feat(secrets): bump dd-sds to b2dca51 and revert #921 stack-overflow workaround #925

Open

isabella-garza-datadog wants to merge 3 commits into main from isabella.garza/SDSP-452-sds-update

feat(secrets): bump dd-sds to b2dca51 and revert #921 stack-overflow workaround#925
isabella-garza-datadog wants to merge 3 commits into
mainfrom
isabella.garza/SDSP-452-sds-update

Conversation

isabella-garza-datadog (Contributor) commented Jun 18, 2026

What problem are you trying to solve?

dd-sds commit b2dca51 contains an upstream fix for the stack overflow in Scanner::scan_with_options() that was the root cause of #incident-56036. PR #921 worked around that crash by switching to scan() + validate_matches() as a temporary measure, but this workaround regressed the is_supporting_rule HTTP match-pairing feature (cross-rule template-variable resolution only fires inside scan_with_options), and the corresponding test was marked #[ignore].

What is your solution?

  • Bump dd-sds to b2dca51b27a87ecb2d847ad4167a0537afca1972, which contains the upstream fix for the recursion/stack overflow in dd-sds.
  • Revert the changes from PR #921: restore scan_with_options(validate_matches=true) as the single call path in find_secrets and re-enable the previously ignored test_supporting_rule_excluded_from_output_but_used_for_match_pairing test.

Alternatives considered

Keeping the PR #921 workaround in place, but that leaves the supporting-rule match-pairing feature permanently broken for validators that rely on cross-rule template variables.

What the reviewer should know

  • The cargo package was renamed from dd-sds to dd-sensitive-data-scanner, so Cargo.toml uses a package = "dd-sensitive-data-scanner" alias to keep the dd_sds:: import path unchanged.

Testing

Ran secret scanning on dd-source and web-ui, both of which previously caused stack overflows.

Results are identical before and after this PR (same files scanned, secrets found, and rules matched), confirming no regression in detection — with a small improvement in scan duration.

dd-source

| Metric | v0.8.4 | This PR |
|---|---|---|
| Files scanned | 306,770 | 306,770 |
| Files with secrets | 176 | 176 |
| Total secrets | 340 | 340 |
| Valid secrets | 0 | 0 |
| Rules evaluated | 277 | 277 |
| Rules with matches | 25 | 25 |
| Duration | 47.798s | 44.609s |

web-ui

| Metric | v0.8.4 | This PR |
|---|---|---|
| Files scanned | 206,912 | 206,912 |
| Files with secrets | 12 | 12 |
| Total secrets | 184 | 184 |
| Valid secrets | 0 | 0 |
| Rules evaluated | 277 | 277 |
| Rules with matches | 64 | 64 |
| Duration | 316.096s | 295.378s |
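As an added illustration of the alias mentioned under "What the reviewer should know" (this is not the PR's own Cargo.toml), the Cargo `package` key lets the dependency keep its old name so `use dd_sds::...` compiles unchanged after the upstream crate rename. The git URL is an assumption; the rev is the commit the PR pins.

```toml
# Added example, not copied from the PR. Before the upstream rename the
# dependency was simply the dd-sds crate (rev shown as a placeholder):
#
# dd-sds = { git = "https://github.com/DataDog/dd-sensitive-data-scanner", rev = "<previous rev>" }

[dependencies]
# After the rename: the key on the left is the name Rust code sees (dd_sds),
# `package` names the crate as published in the repository, and `rev` pins the
# commit that carries the scan_with_options() stack-overflow fix.
# The git URL is assumed for this example.
dd-sds = { package = "dd-sensitive-data-scanner", git = "https://github.com/DataDog/dd-sensitive-data-scanner", rev = "b2dca51b27a87ecb2d847ad4167a0537afca1972" }
```

Cargo maps the `dd-sds` key to the `dd_sds` crate name in code, which is why no `use` paths in crates/secrets had to change.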

Copilot AI review requested due to automatic review settings June 18, 2026 21:35
@isabella-garza-datadog isabella-garza-datadog requested a review from a team as a code owner June 18, 2026 21:35
datadog-datadog-prod-us1 (bot) commented Jun 18, 2026

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 85.44% (+0.44%)

Commit SHA: 13f502a

isabella-garza-datadog changed the title from "Isabella.garza/sdsp 452 sds update" to "feat(secrets): bump dd-sds to b2dca51 and revert #921 stack-overflow workaround" Jun 18, 2026
isabella-garza-datadog marked this pull request as draft June 18, 2026 21:36

Copilot AI (Contributor) left a comment

Pull request overview

This PR updates the secrets scanning integration to use the upstream-fixed dd-sds implementation again, restoring scan_with_options(validate_matches=true) behavior (including supporting-rule match-pairing) and removing the temporary workaround introduced for the stack overflow incident.

Changes:

  • Bump the dd-sds git dependency to commit b2dca51… (now via package = "dd-sensitive-data-scanner" alias).
  • Revert the incident-56036 workaround by switching find_secrets back to scan_with_options(...) instead of scan() + validate_matches().
  • Re-enable the previously ignored supporting-rule match-pairing test.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| crates/secrets/src/scanner.rs | Restore scan_with_options call path and re-enable supporting-rule match-pairing test. |
| crates/secrets/Cargo.toml | Bump dd-sds dependency to upstream-fixed commit and alias renamed package. |
| Cargo.lock | Lockfile updates from the dd-sds dependency bump (transitive dep changes). |
Comments suppressed due to low confidence (1)

crates/secrets/src/scanner.rs:16

  • The doc comment above build_sds_scanner still says to use scanner.scan() to find secrets, but find_secrets now uses Scanner::scan_with_options (and this file no longer uses scan() directly). Updating the comment will prevent confusion for future readers.

```rust
use dd_sds::{RootRuleConfig, RuleConfig, ScanOptionBuilder, Scanner};
use itertools::Itertools;
use std::sync::Arc;

/// Build the SDS scanner used to scan all code using the rules fetched from
```

isabella-garza-datadog force-pushed the isabella.garza/SDSP-452-sds-update branch from 804fd17 to a813941 on June 22, 2026 09:47
Restore main's Cargo.lock and reconcile only the dd-sds change instead of
fully regenerating, which avoided unrelated downgrades (socket2 0.6->0.5,
windows-sys 0.61/0.60->0.59) that churned the dependency graph.

This keeps v8's dependency subtree identical to main so the prebuilt
librusty_v8.a stays cache-valid in the check-regressions job, fixing the
"could not find native static library rusty_v8" failure on the cold rebuild.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
isabella-garza-datadog marked this pull request as ready for review June 23, 2026 15:07