From 2ef6ce40fbf2d1ea8f7c02fb8db771b4b4ed5d12 Mon Sep 17 00:00:00 2001
From: Chakib Hamie
Date: Mon, 4 May 2026 17:33:42 -0400
Subject: [PATCH] Update IaC Security configuration documentation.
---
 config/_default/menus/main.en.yaml | 8 +-
 config/_default/menus/main.es.yaml | 4 +-
 config/_default/menus/main.fr.yaml | 4 +-
 config/_default/menus/main.ja.yaml | 4 +-
 config/_default/menus/main.ko.yaml | 4 +-
 .../code_security/guides/configuration.md | 44 ++-
 .../code_security/iac_security/_index.md | 12 +-
 .../iac_security/configuration/_index.md | 285 ++++++++++++++++
 .../code_security/iac_security/exclusions.md | 318 ------------------
 .../iac_security/iac_rules/_index.md | 4 +-
 .../code_security/iac_security/setup.md | 4 +-
 .../static_analysis/configuration/_index.md | 2 +-
 12 files changed, 343 insertions(+), 350 deletions(-)
 create mode 100644 content/en/security/code_security/iac_security/configuration/_index.md
 delete mode 100644 content/en/security/code_security/iac_security/exclusions.md
diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml
index bce66139ced..ca8d63389a9 100644
--- a/config/_default/menus/main.en.yaml
+++ b/config/_default/menus/main.en.yaml
@@ -7548,12 +7548,12 @@ menu:
 identifier: code_security_iac_security_github_actions
 url: /security/code_security/iac_security/github_actions/
 parent: code_security_iac_security
- weight: 100001
- - name: Exclusions
+ weight: 100002
+ - name: Configuration
 identifier: code_security_iac_security_exclusions
- url: /security/code_security/iac_security/exclusions/
+ url: /security/code_security/iac_security/configuration/
 parent: code_security_iac_security
- weight: 100002
+ weight: 100001
 - name: Rules
 identifier: code_security_iac_security_rules
 url: /security/code_security/iac_security/iac_rules/
diff --git a/config/_default/menus/main.es.yaml b/config/_default/menus/main.es.yaml
index dd29c96b61b..28ebf319742 100644
--- a/config/_default/menus/main.es.yaml
+++ b/config/_default/menus/main.es.yaml
@@ -6803,9 +6803,9 @@ menu:
 url: /security/code_security/iac_security/setup/
 parent: code_security_iac_security
 weight: 100000
- - name: Exclusions
+ - name: Configuration
 identifier: code_security_iac_security_exclusions
- url: /security/code_security/iac_security/exclusions/
+ url: /security/code_security/iac_security/configuration/
 parent: code_security_iac_security
 weight: 100001
 - name: Rules
diff --git a/config/_default/menus/main.fr.yaml b/config/_default/menus/main.fr.yaml
index 8f21e2c644c..f7465fee316 100644
--- a/config/_default/menus/main.fr.yaml
+++ b/config/_default/menus/main.fr.yaml
@@ -6808,9 +6808,9 @@ menu:
 url: /security/code_security/iac_security/setup/
 parent: code_security_iac_security
 weight: 100000
- - name: Exclusions
+ - name: Configuration
 identifier: code_security_iac_security_exclusions
- url: /security/code_security/iac_security/exclusions/
+ url: /security/code_security/iac_security/configuration/
 parent: code_security_iac_security
 weight: 100001
 - name: Rules
diff --git a/config/_default/menus/main.ja.yaml b/config/_default/menus/main.ja.yaml
index 7471b5eea88..7033e599374 100644
--- a/config/_default/menus/main.ja.yaml
+++ b/config/_default/menus/main.ja.yaml
@@ -6808,9 +6808,9 @@ menu:
 url: /security/code_security/iac_security/setup/
 parent: code_security_iac_security
 weight: 100000
- - name: Exclusions
+ - name: Configuration
 identifier: code_security_iac_security_exclusions
- url: /security/code_security/iac_security/exclusions/
+ url: /security/code_security/iac_security/configuration/
 parent: code_security_iac_security
 weight: 100001
 - name: Rules
diff --git a/config/_default/menus/main.ko.yaml b/config/_default/menus/main.ko.yaml
index 58525652d67..669d72f7554 100644
--- a/config/_default/menus/main.ko.yaml
+++ b/config/_default/menus/main.ko.yaml
@@ -6808,9 +6808,9 @@ menu:
 url: /security/code_security/iac_security/setup/
 parent: code_security_iac_security
 weight: 100000
- - name: Exclusions
+ - name: Configuration
 identifier: code_security_iac_security_exclusions
- url: /security/code_security/iac_security/exclusions/
+ url: /security/code_security/iac_security/configuration/
 parent: code_security_iac_security
 weight: 100001
 - name: Rules
diff --git a/content/en/security/code_security/guides/configuration.md b/content/en/security/code_security/guides/configuration.md
index 0c229479cca..22b3d1250f9 100644
--- a/content/en/security/code_security/guides/configuration.md
+++ b/content/en/security/code_security/guides/configuration.md
@@ -9,23 +9,28 @@ further_reading:
 - link: /security/code_security/software_composition_analysis/configuration/
 tag: Documentation
 text: Software Composition Analysis (SCA) Configuration
+- link: /security/code_security/iac_security/configuration/
+ tag: Documentation
+ text: Infrastructure as Code (IaC) Security Configuration
 ---
 Datadog Code Security can be configured in Datadog, in a file at the root of your repository, or in both locations.
 ## Configuration schema
-The configuration file must begin with `schema-version: v1.0` or `schema-version: v1.1`, followed by top-level keys for each product you want to configure. Use `v1.1` to enable SCA support.
+The configuration file must begin with `schema-version: v1.0`, `schema-version: v1.1`, or `schema-version: v1.2`, followed by top-level keys for each product you want to configure. Use `v1.1` to enable SCA support and `v1.2` to enable IaC Security support.
 ```yaml
-schema-version: v1.1
+schema-version: v1.2
 sast:
 # Static Code Analysis (SAST) configuration
 sca:
 # Software Composition Analysis (SCA) configuration
+iac:
+ # Infrastructure as Code (IaC) Security configuration
 ```
-Both the `sast` and `sca` sections are optional. Any configuration location, including the org level, repository level, or repository file, can include one or both sections. For the full schema for each section, see [Static Code Analysis (SAST) Configuration][1] and [Software Composition Analysis (SCA) Configuration][2].
+The `sast`, `sca`, and `iac` sections are optional. Any configuration location, including the org level, repository level, or repository file, can include one or more sections. For the full schema for each section, see [Static Code Analysis (SAST) Configuration][1], [Software Composition Analysis (SCA) Configuration][2], and [Infrastructure as Code (IaC) Security Configuration][3].
 ## Where to define configurations
@@ -65,18 +70,18 @@ For each field in a configuration, merge behavior depends on the field type:
 | Field type | Merge behavior | Example fields |
 |---|---|---|
-| Lists | Concatenated, with duplicates removed | `use-rulesets`, `ignore-rulesets`, `ignore-paths`, `only-paths` |
+| Lists | Concatenated, with duplicates removed | `use-rulesets`, `ignore-rulesets`, `ignore-rules`, `ignore-paths`, `only-paths` |
 | Scalar values (strings, numbers, booleans) | The value from the highest-precedence configuration is used | `use-default-rulesets`, `use-gitignore`, `max-file-size-kb`, `category` |
 | Maps | Recursively merged | `ruleset-configs`, `rule-configs`, `arguments` |
-For the full list of fields, see [Static Code Analysis (SAST) Configuration][1] and [Software Composition Analysis (SCA) Configuration][2].
+For the full list of fields, see [Static Code Analysis (SAST) Configuration][1], [Software Composition Analysis (SCA) Configuration][2], and [Infrastructure as Code (IaC) Security Configuration][3].
 The following example shows how configurations are merged:
 #### Org-level
 ```yaml
-schema-version: v1.1
+schema-version: v1.2
 sast:
 use-default-rulesets: false
 use-rulesets:
@@ -92,12 +97,18 @@ sast:
 sca:
 ignore-paths:
 - "vendor/"
+iac:
+ ignore-rules:
+ - A
+ global-config:
+ ignore-paths:
+ - "examples/"
 ```
 #### Repo-level
 ```yaml
-schema-version: v1.1
+schema-version: v1.2
 sast:
 use-rulesets:
 - B
@@ -115,12 +126,18 @@ sast:
 sca:
 ignore-paths:
 - "third_party/"
+iac:
+ ignore-rules:
+ - B
+ global-config:
+ ignore-paths:
+ - "generated/"
 ```
 #### Merged result
 ```yaml
-schema-version: v1.1
+schema-version: v1.2
 sast:
 use-default-rulesets: false
 use-rulesets:
@@ -143,11 +160,19 @@ sca:
 ignore-paths:
 - "vendor/"
 - "third_party/"
+iac:
+ ignore-rules:
+ - A
+ - B
+ global-config:
+ ignore-paths:
+ - "examples/"
+ - "generated/"
 ```
 The example demonstrates each merge rule from the table above:
-- **Lists concatenate**: `use-rulesets` merges to `[A, B]`; the SCA `ignore-paths` merges to `["vendor/", "third_party/"]`.
+- **Lists concatenate**: `use-rulesets` merges to `[A, B]`; the SCA `ignore-paths` merges to `["vendor/", "third_party/"]`; the IaC `ignore-rules` merges to `[A, B]`.
 - **Scalars use the highest-precedence value**: `maxCount: 22` (repo-level) overrides `maxCount: 10` (org-level).
 - **Maps merge recursively**: The `foo` rule config keeps `ignore-paths` from the org level while applying `maxCount: 22` from the repo level. New entries like `bar` are added from the repo level.
@@ -157,3 +182,4 @@ The example demonstrates each merge rule from the table above:
 [1]: /security/code_security/static_analysis/configuration/
 [2]: /security/code_security/software_composition_analysis/configuration/
+[3]: /security/code_security/iac_security/configuration/
diff --git a/content/en/security/code_security/iac_security/_index.md b/content/en/security/code_security/iac_security/_index.md
index 56906b45675..1107a5e4d65 100644
--- a/content/en/security/code_security/iac_security/_index.md
+++ b/content/en/security/code_security/iac_security/_index.md
@@ -9,9 +9,9 @@ further_reading:
 - link: "/security/code_security/iac_security/setup"
 tag: "Documentation"
 text: "Set up IaC Security"
- - link: "/security/code_security/iac_security/exclusions"
+ - link: "/security/code_security/iac_security/configuration"
 tag: "Documentation"
- text: "Configure IaC Security Exclusions"
+ text: "Configure IaC Security"
 - link: "/security/code_security/iac_security/iac_rules/"
 tag: "Documentation"
 text: "IaC Security Rules"
@@ -76,12 +76,12 @@ To restore a muted finding, click **Unmute** in the details panel. You can also
 You can configure exclusions to prevent certain findings from appearing in scan results. Exclusions can be based on rule ID, file path, resource type, severity, or tag.
-Exclusions are managed through a configuration file or inline comments in your IaC code. For supported formats and usage examples, see [Configure IaC Security Exclusions][7].
+Exclusions are managed through a configuration file or inline comments in your IaC code. For supported formats and usage examples, see [Configure IaC Security][7].
 ## Next steps
 1. [Set up IaC Security][1] in your environment.
-2. Configure [scanning exclusions][2] to reduce false positives or ignore expected results.
+2. Configure [IaC Security][2] to reduce false positives or ignore expected results.
 3. Review and triage findings on the [Code Security Vulnerabilities][3] page.
 ## Further reading
@@ -89,12 +89,12 @@ Exclusions are managed through a configuration file or inline comments in your I
 {{< partial name="whats-next/whats-next.html" >}}
 [1]: /security/code_security/iac_security/setup
-[2]: /security/code_security/iac_security/exclusions
+[2]: /security/code_security/iac_security/configuration
 [3]: https://app.datadoghq.com/security/code-security/iac
 [4]: /security/ticketing_integrations#bidirectional-ticket-syncing-with-jira
 [5]: /security/code_security/dev_tool_int/github_pull_requests/
 [6]: https://app.datadoghq.com/ci/code-analysis?
-[7]: /security/code_security/iac_security/exclusions/?tab=yaml
+[7]: /security/code_security/iac_security/configuration/
 [8]: /security/automation_pipelines/mute
 [9]: https://app.datadoghq.com/integrations/github/
 [10]: /security/automation_pipelines/
diff --git a/content/en/security/code_security/iac_security/configuration/_index.md b/content/en/security/code_security/iac_security/configuration/_index.md
new file mode 100644
index 00000000000..d4b9fcadada
--- /dev/null
+++ b/content/en/security/code_security/iac_security/configuration/_index.md 
@@ -0,0 +1,285 @@
+---
+title: Infrastructure as Code (IaC) Security Configuration
+aliases:
+ - /security/cloud_security_management/setup/iac_scanning/iac_scanning_exclusions/
+ - /security/code_security/iac_security/exclusions/
+further_reading:
+ - link: "https://www.datadoghq.com/blog/datadog-iac-security/"
+ tag: "Blog"
+ text: "Prevent cloud misconfigurations from reaching production with Datadog IaC Security"
+ - link: "/security/code_security/iac_security"
+ tag: "Documentation"
+ text: "IaC Security"
+ - link: "/security/code_security/iac_security/setup"
+ tag: "Documentation"
+ text: "Set up IaC Security for Code Security"
+ - link: "/security/code_security/iac_security/iac_rules/"
+ tag: "Documentation"
+ text: "IaC Security Rules"
+---
+
+Infrastructure as Code (IaC) Security detects IaC misconfigurations. By default, IaC Security scans repositories with [all supported rules][3]. You can customize which rules run and on which paths, as well as their severities and categories. Configure these settings under the `iac` key in the Code Security configuration, either in Datadog or in a `code-security.datadog.yaml` file.
+
+For information on configuration locations, precedence, and merging, see [Code Security Configuration Reference][1].
+
+## Configuration methods
+
+You can configure IaC Security using:
+
+- A configuration file to define included or ignored rule IDs, severity levels, file paths, and categories.
+- Inline comments to ignore specific findings within IaC files.
+
+## Configuration format
+
+The following configuration format applies to all configuration locations: org-level, repository-level, and repository-level (file).
+
+The configuration file must begin with `schema-version: v1.2`, followed by an `iac` key containing the analysis configuration. The full structure is as follows:
+
+```yaml
+schema-version: v1.2
+iac:
+ # Do not run these rules.
+ ignore-rules:
+ - A
+ - B
+ # Run only these rules. If this field is set, all other rules are ignored.
+ use-rules:
+ - A
+ global-config:
+ # Only analyze the following paths/files.
+ only-paths:
+ - "path/example"
+ - "**/*.file"
+ # Do not analyze the following paths/files.
+ ignore-paths:
+ - "path/example/directory"
+ - "**/config.file"
+ # Do not report findings with these severities.
+ ignore-severities:
+ - low
+ - info
+ # Report only findings with these severities.
+ only-severities:
+ - high
+ - critical
+ # Do not report findings in these categories.
+ ignore-categories:
+ - "Best Practices"
+ # Report only findings in these categories.
+ only-categories:
+ - "Encryption"
+```
+
+The `iac` key supports the following fields:
+
+| **Property** | **Type** | **Description** |
+| --- | --- | --- |
+| `ignore-rules` | Array | A list of rule IDs to ignore. |
+| `use-rules` | Array | A list of rule IDs to run. If this field is set, rules not listed are ignored. |
+| `global-config` | Object | Global settings for the repository. |
+
+## Rule configuration
+
+To modify which rules run:
+
+- **Run only specific rules**: List them under `use-rules`
+- **Disable specific rules**: List them under `ignore-rules`
+
+```yaml
+schema-version: v1.2
+iac:
+ ignore-rules:
+ - A
+ - B
+```
+
+```yaml
+schema-version: v1.2
+iac:
+ use-rules:
+ - A
+```
+
+Replace placeholders such as `A` and `B` with Code Security rule IDs. Legacy rule IDs are also supported for backward compatibility.
+
+## Global configuration
+
+The `global-config` object controls repository-wide settings:
+
+| **Property** | **Type** | **Description** |
+| --- | --- | --- |
+| `only-paths` | Array | File paths or glob patterns. Only matching files are analyzed. |
+| `ignore-paths` | Array | File paths or glob patterns to exclude. Matching files are not analyzed. |
+| `only-severities` | Array | Severity levels to report. Findings with other severities are ignored. |
+| `ignore-severities` | Array | Severity levels to ignore. |
+| `only-categories` | Array | Categories to report. Findings in other categories are ignored. |
+| `ignore-categories` | Array | Categories to ignore. |
+
+### Severities
+
+Use `ignore-severities` to ignore findings based on severity level. Use `only-severities` to report only specific severity levels.
+
+**Possible values:**
+
+- `critical`
+- `high`
+- `medium`
+- `low`
+- `info`
+
+```yaml
+schema-version: v1.2
+iac:
+ global-config:
+ ignore-severities:
+ - info
+ - low
+```
+
+### Paths
+
+Use `ignore-paths` to exclude specific files or directories from scanning. Use `only-paths` to scan only specific files or directories. These options support glob patterns.
+
+```yaml
+schema-version: v1.2
+iac:
+ global-config:
+ ignore-paths:
+ - "path/example/directory"
+ - "**/config.file"
+```
+
+### Categories
+
+Use `ignore-categories` to ignore findings in specific categories. Use `only-categories` to report only specific categories.
+
+**Possible values:**
+
+- `Access Control`
+- `Availability`
+- `Backup`
+- `Best Practices`
+- `Build Process`
+- `Encryption`
+- `Insecure Configurations`
+- `Insecure Defaults`
+- `Networking and Firewall`
+- `Observability`
+- `Resource Management`
+- `Secret Management`
+- `Supply-Chain`
+- `Structure and Semantics`
+- `Bill Of Materials`
+
+```yaml
+schema-version: v1.2
+iac:
+ global-config:
+ ignore-categories:
+ - "Access Control"
+ - "Best Practices"
+```
+
+## Legacy configuration
+
+IaC Security previously used a different configuration file (`dd-iac-scan.config`) and schema. This schema is deprecated and does not receive new updates, but it is [documented][2] in the `datadog-iac-scanner` repository.
+
+A `code-security.datadog.yaml` file with an `iac` section takes precedence over `dd-iac-scan.config` if both are present.
+
+## Configure exclusions with an inline comment
+
+To control which parts of a file are scanned, add a comment that contains `dd-iac-scan`, followed by a command and any required values. Prefix `dd-iac-scan` with the comment syntax for the file format. Inline exclusions apply only within the file where they are used.
+
+### Supported commands
+
+| **Comment** | **Description** |
+|----------------------------------|---------------------------------|
+| `dd-iac-scan ignore` | Ignores the entire file. |
+| `dd-iac-scan disable=` | Ignores specific rules. |
+| `dd-iac-scan enable=` | Includes only specific rules. |
+| `dd-iac-scan ignore-line` | Ignores a single line. |
+| `dd-iac-scan ignore-block` | Ignores an entire block. |
+
+#### dd-iac-scan ignore
+
+Excludes the entire file from scanning. This comment must be placed at the beginning of the file to take effect.
+
+```
+# dd-iac-scan ignore
+
+resource "aws_s3_bucket" "example" {
+ bucket = "my-tf-test-bucket"
+ ...
+}
+...
+```
+
+#### dd-iac-scan disable=rule_id
+
+Excludes scan results for the specified rules in this file. This comment must be placed at the beginning of the file to take effect.
+
+```
+# dd-iac-scan disable=A,B
+
+resource "aws_s3_bucket" "example" {
+ bucket = "my-tf-test-bucket"
+ ...
+}
+...
+```
+
+Findings from the specified rules are ignored for this file. Legacy rule IDs are also supported for backward compatibility.
+
+#### dd-iac-scan enable=rule_id
+
+Limits scan results in this file to only the specified rules. This comment must be placed at the beginning of the file to take effect.
+
+```
+# dd-iac-scan enable=A
+
+resource "aws_s3_bucket" "example" {
+ bucket = "my-tf-test-bucket"
+ ...
+}
+...
+```
+
+Only findings from the specified rules are included in scan results for this file. Legacy rule IDs are also supported for backward compatibility.
+
+#### dd-iac-scan ignore-line
+
+Prevents scan results from flagging the line immediately after this comment. This comment can be placed anywhere in the file.
+
+```
+1: resource "google_storage_bucket" "example" {
+2: # dd-iac-scan ignore-line
+3: name = "image-store.com"
+4: location = "EU"
+5: force_destroy = true
+6: }
+```
+
+In the previous example, findings for line 3 are ignored.
+
+#### dd-iac-scan ignore-block
+
+Prevents scan results from flagging an entire resource block and all its key-value pairs. This comment can be placed anywhere in the file.
+
+```
+1: # dd-iac-scan ignore-block
+2: resource "google_storage_bucket" "example" {
+3: name = "image-store.com"
+4: location = "EU"
+5: force_destroy = true
+6: }
+```
+
+Findings related to the entire block (lines 2-6 in this example) are ignored.
+
+## Further reading
+
+{{< partial name="whats-next/whats-next.html" >}}
+
+[1]: /security/code_security/guides/configuration/
+[2]: https://github.com/DataDog/datadog-iac-scanner/blob/main/doc/legacy_config.md
+[3]: /security/code_security/iac_security/iac_rules/
diff --git a/content/en/security/code_security/iac_security/exclusions.md b/content/en/security/code_security/iac_security/exclusions.md
deleted file mode 100644
index c277d46fe43..00000000000
--- a/content/en/security/code_security/iac_security/exclusions.md
+++ /dev/null
@@ -1,318 +0,0 @@ ---- -title: Configure IaC Security Exclusions -aliases: - - /security/cloud_security_management/setup/iac_scanning/iac_scanning_exclusions/ -further_reading: - - link: "https://www.datadoghq.com/blog/datadog-iac-security/" - tag: "Blog" - text: "Prevent cloud misconfigurations from reaching production with Datadog IaC Security" - - link: "/security/code_security/iac_security" - tag: "Documentation" - text: "IaC Security" - - link: "/security/code_security/iac_security/setup" - tag: "Documentation" - text: "Set up IaC Security for Code Security" - - link: "/security/code_security/iac_security/iac_rules/" - tag: "Documentation" - text: "IaC Security Rules" ---- - -Infrastructure as Code (IaC) Security detects security misconfigurations in Terraform files. Exclusions allow you to control which findings appear in scan results by ignoring specific rules, files, or issue categories. - -## Exclusion methods - -You can configure exclusions using: - -- A configuration file to define exclusions for severity levels, file paths, query IDs, and categories. -- Inline comments to ignore specific findings within Terraform files. - -
If an exclusion is defined in both the configuration file and an inline comment, the configuration file takes priority.
- -## Configure exclusions with a configuration file - -1. Create a file named `dd-iac-scan.config` in the root directory of your project repository. -1. Add the necessary exclusions in YAML, JSON, TOML, or HCL format. -1. Commit the `dd-iac-scan.config` file to your repository. - -### Supported exclusions - -#### Exclude severities - -Use `exclude-severities` to exclude findings based on severity level. To supply multiple values to this option, you can set the option multiple times or pass in a list. - -**Possible values:** -- `critical` -- `high` -- `medium` -- `low` -- `info` - -{{< tabs >}} -{{% tab "YAML" %}} - -```yaml -exclude-severities: - - "info" - - "low" -``` - -{{% /tab %}} -{{% tab "JSON" %}} - -```json -"exclude-severities": [ - "info", - "low" -] -``` - -{{% /tab %}} -{{% tab "TOML" %}} - -``` -exclude-severities = [ "info", "low" ] -``` - -{{% /tab %}} -{{% tab "HCL" %}} - -``` -"exclude-severities" = ["info", "low"] -``` - -{{% /tab %}} -{{< /tabs >}} - -#### Exclude paths - -Use `exclude-paths` to exclude specific files or directories from scanning. This option supports glob patterns. To supply multiple values to this option, you can set the option multiple times or pass in a list. - -{{< tabs >}} -{{% tab "YAML" %}} - -```yaml -exclude-paths: - - "./shouldNotScan/*" - - "dir/somefile.txt" -``` - -{{% /tab %}} -{{% tab "JSON" %}} - -```json -"exclude-paths": [ - "./shouldNotScan/*", - "dir/somefile.txt" -] -``` - -{{% /tab %}} -{{% tab "TOML" %}} - -``` -exclude-paths = [ "./shouldNotScan/*", "dir/somefile.txt" ] -``` - -{{% /tab %}} -{{% tab "HCL" %}} - -``` -"exclude-paths" = ["./shouldNotScan/*", "dir/somefile.txt"] -``` - -{{% /tab %}} -{{< /tabs >}} - -#### Exclude queries - -Use `exclude-queries` to exclude specific queries by their query ID. To supply multiple values to this option, you can set the option multiple times or pass in a list. 
- -{{< tabs >}} -{{% tab "YAML" %}} - -```yaml -exclude-queries: - - "e69890e6-fce5-461d-98ad-cb98318dfc96" - - "4728cd65-a20c-49da-8b31-9c08b423e4db" -``` - -{{% /tab %}} -{{% tab "JSON" %}} - -```json -"exclude-queries": [ - "e69890e6-fce5-461d-98ad-cb98318dfc96", - "4728cd65-a20c-49da-8b31-9c08b423e4db" -] -``` - -{{% /tab %}} -{{% tab "TOML" %}} - -``` -exclude-queries = [ "e69890e6-fce5-461d-98ad-cb98318dfc96", "4728cd65-a20c-49da-8b31-9c08b423e4db" ] -``` - -{{% /tab %}} -{{% tab "HCL" %}} - -``` -"exclude-queries" = ["e69890e6-fce5-461d-98ad-cb98318dfc96", "4728cd65-a20c-49da-8b31-9c08b423e4db"] -``` - -{{% /tab %}} -{{< /tabs >}} - -#### Exclude categories - -Use `exclude-categories` to exclude specific categories. This option can be used multiple times or as a string representation of a list. - -**Possible values**: -- `Access Control` -- `Availability` -- `Backup` -- `Best Practices` -- `Build Process` -- `Encryption` -- `Insecure Configurations` -- `Insecure Defaults` -- `Networking and Firewall` -- `Observability` -- `Resource Management` -- `Secret Management` -- `Supply-Chain` -- `Structure and Semantics` -- `Bill Of Materials` - -{{< tabs >}} -{{% tab "YAML" %}} - -```yaml -exclude-categories: - - "Access Control" - - "Best Practices" -``` - -{{% /tab %}} -{{% tab "JSON" %}} - -```json -"exclude-categories": [ - "Access Control", - "Best Practices" -] -``` - -{{% /tab %}} -{{% tab "TOML" %}} - -``` -exclude-categories = [ "Access Control", "Best Practices" ] -``` - -{{% /tab %}} -{{% tab "HCL" %}} - -``` -"exclude-categories" = ["Access Control", "Best Practices"] -``` - -{{% /tab %}} -{{< /tabs >}} - -## Configure exclusions with an inline comment - -To control which parts of a file are scanned, add a comment that starts with `# dd-iac-scan`, followed by a command and any required values. Inline exclusions apply only within the file where they are used. - -
If an exclusion is defined in both the configuration file and an inline comment, the configuration file takes priority.
- -### Supported commands - -| **Comment** | **Description** | -|----------------------------------|---------------------------------| -| `dd-iac-scan ignore` | Ignores the entire file. | -| `dd-iac-scan disable=` | Ignores specific queries. | -| `dd-iac-scan enable=` | Includes only specific queries. | -| `dd-iac-scan ignore-line` | Ignores a single line. | -| `dd-iac-scan ignore-block` | Ignores an entire block. | - -#### dd-iac-scan ignore - -Excludes the entire file from scanning. This comment must be placed at the beginning of the file to take effect. - -``` -# dd-iac-scan ignore - -resource "aws_s3_bucket" "example" { - bucket = "my-tf-test-bucket" - ... -} -... -``` - -#### dd-iac-scan disable=query_id - -Excludes scan results for the specified queries in this file. This comment must be placed at the beginning of the file to take effect. - -``` -# dd-iac-scan disable=e592a0c5-5bdb-414c-9066-5dba7cdea370,e69890e6-fce5-461d-98ad-cb98318dfc96 - -resource "aws_s3_bucket" "example" { - bucket = "my-tf-test-bucket" - ... -} -... -``` - -Findings from the specified queries are ignored for this file. - -#### dd-iac-scan enable=query_id - -Limits scan results in this file to only the specified queries. This comment must be placed at the beginning of the file to take effect. - - -``` -# dd-iac-scan enable=e592a0c5-5bdb-414c-9066-5dba7cdea370 - -resource "aws_s3_bucket" "example" { - bucket = "my-tf-test-bucket" - ... -} -... -``` - -Only findings from the specified queries are included in scan results for this file. - -#### dd-iac-scan ignore-line - -Prevents scan results from flagging the line immediately after this comment. This comment can be placed anywhere in the file. - -``` -1: resource "google_storage_bucket" "example" { -2: # dd-iac-scan ignore-line -3: name = "image-store.com" -4: location = "EU" -5: force_destroy = true -6: } -``` - -Findings for line 3 are ignored. 
-
-#### dd-iac-scan ignore-block
-
-Prevents scan results from flagging an entire resource block and all its key-value pairs. This comment can be placed anywhere in the file.
-
-```
-1: # dd-iac-scan ignore-block
-2: resource "google_storage_bucket" "example" {
-3: name = "image-store.com"
-4: location = "EU"
-5: force_destroy = true
-6: }
-```
-
-Findings related to the entire block (lines 2-6 in this example) are ignored.
-
-## Further reading
-
-{{< partial name="whats-next/whats-next.html" >}}
\ No newline at end of file
diff --git a/content/en/security/code_security/iac_security/iac_rules/_index.md b/content/en/security/code_security/iac_security/iac_rules/_index.md
index d4c5ebb30a7..45ccc4d595b 100644
--- a/content/en/security/code_security/iac_security/iac_rules/_index.md
+++ b/content/en/security/code_security/iac_security/iac_rules/_index.md
@@ -5,9 +5,9 @@ further_reading:
 - link: "/security/code_security/iac_security/setup"
 tag: "Documentation"
 text: "Set up IaC Security"
- - link: "/security/code_security/iac_security/exclusions"
+ - link: "/security/code_security/iac_security/configuration"
 tag: "Documentation"
- text: "Configure IaC Security Exclusions"
+ text: "Configure IaC Security"
 ---
 {{% site-region region="gov,gov2" %}}
diff --git a/content/en/security/code_security/iac_security/setup.md b/content/en/security/code_security/iac_security/setup.md
index 99890548c1d..a6db756c8bd 100644
--- a/content/en/security/code_security/iac_security/setup.md
+++ b/content/en/security/code_security/iac_security/setup.md
@@ -9,9 +9,9 @@ further_reading:
 - link: "/security/code_security/iac_security"
 tag: "Documentation"
 text: "IaC Security"
- - link: "/security/code_security/iac_security/exclusions"
+ - link: "/security/code_security/iac_security/configuration"
 tag: "Documentation"
- text: "Configure IaC Security Exclusions"
+ text: "Configure IaC Security"
 - link: "/security/code_security/iac_security/iac_rules/"
 tag: "Documentation"
 text: "IaC Security Rules"
diff --git a/content/en/security/code_security/static_analysis/configuration/_index.md b/content/en/security/code_security/static_analysis/configuration/_index.md
index 81e5de9f72a..dfac8747391 100644
--- a/content/en/security/code_security/static_analysis/configuration/_index.md
+++ b/content/en/security/code_security/static_analysis/configuration/_index.md
@@ -21,7 +21,7 @@ For the full list of default rulesets, see [Static Code Analysis (SAST) Rules][6
 The following configuration format applies to all configuration locations: org-level, repository-level, and repository-level (file).
-The configuration file must begin with `schema-version: v1.0` or `schema-version: v1.1`, followed by a `sast` key containing the analysis configuration. The full structure is as follows:
+The configuration file must begin with `schema-version: v1.0`, `schema-version: v1.1`, or `schema-version: v1.2`, followed by a `sast` key containing the analysis configuration. The full structure is as follows:
 ```yaml
 schema-version: v1.0