Add SDS rule should_save_match field (#2623)

api-clients-generation-pipeline[bot] · ci.datadog-api-spec · web-flow · commit cd10176e6a72 · 2025-08-27T15:50:08.000Z
Co-authored-by: ci.datadog-api-spec &lt;packages@datadoghq.com&gt;
diff --git a/.generated-info b/.generated-info
@@ -1,4 +1,4 @@
 {
-  "spec_repo_commit": "98e3371",
-  "generated": "2025-08-27 08:45:02.412"
+  "spec_repo_commit": "62a19e4",
+  "generated": "2025-08-27 15:01:20.504"
 }
diff --git a/.generator/schemas/v2/openapi.yaml b/.generator/schemas/v2/openapi.yaml
@@ -39445,6 +39445,12 @@ components:
         replacement_string:
           description: Required if type == 'replacement_string'.
           type: string
+        should_save_match:
+          description: "Only valid when type == `replacement_string`. When enabled,
+            matches can be unmasked in logs by users with \u2018Data Scanner Unmask\u2019
+            permission. As a security best practice, avoid masking for highly-sensitive,
+            long-lived data."
+          type: boolean
         type:
           $ref: '#/components/schemas/SensitiveDataScannerTextReplacementType'
       type: object
diff --git a/cassettes/features/v2/sensitive_data_scanner/Create-Scanning-Rule-with-should-save-match-returns-OK-response.frozen b/cassettes/features/v2/sensitive_data_scanner/Create-Scanning-Rule-with-should-save-match-returns-OK-response.frozen
@@ -0,0 +1 @@
+2025-08-26T20:31:44.042Z
diff --git a/cassettes/features/v2/sensitive_data_scanner/Create-Scanning-Rule-with-should-save-match-returns-OK-response.yml b/cassettes/features/v2/sensitive_data_scanner/Create-Scanning-Rule-with-should-save-match-returns-OK-response.yml
diff --git a/examples/v2/sensitive-data-scanner/CreateScanningRule_502667299.rb b/examples/v2/sensitive-data-scanner/CreateScanningRule_502667299.rb
@@ -0,0 +1,37 @@
+# Create Scanning Rule with should_save_match returns "OK" response
+
+require "datadog_api_client"
+api_instance = DatadogAPIClient::V2::SensitiveDataScannerAPI.new
+
+# there is a valid "scanning_group" in the system
+GROUP_DATA_ID = ENV["GROUP_DATA_ID"]
+
+body = DatadogAPIClient::V2::SensitiveDataScannerRuleCreateRequest.new({
+  meta: DatadogAPIClient::V2::SensitiveDataScannerMetaVersionOnly.new({}),
+  data: DatadogAPIClient::V2::SensitiveDataScannerRuleCreate.new({
+    type: DatadogAPIClient::V2::SensitiveDataScannerRuleType::SENSITIVE_DATA_SCANNER_RULE,
+    attributes: DatadogAPIClient::V2::SensitiveDataScannerRuleAttributes.new({
+      name: "Example-Sensitive-Data-Scanner",
+      pattern: "pattern",
+      text_replacement: DatadogAPIClient::V2::SensitiveDataScannerTextReplacement.new({
+        type: DatadogAPIClient::V2::SensitiveDataScannerTextReplacementType::REPLACEMENT_STRING,
+        replacement_string: "REDACTED",
+        should_save_match: true,
+      }),
+      tags: [
+        "sensitive_data:true",
+      ],
+      is_enabled: true,
+      priority: 1,
+    }),
+    relationships: DatadogAPIClient::V2::SensitiveDataScannerRuleRelationships.new({
+      group: DatadogAPIClient::V2::SensitiveDataScannerGroupData.new({
+        data: DatadogAPIClient::V2::SensitiveDataScannerGroup.new({
+          type: DatadogAPIClient::V2::SensitiveDataScannerGroupType::SENSITIVE_DATA_SCANNER_GROUP,
+          id: GROUP_DATA_ID,
+        }),
+      }),
+    }),
+  }),
+})
+p api_instance.create_scanning_rule(body)
diff --git a/features/v2/sensitive_data_scanner.feature b/features/v2/sensitive_data_scanner.feature
@@ -50,6 +50,17 @@ Feature: Sensitive Data Scanner
     And the response "data.attributes.included_keyword_configuration.character_count" is equal to 35
     And the response "data.attributes.included_keyword_configuration.keywords[0]" is equal to "credit card"
 
+  @team:DataDog/sensitive-data-scanner
+  Scenario: Create Scanning Rule with should_save_match returns "OK" response
+    Given a valid "configuration" in the system
+    And there is a valid "scanning_group" in the system
+    And new "CreateScanningRule" request
+    And body with value {"meta":{},"data":{"type":"sensitive_data_scanner_rule","attributes":{"name":"{{ unique }}","pattern":"pattern","text_replacement":{"type":"replacement_string","replacement_string":"REDACTED","should_save_match":true},"tags":["sensitive_data:true"],"is_enabled":true,"priority":1},"relationships":{"group":{"data":{"type":"{{ group.data.type }}","id":"{{ group.data.id }}"}}}}}
+    When the request is sent
+    Then the response status is 200 OK
+    And the response "data.type" is equal to "sensitive_data_scanner_rule"
+    And the response "data.attributes.name" is equal to "{{ unique }}"
+
   @generated @skip @team:DataDog/sensitive-data-scanner
   Scenario: Delete Scanning Group returns "Bad Request" response
     Given new "DeleteScanningGroup" request
diff --git a/lib/datadog_api_client/v2/models/sensitive_data_scanner_text_replacement.rb b/lib/datadog_api_client/v2/models/sensitive_data_scanner_text_replacement.rb
@@ -28,6 +28,9 @@ class SensitiveDataScannerTextReplacement
     # Required if type == 'replacement_string'.
     attr_accessor :replacement_string
 
+    # Only valid when type == `replacement_string`. When enabled, matches can be unmasked in logs by users with ‘Data Scanner Unmask’ permission. As a security best practice, avoid masking for highly-sensitive, long-lived data.
+    attr_accessor :should_save_match
+
     # Type of the replacement text. None means no replacement.
     # hash means the data will be stubbed. replacement_string means that
     # one can chose a text to replace the data. partial_replacement_from_beginning
@@ -44,6 +47,7 @@ def self.attribute_map
       {
         :'number_of_chars' => :'number_of_chars',
         :'replacement_string' => :'replacement_string',
+        :'should_save_match' => :'should_save_match',
         :'type' => :'type'
       }
     end
@@ -54,6 +58,7 @@ def self.openapi_types
       {
         :'number_of_chars' => :'Integer',
         :'replacement_string' => :'String',
+        :'should_save_match' => :'Boolean',
         :'type' => :'SensitiveDataScannerTextReplacementType'
       }
     end
@@ -84,6 +89,10 @@ def initialize(attributes = {})
         self.replacement_string = attributes[:'replacement_string']
       end
 
+      if attributes.key?(:'should_save_match')
+        self.should_save_match = attributes[:'should_save_match']
+      end
+
       if attributes.key?(:'type')
         self.type = attributes[:'type']
       end
@@ -135,6 +144,7 @@ def ==(o)
       self.class == o.class &&
           number_of_chars == o.number_of_chars &&
           replacement_string == o.replacement_string &&
+          should_save_match == o.should_save_match &&
           type == o.type &&
           additional_properties == o.additional_properties
     end
@@ -143,7 +153,7 @@ def ==(o)
     # @return [Integer] Hash code
     # @!visibility private
     def hash
-      [number_of_chars, replacement_string, type, additional_properties].hash
+      [number_of_chars, replacement_string, should_save_match, type, additional_properties].hash
     end
   end
 end

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`	`1`	`{`
`2`		`- "spec_repo_commit": "98e3371",`
`3`		`- "generated": "2025-08-27 08:45:02.412"`
	`2`	`+ "spec_repo_commit": "62a19e4",`
	`3`	`+ "generated": "2025-08-27 15:01:20.504"`
`4`	`4`	`}`