From 8eb71bb7c8a33e5744bf0f137cda275ed2e29aee Mon Sep 17 00:00:00 2001 From: DeForest Richards Date: Fri, 7 Nov 2025 10:15:18 -0700 Subject: [PATCH 1/2] Add section for PR Gates --- .../security/code_security/iac_security/_index.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/content/en/security/code_security/iac_security/_index.md b/content/en/security/code_security/iac_security/_index.md index 123019861c1be..7b9a8576a46c2 100644 --- a/content/en/security/code_security/iac_security/_index.md +++ b/content/en/security/code_security/iac_security/_index.md @@ -15,6 +15,9 @@ further_reading: - link: "/security/code_security/iac_security/iac_rules/" tag: "Documentation" text: "IaC Security Rules" + - link: "/pr_gates/" + tag: "Documentation" + text: "PR Gates" --- Datadog Infrastructure as Code (IaC) Security detects misconfigurations in Terraform and Kubernetes configurations before they're deployed. It flags issues such as missing encryption or overly permissive access in files stored in your connected GitHub, GitLab, or Azure DevOps repositories. Supported file types include standalone Terraform files, local modules, and Kubernetes manifests. 
@@ -31,6 +34,12 @@ IaC Security integrates with your repositories to continuously scan for misconfi When a pull request includes infrastructure-as-code changes, Datadog adds inline comments to flag any violations. Where applicable, it also suggests code fixes that can be applied directly in the pull request. You can also open a new pull request from Datadog to remediate a finding. For more information, see [Pull Request Comments][5]. +### Automatically block risky changes with PR Gates + +Use [PR Gates][11] to enforce security standards on infrastructure-as-code changes before they're merged. Datadog scans the IaC changes in each pull request and reports a pass or fail status to GitHub based on your configured severity threshold. + +By default, checks are informational, but you can make them blocking in GitHub to prevent merging when critical issues are detected. For setup instructions, see [Set up PR Gate Rules][12]. + ### View and filter findings After setting up IaC Security, each commit to a scanned repository triggers a scan. Findings are summarized on the [Code Security Vulnerabilities][3] page and grouped per repository on the [Code Security Repositories][6] page. @@ -85,4 +94,6 @@ Exclusions are managed through a configuration file or inline comments in your I [7]: /security/code_security/iac_security/exclusions/?tab=yaml [8]: /security/automation_pipelines/mute [9]: https://app.datadoghq.com/integrations/github/ -[10]: /security/automation_pipelines/ \ No newline at end of file +[10]: /security/automation_pipelines/ +[11]: /pr_gates/ +[12]: /pr_gates/setup \ No newline at end of file From ed54321ef8f3c26b5849eedaba5e72d4db6c3a1e Mon Sep 17 00:00:00 2001 From: DeForest Richards Date: Fri, 7 Nov 2025 11:33:27 -0700 Subject: [PATCH 2/2] Minor edits --- content/en/security/code_security/iac_security/_index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
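Review bot: In the further_reading hunk of PATCH 1/2, the new entry links to "/pr_gates/", a site-root path, while every other link in that list and in the page's reference block lives under /security/... (for example "/security/code_security/iac_security/iac_rules/" and "/security/automation_pipelines/"); confirm the PR Gates page really is published at the root, or point the entry at its /security/... location so it matches the rest of the Code Security docs.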
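Review bot: In the new "Automatically block risky changes with PR Gates" section, "reports a pass or fail status to GitHub" and "make them blocking in GitHub" restrict the feature to GitHub, but the page's opening paragraph says IaC Security scans repositories connected from GitHub, GitLab, or Azure DevOps; either list the providers PR Gates support or state that they are GitHub-only so readers on the other providers are not left guessing. The second paragraph also says checks can be made blocking "in GitHub" without saying where that is configured; either name the setting or make clear that [Set up PR Gate Rules][12] covers it.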
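Review bot: In the link-reference hunk, the new "[12]: /pr_gates/setup" has no trailing slash while "[11]: /pr_gates/" and every other reference on the page end with one; add the slash for consistency so the link does not depend on a redirect. The hunk also rewrites the last line of the file yet keeps the "\ No newline at end of file" state; since that line is being touched anyway, end the file with a newline.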
diff --git a/content/en/security/code_security/iac_security/_index.md b/content/en/security/code_security/iac_security/_index.md index 7b9a8576a46c2..9110822f58955 100644 --- a/content/en/security/code_security/iac_security/_index.md +++ b/content/en/security/code_security/iac_security/_index.md @@ -36,9 +36,9 @@ When a pull request includes infrastructure-as-code changes, Datadog adds inline ### Automatically block risky changes with PR Gates -Use [PR Gates][11] to enforce security standards on infrastructure-as-code changes before they're merged. Datadog scans the IaC changes in each pull request and reports a pass or fail status to GitHub based on your configured severity threshold. +Use [PR Gates][11] to enforce security standards on infrastructure-as-code changes before they're merged. Datadog scans the IaC changes in each pull request, identifies any vulnerabilities above your configured severity threshold, and reports a pass or fail status to GitHub or Azure DevOps. -By default, checks are informational, but you can make them blocking in GitHub to prevent merging when critical issues are detected. For setup instructions, see [Set up PR Gate Rules][12]. +By default, checks are informational, but you can make them blocking in GitHub or Azure DevOps to prevent merging when critical issues are detected. For setup instructions, see [Set up PR Gate Rules][12]. ### View and filter findings
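Review bot: In the rewritten first paragraph of PATCH 2/2, "identifies any vulnerabilities above your configured severity threshold" introduces the term "vulnerabilities" where the rest of this page calls IaC findings misconfigurations or violations ("detects misconfigurations", "flag any violations"); use one term, for example "identifies any misconfigurations at or above your configured severity threshold", which also settles whether a finding at exactly the threshold severity fails the check. Both changed lines add Azure DevOps next to GitHub but still omit GitLab, which the page intro lists as a supported repository source; say explicitly that PR Gates are not available for GitLab, or add it.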