From a1e1dc5a68763539bd9a6b11e5efa8f69e2d149a Mon Sep 17 00:00:00 2001 From: Michelle Sun Date: Tue, 11 Nov 2025 14:20:15 -0500 Subject: [PATCH 1/8] adding secrets validation file --- .../secret_scanning/secret_validation.md | 79 +++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 content/en/security/code_security/secret_scanning/secret_validation.md diff --git a/content/en/security/code_security/secret_scanning/secret_validation.md b/content/en/security/code_security/secret_scanning/secret_validation.md new file mode 100644 index 0000000000000..fbac7d966f091 --- /dev/null +++ b/content/en/security/code_security/secret_scanning/secret_validation.md 
@@ -0,0 +1,79 @@ +--- +title: Secret Validation +aliases: /security/code_security/secret_scanning/secret_validation/ +--- +## About validity checks +For a subset of detections (see here), Datadog will check the validity of a detected secret at each scan. For these “live” validity checks, Datadog will generally make requests to provider endpoints to verify that a credential is “active”. Datadog will only make GET requests to endpoints that don’t return any sensitive data or PII, and only to check whether the detection can still be used to access these endpoints. + +Datadog will surface validation status in the explorer, so for secret types with validators, you can see if the detection is active or inactive. You can also filter for “Validation Status” in the facet bar in the explorer. + +For some secret types, we also employ static validation methods (i.e. computing a checksum) to verify the secret is not a false positive. However, static validation is **not shown**, and all references to validation in the explorer correspond to “live” validation. 
+ +## List of supported validators +| Secret type | Static validator available | Live validator available | +|-------------|----------------------------|--------------------------| +|`adobe_access_token`|✓|✓| +|`adobe_refresh_token`|✓|✗| +|`adafruit_io_key`|✗|✓| +|`aiven_personal_token`|✗|✓| +|`anthropic's_claude_api_key`|✗|✓| +|`asana_oauth_token`|✓|✓| +|`asana_personal_access_token`|✗|✓| +|`atlassian_access_token`|✓|✓| +|`atlassian_refresh_token`|✓|✗| +|`aws_access_key_id`|✗|✓| +|`aws_secret_access_key`|✗|✓| +|`azure_container_registry_key`|✓|✗| +|`azure_entra_id_token`|✓|✗| +|`beamer_api_token`|✗|✓| +|`bitbucket_oauth_access_token`|✗|✓| +|`buildkite_access_token`|✗|✓| +|`circleci_personal_access_token`|✗|✓| +|`circleci_project_access_token`|✗|✓| +|`cloudflare_api_token`|✗|✓| +|`cloudflare_origin_ca_key`|✗|✓| +|`contentful_access_token`|✗|✓| +|`datadog_api_key`|✗|✓| +|`datadog_nonce_session_token`|✗|✓| +|`datadog_personal_access_token`|✗|✓| +|`discord_application_oauth_access_token`|✗|✓| +|`discord_application_token`|✗|✓| +|`discord_bot_token`|✗|✓| +|`docker_access_token`|✓|✓| +|`doppler_access_token`|✗|✓| +|`dropbox_access_token`|✗|✓| +|`duffel_test_access_token`|✗|✓| +|`fastly_api_token`|✗|✓| +|`flutterwave_api_secret_key`|✗|✓| +|`frame_io_developer_token`|✗|✓| +|`frame_io_oauth_session_secret`|✗|✓| +|`github_access_token`|✓|✓| +|`github_fine-grained_personal_access_token`|✗|✓| +|`heroku_api_key`|✗|✓| +|`hugging_face_access_token`|✗|✓| +|`intercom_access_token`|✗|✓| +|`launchdarkly_access_token`|✗|✓| +|`lichess_personal_access_token`|✗|✓| +|`non_expired_json_web_token`|✓|✗| +|`notion_integration_token`|✗|✓| +|`npm_access_token`|✓|✓| +|`openai_project_api_key`|✗|✓| +|`openai_user_api_key`|✗|✓| +|`oracle_access_token`|✓|✗| +|`pagerduty_api_token`|✗|✓| +|`perfect_cloud_api_key`|✗|✓| +|`postman_api_key`|✗|✓| +|`pulumi_access_token`|✗|✓| +|`rubygems_api_key`|✗|✓| +|`sendgrid_api_key`|✗|✓| +|`sentry_organization_token`|✗|✓| +|`sentry_personal_token`|✗|✓| 
+|`shippo_api_key`|✗|✓| +|`shippo_jwt`|✓|✓| +|`slack_access_token`|✗|✓| +|`snowflake_personal_access_token`|✓|✗| +|`square_access_token`|✗|✓| +|`typeform_personal_access_token`|✗|✓| +|`twilio_access_token`|✓|✗| +|`workos_api_key`|✗|✓| +|`xai_(grok)_api_key`|✗|✓| \ No newline at end of file From 3420bcb4b8a598ef351e53cee36aca65f0191336 Mon Sep 17 00:00:00 2001 From: Michelle Sun Date: Tue, 11 Nov 2025 14:26:13 -0500 Subject: [PATCH 2/8] adding secrets validation to nav --- config/_default/menus/main.en.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml index 0a978c2138c9b..52882215b7f30 100644 --- a/config/_default/menus/main.en.yaml +++ b/config/_default/menus/main.en.yaml @@ -7039,6 +7039,11 @@ menu: url: /security/code_security/secret_scanning/generic_ci_providers/ parent: sec_secret_scanning weight: 2 + - name: Secret Validation + identifier: sec_secret_scanning_secret_validation + url: /security/code_security/secret_scanning/secret_validation/ + parent: sec_secret_scanning + weight: 3 - name: Runtime Code Analysis (IAST) identifier: sec_iast url: /security/code_security/iast/ From d13dc1f69fe852316361c0511d5980b1bc5d6097 Mon Sep 17 00:00:00 2001 From: Michelle Sun Date: Tue, 11 Nov 2025 14:34:12 -0500 Subject: [PATCH 3/8] updating page --- .../code_security/secret_scanning/secret_validation.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/security/code_security/secret_scanning/secret_validation.md b/content/en/security/code_security/secret_scanning/secret_validation.md index fbac7d966f091..53bf4ff6216e8 100644 --- a/content/en/security/code_security/secret_scanning/secret_validation.md +++ b/content/en/security/code_security/secret_scanning/secret_validation.md 
@@ -5,9 +5,9 @@ aliases: /security/code_security/secret_scanning/secret_validation/ ## About validity checks For a subset of detections (see here), Datadog will check the validity of a detected secret at each scan. For these “live” validity checks, Datadog will generally make requests to provider endpoints to verify that a credential is “active”. Datadog will only make GET requests to endpoints that don’t return any sensitive data or PII, and only to check whether the detection can still be used to access these endpoints. -Datadog will surface validation status in the explorer, so for secret types with validators, you can see if the detection is active or inactive. You can also filter for “Validation Status” in the facet bar in the explorer. +Datadog will surface validation status in the explorer, so for secret types with validators, you can see if the detection is active or inactive. You can also filter or query for “Validation Status” in the explorer. -For some secret types, we also employ static validation methods (i.e. computing a checksum) to verify the secret is not a false positive. However, static validation is **not shown**, and all references to validation in the explorer correspond to “live” validation. +For some secret types, we also employ static validation methods (i.e. computing a checksum) to verify the secret is not a false positive. However, static validation is **not shown**, and all references to validation in the explorer correspond to live validation. ## List of supported validators | Secret type | Static validator available | Live validator available | From 0511c006a8a9746e1b1eae194875f7243a12db21 Mon Sep 17 00:00:00 2001 From: Michelle Sun Date: Tue, 11 Nov 2025 14:38:35 -0500 Subject: [PATCH 4/8] update tags --- .../code_security/secret_scanning/secret_validation.md | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/content/en/security/code_security/secret_scanning/secret_validation.md b/content/en/security/code_security/secret_scanning/secret_validation.md index 53bf4ff6216e8..12d01dd14d754 100644 --- a/content/en/security/code_security/secret_scanning/secret_validation.md +++ b/content/en/security/code_security/secret_scanning/secret_validation.md @@ -1,6 +1,9 @@ --- title: Secret Validation aliases: /security/code_security/secret_scanning/secret_validation/ +is_beta: true +algolia: + tags: ['static analysis', 'ci pipeline', 'SAST', 'secret scanning'] --- ## About validity checks For a subset of detections (see here), Datadog will check the validity of a detected secret at each scan. For these “live” validity checks, Datadog will generally make requests to provider endpoints to verify that a credential is “active”. Datadog will only make GET requests to endpoints that don’t return any sensitive data or PII, and only to check whether the detection can still be used to access these endpoints. From fd03426c187c5de76a808c05f351448eace88b76 Mon Sep 17 00:00:00 2001 From: Michelle Sun Date: Tue, 11 Nov 2025 14:47:09 -0500 Subject: [PATCH 5/8] updating wording based on guid --- .../code_security/secret_scanning/secret_validation.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/en/security/code_security/secret_scanning/secret_validation.md b/content/en/security/code_security/secret_scanning/secret_validation.md index 12d01dd14d754..06f11a9067180 100644 --- a/content/en/security/code_security/secret_scanning/secret_validation.md +++ b/content/en/security/code_security/secret_scanning/secret_validation.md 
@@ -6,11 +6,11 @@ algolia: tags: ['static analysis', 'ci pipeline', 'SAST', 'secret scanning'] --- ## About validity checks -For a subset of detections (see here), Datadog will check the validity of a detected secret at each scan. For these “live” validity checks, Datadog will generally make requests to provider endpoints to verify that a credential is “active”. Datadog will only make GET requests to endpoints that don’t return any sensitive data or PII, and only to check whether the detection can still be used to access these endpoints. +For certain detections (see the list below), Datadog checks whether a detected secret is valid during scans. For these live validation checks, Datadog makes `GET` requests to provider endpoints to confirm that a credential is active. Datadog only makes requests to endpoints that do not return sensitive data or personally identifiable information (PII), and only to verify if the credential can still access the provider endpoint. -Datadog will surface validation status in the explorer, so for secret types with validators, you can see if the detection is active or inactive. You can also filter or query for “Validation Status” in the explorer. +Datadog displays the validation status in the explorer. For secret types with validation available, you can see if a secret is active or inactive. You can also filter or query detections by Validation Status. -For some secret types, we also employ static validation methods (i.e. computing a checksum) to verify the secret is not a false positive. However, static validation is **not shown**, and all references to validation in the explorer correspond to live validation. +For some secret types, Datadog uses static validation methods, such as computing a checksum, to confirm that a detection is not a false positive. Static validation results are not displayed in the explorer - all references to "validation" correspond to live validation results. 
## List of supported validators | Secret type | Static validator available | Live validator available | From fd65837786cd4abbaec34b5bfc72a8b97a19c0bb Mon Sep 17 00:00:00 2001 From: Michelle Sun Date: Tue, 11 Nov 2025 14:50:30 -0500 Subject: [PATCH 6/8] updating wording again --- .../code_security/secret_scanning/secret_validation.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/security/code_security/secret_scanning/secret_validation.md b/content/en/security/code_security/secret_scanning/secret_validation.md index 06f11a9067180..1e27c7d358cd0 100644 --- a/content/en/security/code_security/secret_scanning/secret_validation.md +++ b/content/en/security/code_security/secret_scanning/secret_validation.md 
@@ -8,9 +8,9 @@ algolia: ## About validity checks For certain detections (see the list below), Datadog checks whether a detected secret is valid during scans. For these live validation checks, Datadog makes `GET` requests to provider endpoints to confirm that a credential is active. Datadog only makes requests to endpoints that do not return sensitive data or personally identifiable information (PII), and only to verify if the credential can still access the provider endpoint. -Datadog displays the validation status in the explorer. For secret types with validation available, you can see if a secret is active or inactive. You can also filter or query detections by Validation Status. +For secret types with validation available, Datadog displays the validation status in the explorer as "Active" or "Inactive". You can also filter or query detections by their Validation Status. -For some secret types, Datadog uses static validation methods, such as computing a checksum, to confirm that a detection is not a false positive. Static validation results are not displayed in the explorer - all references to "validation" correspond to live validation results. +For some secret types, Datadog uses static validation methods, such as computing a checksum, to confirm that a detected secret is not a false positive. Static validation results are not displayed - all references to "validation" in the explorer correspond to live validation results. ## List of supported validators | Secret type | Static validator available | Live validator available | From d74f0317699405e7270594d70c16db5e0ef42ded Mon Sep 17 00:00:00 2001 From: michellesdawg Date: Tue, 11 Nov 2025 16:47:25 -0500 Subject: [PATCH 7/8] Update content/en/security/code_security/secret_scanning/secret_validation.md Co-authored-by: Ida Adjivon <65119712+iadjivon@users.noreply.github.com> --- .../security/code_security/secret_scanning/secret_validation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/en/security/code_security/secret_scanning/secret_validation.md b/content/en/security/code_security/secret_scanning/secret_validation.md index 1e27c7d358cd0..9bdb00de11585 100644 --- a/content/en/security/code_security/secret_scanning/secret_validation.md +++ b/content/en/security/code_security/secret_scanning/secret_validation.md @@ -10,7 +10,7 @@ For certain detections (see the list below), Datadog checks whether a detected s For secret types with validation available, Datadog displays the validation status in the explorer as "Active" or "Inactive". You can also filter or query detections by their Validation Status. -For some secret types, Datadog uses static validation methods, such as computing a checksum, to confirm that a detected secret is not a false positive. Static validation results are not displayed - all references to "validation" in the explorer correspond to live validation results. +For some secret types, Datadog uses static validation methods, such as computing a checksum, to confirm that a detected secret is not a false positive. Static validation results are not displayed and all references to "validation" in the explorer correspond to live validation results. ## List of supported validators | Secret type | Static validator available | Live validator available | From 529d16aedc9ccf02e5b3897b9b358fd5fff032d1 Mon Sep 17 00:00:00 2001 From: michellesdawg Date: Wed, 12 Nov 2025 16:32:32 -0500 Subject: [PATCH 8/8] Update content/en/security/code_security/secret_scanning/secret_validation.md Co-authored-by: Taiki --- .../security/code_security/secret_scanning/secret_validation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/security/code_security/secret_scanning/secret_validation.md b/content/en/security/code_security/secret_scanning/secret_validation.md index 9bdb00de11585..007a446b40e03 100644 --- a/content/en/security/code_security/secret_scanning/secret_validation.md 
+++ b/content/en/security/code_security/secret_scanning/secret_validation.md @@ -6,7 +6,7 @@ algolia: tags: ['static analysis', 'ci pipeline', 'SAST', 'secret scanning'] --- ## About validity checks -For certain detections (see the list below), Datadog checks whether a detected secret is valid during scans. For these live validation checks, Datadog makes `GET` requests to provider endpoints to confirm that a credential is active. Datadog only makes requests to endpoints that do not return sensitive data or personally identifiable information (PII), and only to verify if the credential can still access the provider endpoint. +For certain detections (see the list below), Datadog checks whether a detected secret is valid during scans. For these live validation checks, Datadog makes API requests to provider endpoints to confirm that a credential is active. Datadog only makes requests to endpoints that do not return sensitive data or personally identifiable information (PII), and only to verify if the credential can still access the provider endpoint. For secret types with validation available, Datadog displays the validation status in the explorer as "Active" or "Inactive". You can also filter or query detections by their Validation Status.
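Review bot: In PATCH 1/8, the first sentence under `## About validity checks` reads "For a subset of detections (see here)" with no link target, so the reference is dead; point it at the validator table on the same page ("see the list below") or add the link. In the same hunk, "i.e. computing a checksum" should be "e.g.", since a checksum is one example of a static check rather than its definition, and the sentence "Datadog will only make GET requests to endpoints that don't return any sensitive data or PII" is a commitment readers will rely on when judging the side effects of live validation, so confirm it holds for every validator listed in the table before publishing. The file is also created without a trailing newline (`\ No newline at end of file`), which most Markdown linters flag.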
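Review bot: In PATCH 4/8, the `algolia.tags` list (`'static analysis', 'ci pipeline', 'SAST', 'secret scanning'`) reads as copied from a SAST page; only 'secret scanning' describes this content, and 'static analysis' is easy to confuse with the page's own "static validation" term. Consider dropping 'SAST' and 'static analysis' and adding a tag such as 'secret validation' so search lands on this page for its actual topic. `is_beta: true` is set in the same hunk, but nothing in the body says what beta means here; if the validator list is expected to change, one sentence to that effect would help.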
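Review bot: In PATCH 5/8, "Static validation results are not displayed in the explorer - all references to "validation" correspond to live validation results" uses a spaced hyphen as a dash; split it into two sentences. In the first paragraph of the same hunk, "only to verify if the credential can still access the provider endpoint" should be "verify whether".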
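Review bot: In PATCH 6/8, the explorer states are documented only as "Active" or "Inactive"; if a live check can fail to produce a result (provider unreachable, rate limited) or the secret type has no live validator (rows marked ✗ in the table, such as `adobe_refresh_token`), say what the explorer shows in that case. A reader triaging a detection will otherwise read a missing status as "not leaked", which is the wrong conclusion.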
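Review bot: In PATCH 7/8, joining the two clauses with "and" yields one long sentence whose halves have different subjects ("results are not displayed" / "references correspond to live validation"); two sentences read better: "Static validation results are not displayed. All references to "validation" in the explorer correspond to live validation results."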
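Review bot: In PATCH 8/8, replacing "`GET` requests" with "API requests" removes the only statement about what the validation calls do to the provider account; the remaining sentence says what data the endpoints return but not whether the calls are read-only. If the validators never modify state on the provider side, say so explicitly (for example "read-only API requests"), because that is the property a security team needs when deciding whether live validation is acceptable for production credentials; if some validators must use calls that are not plain `GET` (which would explain the wording change), note that instead.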