DataDog · whitemerch · May 4, 2026 · drichards-87 · May 8, 2026 · chatgpt-codex-connector
@@ -7548,12 +7548,12 @@ menu:
       identifier: code_security_iac_security_github_actions
       url: /security/code_security/iac_security/github_actions/
       parent: code_security_iac_security
-      weight: 100001
-    - name: Exclusions
+      weight: 100002
+    - name: Configuration
       identifier: code_security_iac_security_exclusions
-      url: /security/code_security/iac_security/exclusions/
+      url: /security/code_security/iac_security/configuration/
       parent: code_security_iac_security
-      weight: 100002
+      weight: 100001
     - name: Rules
       identifier: code_security_iac_security_rules
       url: /security/code_security/iac_security/iac_rules/

@@ -6803,9 +6803,9 @@ menu:
       url: /security/code_security/iac_security/setup/
       parent: code_security_iac_security
       weight: 100000
-    - name: Exclusions
+    - name: Configuration
       identifier: code_security_iac_security_exclusions
-      url: /security/code_security/iac_security/exclusions/
+      url: /security/code_security/iac_security/configuration/
       parent: code_security_iac_security
       weight: 100001
     - name: Rules

@@ -6808,9 +6808,9 @@ menu:
       url: /security/code_security/iac_security/setup/
       parent: code_security_iac_security
       weight: 100000
-    - name: Exclusions
+    - name: Configuration
       identifier: code_security_iac_security_exclusions
-      url: /security/code_security/iac_security/exclusions/
+      url: /security/code_security/iac_security/configuration/
       parent: code_security_iac_security
       weight: 100001
     - name: Rules

@@ -6808,9 +6808,9 @@ menu:
       url: /security/code_security/iac_security/setup/
       parent: code_security_iac_security
       weight: 100000
-    - name: Exclusions
+    - name: Configuration
       identifier: code_security_iac_security_exclusions
-      url: /security/code_security/iac_security/exclusions/
+      url: /security/code_security/iac_security/configuration/
       parent: code_security_iac_security
       weight: 100001
     - name: Rules

@@ -6808,9 +6808,9 @@ menu:
       url: /security/code_security/iac_security/setup/
       parent: code_security_iac_security
       weight: 100000
-    - name: Exclusions
+    - name: Configuration
       identifier: code_security_iac_security_exclusions
-      url: /security/code_security/iac_security/exclusions/
+      url: /security/code_security/iac_security/configuration/
       parent: code_security_iac_security
       weight: 100001
     - name: Rules

@@ -9,23 +9,28 @@ further_reading:
 - link: /security/code_security/software_composition_analysis/configuration/
   tag: Documentation
   text: Software Composition Analysis (SCA) Configuration
+- link: /security/code_security/iac_security/configuration/
+  tag: Documentation
+  text: Infrastructure as Code (IaC) Security Configuration
 ---
 
 Datadog Code Security can be configured in Datadog, in a file at the root of your repository, or in both locations.
 
 ## Configuration schema
 
-The configuration file must begin with `schema-version: v1.0` or `schema-version: v1.1`, followed by top-level keys for each product you want to configure. Use `v1.1` to enable SCA support.
+The configuration file must begin with `schema-version: v1.0`, `schema-version: v1.1`, or `schema-version: v1.2`, followed by top-level keys for each product you want to configure. Use `v1.1` to enable SCA support and `v1.2` to enable IaC Security support.
-The configuration file must begin with `schema-version: v1.0`, `schema-version: v1.1`, or `schema-version: v1.2`, followed by top-level keys for each product you want to configure. Use `v1.1` to enable SCA support and `v1.2` to enable IaC Security support.
+The configuration file must begin with a `schema-version` key, followed by top-level keys for each product you want to configure. Use the schema version that matches the products you want to configure:
+
+| Schema version | Supported products      |
+|----------------|-------------------------|
+| v1.0           | SAST                    |
+| v1.1           | SAST, SCA               |
+| v1.2           | SAST, SCA, IaC Security |
+
+The following example shows the top-level structure:
-The configuration file must begin with `schema-version: v1.0`, `schema-version: v1.1`, or `schema-version: v1.2`, followed by top-level keys for each product you want to configure. Use `v1.1` to enable SCA support and `v1.2` to enable IaC Security support.
+The configuration file must begin with a `schema-version` key, followed by top-level keys for each product you want to configure. Use the schema version that matches the products you want to configure:
+
+| Schema version | Supported products      |
+|----------------|-------------------------|
+| v1.0           | SAST                    |
+| v1.1           | SAST, SCA               |
+| v1.2           | SAST, SCA, IaC Security |
+
+The following example shows the top-level structure:
 
 ```yaml
-schema-version: v1.1
+schema-version: v1.2
 sast:
   # Static Code Analysis (SAST) configuration
 sca:
   # Software Composition Analysis (SCA) configuration
+iac:
+  # Infrastructure as Code (IaC) Security configuration
 ```
 
-Both the `sast` and `sca` sections are optional. Any configuration location, including the org level, repository level, or repository file, can include one or both sections. For the full schema for each section, see [Static Code Analysis (SAST) Configuration][1] and [Software Composition Analysis (SCA) Configuration][2].
+The `sast`, `sca`, and `iac` sections are optional. Any configuration location, including the org level, repository level, or repository file, can include one or more sections. For the full schema for each section, see [Static Code Analysis (SAST) Configuration][1], [Software Composition Analysis (SCA) Configuration][2], and [Infrastructure as Code (IaC) Security Configuration][3].
 
 ## Where to define configurations
 
@@ -65,18 +70,18 @@ For each field in a configuration, merge behavior depends on the field type:
 
 | Field type | Merge behavior | Example fields |
 |---|---|---|
-| Lists | Concatenated, with duplicates removed | `use-rulesets`, `ignore-rulesets`, `ignore-paths`, `only-paths` |
+| Lists | Concatenated, with duplicates removed | `use-rulesets`, `ignore-rulesets`, `ignore-rules`, `ignore-paths`, `only-paths` |
 | Scalar values (strings, numbers, booleans) | The value from the highest-precedence configuration is used | `use-default-rulesets`, `use-gitignore`, `max-file-size-kb`, `category` |
 | Maps | Recursively merged | `ruleset-configs`, `rule-configs`, `arguments` |
 
-For the full list of fields, see [Static Code Analysis (SAST) Configuration][1] and [Software Composition Analysis (SCA) Configuration][2].
+For the full list of fields, see [Static Code Analysis (SAST) Configuration][1], [Software Composition Analysis (SCA) Configuration][2], and [Infrastructure as Code (IaC) Security Configuration][3].
 
 The following example shows how configurations are merged:
 
 #### Org-level
 
 ```yaml
-schema-version: v1.1
+schema-version: v1.2
 sast:
   use-default-rulesets: false
   use-rulesets:
@@ -92,12 +97,18 @@ sast:
 sca:
   ignore-paths:
     - "vendor/"
+iac:
+  ignore-rules:
+    - A
+  global-config:
+    ignore-paths:
+      - "examples/"
 ```
 
 #### Repo-level
 
 ```yaml
-schema-version: v1.1
+schema-version: v1.2
 sast:
   use-rulesets:
     - B
@@ -115,12 +126,18 @@ sast:
 sca:
   ignore-paths:
     - "third_party/"
+iac:
+  ignore-rules:
+    - B
+  global-config:
+    ignore-paths:
+      - "generated/"
 ```
 
 #### Merged result
 
 ```yaml
-schema-version: v1.1
+schema-version: v1.2
 sast:
   use-default-rulesets: false
   use-rulesets:
@@ -143,11 +160,19 @@ sca:
   ignore-paths:
     - "vendor/"
     - "third_party/"
+iac:
+  ignore-rules:
+    - A
+    - B
+  global-config:
+    ignore-paths:
+      - "examples/"
+      - "generated/"
 ```
 
 The example demonstrates each merge rule from the table above:
 
-- **Lists concatenate**: `use-rulesets` merges to `[A, B]`; the SCA `ignore-paths` merges to `["vendor/", "third_party/"]`.
+- **Lists concatenate**: `use-rulesets` merges to `[A, B]`; the SCA `ignore-paths` merges to `["vendor/", "third_party/"]`; the IaC `ignore-rules` merges to `[A, B]`.
 - **Scalars use the highest-precedence value**: `maxCount: 22` (repo-level) overrides `maxCount: 10` (org-level).
 - **Maps merge recursively**: The `foo` rule config keeps `ignore-paths` from the org level while applying `maxCount: 22` from the repo level. New entries like `bar` are added from the repo level.
 
@@ -157,3 +182,4 @@ The example demonstrates each merge rule from the table above:
 
 [1]: /security/code_security/static_analysis/configuration/
 [2]: /security/code_security/software_composition_analysis/configuration/
+[3]: /security/code_security/iac_security/configuration/
@@ -9,9 +9,9 @@ further_reading:
   - link: "/security/code_security/iac_security/setup"
     tag: "Documentation"
     text: "Set up IaC Security"
-  - link: "/security/code_security/iac_security/exclusions"
+  - link: "/security/code_security/iac_security/configuration"
     tag: "Documentation"
-    text: "Configure IaC Security Exclusions"
+    text: "Configure IaC Security"
   - link: "/security/code_security/iac_security/iac_rules/"
     tag: "Documentation"
     text: "IaC Security Rules"
@@ -76,25 +76,25 @@ To restore a muted finding, click **Unmute** in the details panel. You can also
 
 You can configure exclusions to prevent certain findings from appearing in scan results. Exclusions can be based on rule ID, file path, resource type, severity, or tag.
 
-Exclusions are managed through a configuration file or inline comments in your IaC code. For supported formats and usage examples, see [Configure IaC Security Exclusions][7].
+Exclusions are managed through a configuration file or inline comments in your IaC code. For supported formats and usage examples, see [Configure IaC Security][7].
 
 ## Next steps
 
 1. [Set up IaC Security][1] in your environment.
-2. Configure [scanning exclusions][2] to reduce false positives or ignore expected results.
+2. Configure [IaC Security][2] to reduce false positives or ignore expected results.
 3. Review and triage findings on the [Code Security Vulnerabilities][3] page.
 
 ## Further reading
 
 {{< partial name="whats-next/whats-next.html" >}}
 
 [1]: /security/code_security/iac_security/setup
-[2]: /security/code_security/iac_security/exclusions
+[2]: /security/code_security/iac_security/configuration
 [3]: https://app.datadoghq.com/security/code-security/iac
 [4]: /security/ticketing_integrations#bidirectional-ticket-syncing-with-jira
 [5]: /security/code_security/dev_tool_int/github_pull_requests/
 [6]: https://app.datadoghq.com/ci/code-analysis?
-[7]: /security/code_security/iac_security/exclusions/?tab=yaml
+[7]: /security/code_security/iac_security/configuration/
 [8]: /security/automation_pipelines/mute
 [9]: https://app.datadoghq.com/integrations/github/
 [10]: /security/automation_pipelines/