Security notifications - Add SAST and secret rule types (#3953)

api-clients-generation-pipeline[bot] · ci.datadog-api-spec · web-flow · commit 63b8bee511b5 · 2026-04-16T19:09:56.000Z
Co-authored-by: ci.datadog-api-spec &lt;packages@datadoghq.com&gt;
diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml
@@ -57796,7 +57796,8 @@ components:
         Signal-based notification rules can filter signals based on rule types application_security, log_detection,
         workload_security, signal_correlation, cloud_configuration and infrastructure_configuration.
         Vulnerability-based notification rules can filter vulnerabilities based on rule types application_code_vulnerability,
-        application_library_vulnerability, attack_path, container_image_vulnerability, identity_risk, misconfiguration, api_security, host_vulnerability and iac_misconfiguration.
+        application_library_vulnerability, attack_path, container_image_vulnerability, identity_risk, misconfiguration,
+        api_security, host_vulnerability, iac_misconfiguration, sast_vulnerability and secret_vulnerability.
       enum:
         - application_security
         - log_detection
@@ -57813,6 +57814,8 @@ components:
         - api_security
         - host_vulnerability
         - iac_misconfiguration
+        - sast_vulnerability
+        - secret_vulnerability
       type: string
       x-enum-varnames:
         - APPLICATION_SECURITY
@@ -57830,6 +57833,8 @@ components:
         - API_SECURITY
         - HOST_VULNERABILITY
         - IAC_MISCONFIGURATION
+        - SAST_VULNERABILITY
+        - SECRET_VULNERABILITY
     RuleUser:
       description: User creating or modifying a rule.
       properties:
diff --git a/cassettes/v2/Security-Monitoring_1187227211/Create-a-new-vulnerability-based-notification-rule-with-sast-and-secret-rule-types-return_1041700713/frozen.json b/cassettes/v2/Security-Monitoring_1187227211/Create-a-new-vulnerability-based-notification-rule-with-sast-and-secret-rule-types-return_1041700713/frozen.json
@@ -0,0 +1 @@
+"2026-04-16T13:47:18.057Z"
diff --git a/cassettes/v2/Security-Monitoring_1187227211/Create-a-new-vulnerability-based-notification-rule-with-sast-and-secret-rule-types-return_1041700713/recording.har b/cassettes/v2/Security-Monitoring_1187227211/Create-a-new-vulnerability-based-notification-rule-with-sast-and-secret-rule-types-return_1041700713/recording.har
@@ -0,0 +1,104 @@
+{
+  "log": {
+    "_recordingName": "Security Monitoring/Create a new vulnerability-based notification rule with sast and secret rule types returns \"Successfully created the notification rule.\" response",
+    "creator": {
+      "comment": "persister:fs",
+      "name": "Polly.JS",
+      "version": "6.0.5"
+    },
+    "entries": [
+      {
+        "_id": "c063ba4707a314ad0932fc744f457fd5",
+        "_order": 0,
+        "cache": {},
+        "request": {
+          "bodySize": 439,
+          "cookies": [],
+          "headers": [
+            {
+              "_fromType": "array",
+              "name": "accept",
+              "value": "application/json"
+            },
+            {
+              "_fromType": "array",
+              "name": "content-type",
+              "value": "application/json"
+            }
+          ],
+          "headersSize": 613,
+          "httpVersion": "HTTP/1.1",
+          "method": "POST",
+          "postData": {
+            "mimeType": "application/json",
+            "params": [],
+            "text": "{\"data\":{\"attributes\":{\"enabled\":true,\"name\":\"Test-Create_a_new_vulnerability_based_notification_rule_with_sast_and_secret_rule_types_returns_Successfu-1776347238\",\"selectors\":{\"query\":\"(source:production_service OR env:prod)\",\"rule_types\":[\"sast_vulnerability\",\"secret_vulnerability\"],\"severities\":[\"critical\"],\"trigger_source\":\"security_findings\"},\"targets\":[\"@john.doe@email.com\"],\"time_aggregation\":86400},\"type\":\"notification_rules\"}}"
+          },
+          "queryString": [],
+          "url": "https://api.datadoghq.com/api/v2/security/vulnerabilities/notification_rules"
+        },
+        "response": {
+          "bodySize": 692,
+          "content": {
+            "mimeType": "application/vnd.api+json",
+            "size": 692,
+            "text": "{\"data\":{\"id\":\"exz-ipg-n1m\",\"type\":\"notification_rules\",\"attributes\":{\"created_at\":1776347239287,\"created_by\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"enabled\":true,\"modified_at\":1776347239287,\"modified_by\":{\"name\":\"CI Account\",\"handle\":\"9919ec9b-ebc7-49ee-8dc8-03626e717cca\"},\"name\":\"Test-Create_a_new_vulnerability_based_notification_rule_with_sast_and_secret_rule_types_returns_Successfu-1776347238\",\"selectors\":{\"severities\":[\"critical\"],\"rule_types\":[\"sast_vulnerability\",\"secret_vulnerability\"],\"query\":\"(source:production_service OR env:prod)\",\"trigger_source\":\"security_findings\"},\"targets\":[\"@john.doe@email.com\"],\"time_aggregation\":86400,\"version\":1}}}"
+          },
+          "cookies": [],
+          "headers": [
+            {
+              "name": "content-type",
+              "value": "application/vnd.api+json"
+            }
+          ],
+          "headersSize": 662,
+          "httpVersion": "HTTP/1.1",
+          "redirectURL": "",
+          "status": 201,
+          "statusText": "Created"
+        },
+        "startedDateTime": "2026-04-16T13:47:19.126Z",
+        "time": 203
+      },
+      {
+        "_id": "9dbd8db3f734efcbf0da5e234a383dd7",
+        "_order": 0,
+        "cache": {},
+        "request": {
+          "bodySize": 0,
+          "cookies": [],
+          "headers": [
+            {
+              "_fromType": "array",
+              "name": "accept",
+              "value": "*/*"
+            }
+          ],
+          "headersSize": 561,
+          "httpVersion": "HTTP/1.1",
+          "method": "DELETE",
+          "queryString": [],
+          "url": "https://api.datadoghq.com/api/v2/security/vulnerabilities/notification_rules/exz-ipg-n1m"
+        },
+        "response": {
+          "bodySize": 0,
+          "content": {
+            "mimeType": "text/plain",
+            "size": 0
+          },
+          "cookies": [],
+          "headers": [],
+          "headersSize": 601,
+          "httpVersion": "HTTP/1.1",
+          "redirectURL": "",
+          "status": 204,
+          "statusText": "No Content"
+        },
+        "startedDateTime": "2026-04-16T13:47:19.349Z",
+        "time": 93
+      }
+    ],
+    "pages": [],
+    "version": "1.2"
+  }
+}
diff --git a/features/v2/security_monitoring.feature b/features/v2/security_monitoring.feature
@@ -591,6 +591,13 @@ Feature: Security Monitoring
     When the request is sent
     Then the response status is 201 Successfully created the notification rule.
 
+  @team:DataDog/cloud-security-posture-management
+  Scenario: Create a new vulnerability-based notification rule with sast and secret rule types returns "Successfully created the notification rule." response
+    Given new "CreateVulnerabilityNotificationRule" request
+    And body with value {"data": {"attributes": {"enabled": true, "name": "{{ unique }}", "selectors": {"query": "(source:production_service OR env:prod)", "rule_types": ["sast_vulnerability", "secret_vulnerability"], "severities": ["critical"], "trigger_source": "security_findings"}, "targets": ["@john.doe@email.com"], "time_aggregation": 86400}, "type": "notification_rules"}}
+    When the request is sent
+    Then the response status is 201 Successfully created the notification rule.
+
   @team:DataDog/k9-cloud-siem
   Scenario: Create a scheduled detection rule returns "OK" response
     Given new "CreateSecurityMonitoringRule" request
diff --git a/services/security_monitoring/src/v2/models/RuleTypesItems.ts b/services/security_monitoring/src/v2/models/RuleTypesItems.ts
@@ -5,7 +5,8 @@ import { UnparsedObject } from "@datadog/datadog-api-client";
  * Signal-based notification rules can filter signals based on rule types application_security, log_detection,
  * workload_security, signal_correlation, cloud_configuration and infrastructure_configuration.
  * Vulnerability-based notification rules can filter vulnerabilities based on rule types application_code_vulnerability,
- * application_library_vulnerability, attack_path, container_image_vulnerability, identity_risk, misconfiguration, api_security, host_vulnerability and iac_misconfiguration.
+ * application_library_vulnerability, attack_path, container_image_vulnerability, identity_risk, misconfiguration,
+ * api_security, host_vulnerability, iac_misconfiguration, sast_vulnerability and secret_vulnerability.
  */
 export type RuleTypesItems =
   | typeof APPLICATION_SECURITY
@@ -23,6 +24,8 @@ export type RuleTypesItems =
   | typeof API_SECURITY
   | typeof HOST_VULNERABILITY
   | typeof IAC_MISCONFIGURATION
+  | typeof SAST_VULNERABILITY
+  | typeof SECRET_VULNERABILITY
   | UnparsedObject;
 export const APPLICATION_SECURITY = "application_security";
 export const LOG_DETECTION = "log_detection";
@@ -40,3 +43,5 @@ export const MISCONFIGURATION = "misconfiguration";
 export const API_SECURITY = "api_security";
 export const HOST_VULNERABILITY = "host_vulnerability";
 export const IAC_MISCONFIGURATION = "iac_misconfiguration";
+export const SAST_VULNERABILITY = "sast_vulnerability";
+export const SECRET_VULNERABILITY = "secret_vulnerability";
diff --git a/services/security_monitoring/src/v2/models/TypingInfo.ts b/services/security_monitoring/src/v2/models/TypingInfo.ts
@@ -388,6 +388,8 @@ export const TypingInfo: ModelTypingInfo = {
       "api_security",
       "host_vulnerability",
       "iac_misconfiguration",
+      "sast_vulnerability",
+      "secret_vulnerability",
     ],
     RunThreatHuntingJobRequestDataType: ["historicalDetectionsJobCreate"],
     SBOMComponentLicenseType: [
