duration: 0ms
+    headers:
+      Content-Type:
+      - application/json
+    status: 200 OK
+- request:
+    body: |
+      {"meta":{}}
+    form: {}
+    headers:
+      Accept:
+      - application/json
+      Content-Type:
+      - application/json
+    id: 3
+    method: DELETE
+    url: https://api.datadoghq.com/api/v2/sensitive-data-scanner/config/rules/0e517b8a-04c1-4ae0-b57b-22b8e081190c
+  response:
+    body: '{"meta":{"version":275280}}
+
+      '
+    code: 200
+    duration: 0ms
+    headers:
+      Content-Type:
+      - application/json
+    status: 200 OK
+- request:
+    body: |
+      {"meta":{}}
+    form: {}
+    headers:
+      Accept:
+      - application/json
+      Content-Type:
+      - application/json
+    id: 4
+    method: DELETE
+    url: https://api.datadoghq.com/api/v2/sensitive-data-scanner/config/groups/18cc2267-f3cc-4c15-917d-d3efb15deb03
+  response:
+    body: '{"meta":{"version":275281}}
+
+      '
+    code: 200
+    duration: 0ms
+    headers:
+      Content-Type:
+      - application/json
+    status: 200 OK
+version: 2
diff --git a/tests/scenarios/features/v2/sensitive_data_scanner.feature b/tests/scenarios/features/v2/sensitive_data_scanner.feature
@@ -50,6 +50,17 @@ Feature: Sensitive Data Scanner
     And the response "data.attributes.included_keyword_configuration.character_count" is equal to 35
     And the response "data.attributes.included_keyword_configuration.keywords[0]" is equal to "credit card"
 
+  @team:DataDog/sensitive-data-scanner
+  Scenario: Create Scanning Rule with should_save_match returns "OK" response
+    Given a valid "configuration" in the system
+    And there is a valid "scanning_group" in the system
+    And new "CreateScanningRule" request
+    And body with value {"meta":{},"data":{"type":"sensitive_data_scanner_rule","attributes":{"name":"{{ unique }}","pattern":"pattern","text_replacement":{"type":"replacement_string","replacement_string":"REDACTED","should_save_match":true},"tags":["sensitive_data:true"],"is_enabled":true,"priority":1},"relationships":{"group":{"data":{"type":"{{ group.data.type }}","id":"{{ group.data.id }}"}}}}}
+    When the request is sent
+    Then the response status is 200 OK
+    And the response "data.type" is equal to "sensitive_data_scanner_rule"
+    And the response "data.attributes.name" is equal to "{{ unique }}"
+
   @generated @skip @team:DataDog/sensitive-data-scanner
   Scenario: Delete Scanning Group returns "Bad Request" response
     Given new "DeleteScanningGroup" request

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`	`1`	`{`
`2`		`- "spec_repo_commit": "98e3371",`
`3`		`- "generated": "2025-08-27 08:46:47.876"`
	`2`	`+ "spec_repo_commit": "62a19e4",`
	`3`	`+ "generated": "2025-08-27 15:03:04.000"`
`4`	`4`	`}`