Add SDS rule should_save_match field (#872)

Co-authored-by: ci.datadog-api-spec <[email protected]>

Author: api-clients-generation-pipeline[bot]

.generated-info

@@ -1,4 +1,4 @@
 {
-  "spec_repo_commit": "98e3371",
-  "generated": "2025-08-27 08:50:12.332"
+  "spec_repo_commit": "62a19e4",
+  "generated": "2025-08-27 15:06:21.847"
 }

.generator/schemas/v2/openapi.yaml

@@ -39445,6 +39445,12 @@ components:
         replacement_string:
           description: Required if type == 'replacement_string'.
           type: string
+        should_save_match:
+          description: "Only valid when type == `replacement_string`. When enabled,
+            matches can be unmasked in logs by users with \u2018Data Scanner Unmask\u2019
+            permission. As a security best practice, avoid masking for highly-sensitive,
+            long-lived data."
+          type: boolean
         type:
           $ref: '#/components/schemas/SensitiveDataScannerTextReplacementType'
       type: object

examples/v2_sensitive-data-scanner_CreateScanningRule_502667299.rs

@@ -0,0 +1,53 @@
+// Create Scanning Rule with should_save_match returns "OK" response
+use datadog_api_client::datadog;
+use datadog_api_client::datadogV2::api_sensitive_data_scanner::SensitiveDataScannerAPI;
+use datadog_api_client::datadogV2::model::SensitiveDataScannerGroup;
+use datadog_api_client::datadogV2::model::SensitiveDataScannerGroupData;
+use datadog_api_client::datadogV2::model::SensitiveDataScannerGroupType;
+use datadog_api_client::datadogV2::model::SensitiveDataScannerMetaVersionOnly;
+use datadog_api_client::datadogV2::model::SensitiveDataScannerRuleAttributes;
+use datadog_api_client::datadogV2::model::SensitiveDataScannerRuleCreate;
+use datadog_api_client::datadogV2::model::SensitiveDataScannerRuleCreateRequest;
+use datadog_api_client::datadogV2::model::SensitiveDataScannerRuleRelationships;
+use datadog_api_client::datadogV2::model::SensitiveDataScannerRuleType;
+use datadog_api_client::datadogV2::model::SensitiveDataScannerTextReplacement;
+use datadog_api_client::datadogV2::model::SensitiveDataScannerTextReplacementType;
+
+#[tokio::main]
+async fn main() {
+    // there is a valid "scanning_group" in the system
+    let group_data_id = std::env::var("GROUP_DATA_ID").unwrap();
+    let body = SensitiveDataScannerRuleCreateRequest::new(
+        SensitiveDataScannerRuleCreate::new(
+            SensitiveDataScannerRuleAttributes::new()
+                .is_enabled(true)
+                .name("Example-Sensitive-Data-Scanner".to_string())
+                .pattern("pattern".to_string())
+                .priority(1)
+                .tags(vec!["sensitive_data:true".to_string()])
+                .text_replacement(
+                    SensitiveDataScannerTextReplacement::new()
+                        .replacement_string("REDACTED".to_string())
+                        .should_save_match(true)
+                        .type_(SensitiveDataScannerTextReplacementType::REPLACEMENT_STRING),
+                ),
+            SensitiveDataScannerRuleRelationships::new().group(
+                SensitiveDataScannerGroupData::new().data(
+                    SensitiveDataScannerGroup::new()
+                        .id(group_data_id.clone())
+                        .type_(SensitiveDataScannerGroupType::SENSITIVE_DATA_SCANNER_GROUP),
+                ),
+            ),
+            SensitiveDataScannerRuleType::SENSITIVE_DATA_SCANNER_RULE,
+        ),
+        SensitiveDataScannerMetaVersionOnly::new(),
+    );
+    let configuration = datadog::Configuration::new();
+    let api = SensitiveDataScannerAPI::with_config(configuration);
+    let resp = api.create_scanning_rule(body).await;
+    if let Ok(value) = resp {
+        println!("{:#?}", value);
+    } else {
+        println!("{:#?}", resp.unwrap_err());
+    }
+}

src/datadogV2/model/model_sensitive_data_scanner_text_replacement.rs

@@ -18,6 +18,9 @@ pub struct SensitiveDataScannerTextReplacement {
     /// Required if type == 'replacement_string'.
     #[serde(rename = "replacement_string")]
     pub replacement_string: Option<String>,
+    /// Only valid when type == `replacement_string`. When enabled, matches can be unmasked in logs by users with ‘Data Scanner Unmask’ permission. As a security best practice, avoid masking for highly-sensitive, long-lived data.
+    #[serde(rename = "should_save_match")]
+    pub should_save_match: Option<bool>,
     /// Type of the replacement text. None means no replacement.
     /// hash means the data will be stubbed. replacement_string means that
     /// one can chose a text to replace the data. partial_replacement_from_beginning
@@ -38,6 +41,7 @@ impl SensitiveDataScannerTextReplacement {
         SensitiveDataScannerTextReplacement {
             number_of_chars: None,
             replacement_string: None,
+            should_save_match: None,
             type_: None,
             additional_properties: std::collections::BTreeMap::new(),
             _unparsed: false,
@@ -54,6 +58,11 @@ impl SensitiveDataScannerTextReplacement {
         self
     }
 
+    pub fn should_save_match(mut self, value: bool) -> Self {
+        self.should_save_match = Some(value);
+        self
+    }
+
     pub fn type_(
         mut self,
         value: crate::datadogV2::model::SensitiveDataScannerTextReplacementType,
@@ -96,6 +105,7 @@ impl<'de> Deserialize<'de> for SensitiveDataScannerTextReplacement {
             {
                 let mut number_of_chars: Option<i64> = None;
                 let mut replacement_string: Option<String> = None;
+                let mut should_save_match: Option<bool> = None;
                 let mut type_: Option<
                     crate::datadogV2::model::SensitiveDataScannerTextReplacementType,
                 > = None;
@@ -121,6 +131,13 @@ impl<'de> Deserialize<'de> for SensitiveDataScannerTextReplacement {
                             replacement_string =
                                 Some(serde_json::from_value(v).map_err(M::Error::custom)?);
                         }
+                        "should_save_match" => {
+                            if v.is_null() {
+                                continue;
+                            }
+                            should_save_match =
+                                Some(serde_json::from_value(v).map_err(M::Error::custom)?);
+                        }
                         "type" => {
                             if v.is_null() {
                                 continue;
@@ -146,6 +163,7 @@ impl<'de> Deserialize<'de> for SensitiveDataScannerTextReplacement {
                 let content = SensitiveDataScannerTextReplacement {
                     number_of_chars,
                     replacement_string,
+                    should_save_match,
                     type_,
                     additional_properties,
                     _unparsed,

tests/scenarios/cassettes/v2/sensitive_data_scanner/Create-Scanning-Rule-with-should-save-match-returns-OK-response.frozen

@@ -0,0 +1 @@
+2025-08-26T20:31:44.042Z

tests/scenarios/cassettes/v2/sensitive_data_scanner/Create-Scanning-Rule-with-should-save-match-returns-OK-response.json

@@ -0,0 +1,169 @@
+{
+  "http_interactions": [
+    {
+      "request": {
+        "body": "",
+        "headers": {
+          "Accept": [
+            "application/json"
+          ]
+        },
+        "method": "get",
+        "uri": "https://api.datadoghq.com/api/v2/sensitive-data-scanner/config"
+      },
+      "response": {
+        "body": {
+          "string": "{\"data\":{\"id\":\"7957915c634d4dcb581fa154157f5ad9c2947f50be632fb5599862069f4d2d87\",\"attributes\":{},\"type\":\"sensitive_data_scanner_configuration\",\"relationships\":{\"groups\":{\"data\":[]}}},\"meta\":{\"version\":275277,\"count_limit\":250,\"group_count_limit\":20,\"is_pci_compliant\":false,\"has_highlight_enabled\":true,\"has_multi_pass_enabled\":true,\"has_cascading_enabled\":false,\"is_configuration_superseded\":false,\"is_float_sampling_rate_enabled\":false,\"min_sampling_rate\":10.0}}\n",
+          "encoding": null
+        },
+        "headers": {
+          "Content-Type": [
+            "application/json"
+          ]
+        },
+        "status": {
+          "code": 200,
+          "message": "OK"
+        }
+      },
+      "recorded_at": "Tue, 26 Aug 2025 20:31:44 GMT"
+    },
+    {
+      "request": {
+        "body": {
+          "string": "{\"data\":{\"attributes\":{\"filter\":{\"query\":\"*\"},\"is_enabled\":false,\"name\":\"my-test-group\",\"product_list\":[\"logs\"],\"samplings\":[{\"product\":\"logs\",\"rate\":100}]},\"relationships\":{\"configuration\":{\"data\":{\"id\":\"7957915c634d4dcb581fa154157f5ad9c2947f50be632fb5599862069f4d2d87\",\"type\":\"sensitive_data_scanner_configuration\"}},\"rules\":{\"data\":[]}},\"type\":\"sensitive_data_scanner_group\"},\"meta\":{}}",
+          "encoding": null
+        },
+        "headers": {
+          "Accept": [
+            "application/json"
+          ],
+          "Content-Type": [
+            "application/json"
+          ]
+        },
+        "method": "post",
+        "uri": "https://api.datadoghq.com/api/v2/sensitive-data-scanner/config/groups"
+      },
+      "response": {
+        "body": {
+          "string": "{\"data\":{\"id\":\"18cc2267-f3cc-4c15-917d-d3efb15deb03\",\"attributes\":{\"name\":\"my-test-group\",\"is_enabled\":false,\"filter\":{\"query\":\"*\"},\"product_list\":[\"logs\"],\"samplings\":[{\"product\":\"logs\",\"rate\":100.0}]},\"type\":\"sensitive_data_scanner_group\",\"relationships\":{\"configuration\":{\"data\":{\"id\":\"7957915c634d4dcb581fa154157f5ad9c2947f50be632fb5599862069f4d2d87\",\"type\":\"sensitive_data_scanner_configuration\"}},\"rules\":{\"data\":[]}}},\"meta\":{\"version\":275278}}\n",
+          "encoding": null
+        },
+        "headers": {
+          "Content-Type": [
+            "application/json"
+          ]
+        },
+        "status": {
+          "code": 200,
+          "message": "OK"
+        }
+      },
+      "recorded_at": "Tue, 26 Aug 2025 20:31:44 GMT"
+    },
+    {
+      "request": {
+        "body": {
+          "string": "{\"data\":{\"attributes\":{\"is_enabled\":true,\"name\":\"Test-Create_Scanning_Rule_with_should_save_match_returns_OK_response-1756240304\",\"pattern\":\"pattern\",\"priority\":1,\"tags\":[\"sensitive_data:true\"],\"text_replacement\":{\"replacement_string\":\"REDACTED\",\"should_save_match\":true,\"type\":\"replacement_string\"}},\"relationships\":{\"group\":{\"data\":{\"id\":\"18cc2267-f3cc-4c15-917d-d3efb15deb03\",\"type\":\"sensitive_data_scanner_group\"}}},\"type\":\"sensitive_data_scanner_rule\"},\"meta\":{}}",
+          "encoding": null
+        },
+        "headers": {
+          "Accept": [
+            "application/json"
+          ],
+          "Content-Type": [
+            "application/json"
+          ]
+        },
+        "method": "post",
+        "uri": "https://api.datadoghq.com/api/v2/sensitive-data-scanner/config/rules"
+      },
+      "response": {
+        "body": {
+          "string": "{\"data\":{\"id\":\"0e517b8a-04c1-4ae0-b57b-22b8e081190c\",\"attributes\":{\"name\":\"Test-Create_Scanning_Rule_with_should_save_match_returns_OK_response-1756240304\",\"namespaces\":[],\"excluded_namespaces\":[],\"pattern\":\"pattern\",\"text_replacement\":{\"replacement_string\":\"REDACTED\",\"should_save_match\":true,\"type\":\"replacement_string\"},\"tags\":[\"sensitive_data:true\"],\"labels\":[],\"is_enabled\":true,\"priority\":1},\"type\":\"sensitive_data_scanner_rule\",\"relationships\":{\"group\":{\"data\":{\"id\":\"18cc2267-f3cc-4c15-917d-d3efb15deb03\",\"type\":\"sensitive_data_scanner_group\"}}}},\"meta\":{\"version\":275279}}\n",
+          "encoding": null
+        },
+        "headers": {
+          "Content-Type": [
+            "application/json"
+          ]
+        },
+        "status": {
+          "code": 200,
+          "message": "OK"
+        }
+      },
+      "recorded_at": "Tue, 26 Aug 2025 20:31:44 GMT"
+    },
+    {
+      "request": {
+        "body": {
+          "string": "{\"meta\":{}}",
+          "encoding": null
+        },
+        "headers": {
+          "Accept": [
+            "application/json"
+          ],
+          "Content-Type": [
+            "application/json"
+          ]
+        },
+        "method": "delete",
+        "uri": "https://api.datadoghq.com/api/v2/sensitive-data-scanner/config/rules/0e517b8a-04c1-4ae0-b57b-22b8e081190c"
+      },
+      "response": {
+        "body": {
+          "string": "{\"meta\":{\"version\":275280}}\n",
+          "encoding": null
+        },
+        "headers": {
+          "Content-Type": [
+            "application/json"
+          ]
+        },
+        "status": {
+          "code": 200,
+          "message": "OK"
+        }
+      },
+      "recorded_at": "Tue, 26 Aug 2025 20:31:44 GMT"
+    },
+    {
+      "request": {
+        "body": {
+          "string": "{\"meta\":{}}",
+          "encoding": null
+        },
+        "headers": {
+          "Accept": [
+            "application/json"
+          ],
+          "Content-Type": [
+            "application/json"
+          ]
+        },
+        "method": "delete",
+        "uri": "https://api.datadoghq.com/api/v2/sensitive-data-scanner/config/groups/18cc2267-f3cc-4c15-917d-d3efb15deb03"
+      },
+      "response": {
+        "body": {
+          "string": "{\"meta\":{\"version\":275281}}\n",
+          "encoding": null
+        },
+        "headers": {
+          "Content-Type": [
+            "application/json"
+          ]
+        },
+        "status": {
+          "code": 200,
+          "message": "OK"
+        }
+      },
+      "recorded_at": "Tue, 26 Aug 2025 20:31:44 GMT"
+    }
+  ],
+  "recorded_with": "VCR 6.0.0"
+}

tests/scenarios/features/v2/sensitive_data_scanner.feature

@@ -50,6 +50,17 @@ Feature: Sensitive Data Scanner
     And the response "data.attributes.included_keyword_configuration.character_count" is equal to 35
     And the response "data.attributes.included_keyword_configuration.keywords[0]" is equal to "credit card"
 
+  @team:DataDog/sensitive-data-scanner
+  Scenario: Create Scanning Rule with should_save_match returns "OK" response
+    Given a valid "configuration" in the system
+    And there is a valid "scanning_group" in the system
+    And new "CreateScanningRule" request
+    And body with value {"meta":{},"data":{"type":"sensitive_data_scanner_rule","attributes":{"name":"{{ unique }}","pattern":"pattern","text_replacement":{"type":"replacement_string","replacement_string":"REDACTED","should_save_match":true},"tags":["sensitive_data:true"],"is_enabled":true,"priority":1},"relationships":{"group":{"data":{"type":"{{ group.data.type }}","id":"{{ group.data.id }}"}}}}}
+    When the request is sent
+    Then the response status is 200 OK
+    And the response "data.type" is equal to "sensitive_data_scanner_rule"
+    And the response "data.attributes.name" is equal to "{{ unique }}"
+
   @generated @skip @team:DataDog/sensitive-data-scanner
   Scenario: Delete Scanning Group returns "Bad Request" response
     Given new "DeleteScanningGroup" request