feat: add secrets discovery support

docs: Updated method documentation

PiperOrigin-RevId: 636593602

google/privacy/dlp/v2/dlp.proto

@@ -1853,7 +1853,7 @@ message InspectDataSourceDetails {
     // inspect job.
     repeated InfoTypeStats info_type_stats = 3;
 
-    // Number of rows scanned post sampling and time filtering (Applicable for
+    // Number of rows scanned after sampling and time filtering (applicable for
     // row based stores such as BigQuery).
     int64 num_rows_processed = 5;
 
@@ -1989,6 +1989,9 @@ message InfoTypeCategory {
     // The infoType is typically used in Australia.
     AUSTRALIA = 3;
 
+    // The infoType is typically used in Azerbaijan.
+    AZERBAIJAN = 48;
+
     // The infoType is typically used in Belgium.
     BELGIUM = 4;
 
@@ -3938,7 +3941,7 @@ message Error {
   repeated google.protobuf.Timestamp timestamps = 2;
 }
 
-// Contains a configuration to make api calls on a repeating basis.
+// Contains a configuration to make API calls on a repeating basis.
 // See
 // https://cloud.google.com/sensitive-data-protection/docs/concepts-job-triggers
 // to learn more.
@@ -4773,13 +4776,9 @@ message DataProfileAction {
     // New profile (not a re-profile).
     NEW_PROFILE = 1;
 
-    // Changed one of the following profile metrics:
-    // * Data risk score
-    // * Sensitivity score
-    // * Resource visibility
-    // * Encryption type
-    // * Predicted infoTypes
-    // * Other infoTypes
+    // One of the following profile metrics changed: Data risk score,
+    // Sensitivity score, Resource visibility, Encryption type, Predicted
+    // infoTypes, Other infoTypes
     CHANGED_PROFILE = 2;
 
     // Table data risk score or sensitivity score increased.
@@ -5036,6 +5035,11 @@ message DiscoveryTarget {
     // Cloud SQL target for Discovery. The first target to match a table will be
     // the one applied.
     CloudSqlDiscoveryTarget cloud_sql_target = 2;
+
+    // Discovery target that looks for credentials and secrets stored in cloud
+    // resource metadata and reports them as vulnerabilities to Security Command
+    // Center. Only one target of this type is allowed.
+    SecretsDiscoveryTarget secrets_target = 3;
   }
 }
 
@@ -5088,6 +5092,11 @@ message DiscoveryBigQueryFilter {
     // configuration. If none is specified, a default one will be added
     // automatically.
     AllOtherBigQueryTables other_tables = 2;
+
+    // The table to scan. Discovery configurations including this can only
+    // include one DiscoveryTarget (the DiscoveryTarget with this
+    // TableReference).
+    TableReference table_reference = 3;
   }
 }
 
@@ -5272,7 +5281,7 @@ message DatabaseResourceRegexes {
 // under the google/re2 repository on GitHub.
 message DatabaseResourceRegex {
   // For organizations, if unset, will match all projects. Has no effect
-  // for Data Profile configurations created within a project.
+  // for configurations created within a project.
   string project_id_regex = 1;
 
   // Regex to test the instance name against. If empty, all instances match.
@@ -5294,12 +5303,19 @@ message AllOtherDatabaseResources {}
 // Identifies a single database resource, like a table within a database.
 message DatabaseResourceReference {
   // Required. If within a project-level config, then this must match the
-  // config's project id.
+  // config's project ID.
   string project_id = 1 [(google.api.field_behavior) = REQUIRED];
 
   // Required. The instance where this resource is located. For example: Cloud
-  // SQL's instance id.
+  // SQL instance ID.
   string instance = 2 [(google.api.field_behavior) = REQUIRED];
+
+  // Required. Name of a database within the instance.
+  string database = 3 [(google.api.field_behavior) = REQUIRED];
+
+  // Required. Name of a database resource, for example, a table within the
+  // database.
+  string database_resource = 4 [(google.api.field_behavior) = REQUIRED];
 }
 
 // Requirements that must be true before a table is profiled for the
@@ -5313,10 +5329,10 @@ message DiscoveryCloudSqlConditions {
     // Include all supported database engines.
     ALL_SUPPORTED_DATABASE_ENGINES = 1;
 
-    // MySql database.
+    // MySQL database.
     MYSQL = 2;
 
-    // PostGres database.
+    // PostgreSQL database.
     POSTGRES = 3;
   }
 
@@ -5347,14 +5363,14 @@ message DiscoveryCloudSqlConditions {
 // New tables are scanned as quickly as possible depending on system
 // capacity.
 message DiscoveryCloudSqlGenerationCadence {
-  // How frequency to modify the profile when the table's schema is modified.
+  // How frequently to modify the profile when the table's schema is modified.
   message SchemaModifiedCadence {
     // The type of modification that causes a profile update.
     enum CloudSqlSchemaModification {
       // Unused.
       SQL_SCHEMA_MODIFICATION_UNSPECIFIED = 0;
 
-      // New columns has appeared.
+      // New columns have appeared.
       NEW_COLUMNS = 1;
 
       // Columns have been removed from the table.
@@ -5375,11 +5391,25 @@ message DiscoveryCloudSqlGenerationCadence {
 
   // Data changes (non-schema changes) in Cloud SQL tables can't trigger
   // reprofiling. If you set this field, profiles are refreshed at this
-  // frequency regardless of whether the underlying tables have changes.
+  // frequency regardless of whether the underlying tables have changed.
   // Defaults to never.
   DataProfileUpdateFrequency refresh_frequency = 2;
 }
 
+// Discovery target for credentials and secrets in cloud resource metadata.
+//
+// This target does not include any filtering or frequency controls. Cloud
+// DLP will scan cloud resource metadata for secrets daily.
+//
+// No inspect template should be included in the discovery config for a
+// security benchmarks scan. Instead, the built-in list of secrets and
+// credentials infoTypes will be used (see
+// https://cloud.google.com/sensitive-data-protection/docs/infotypes-reference#credentials_and_secrets).
+//
+// Credentials and secrets discovered will be reported as vulnerabilities to
+// Security Command Center.
+message SecretsDiscoveryTarget {}
+
 // The location to begin a discovery scan. Denotes an organization ID or folder
 // ID within an organization.
 message DiscoveryStartingLocation {
@@ -6523,8 +6553,8 @@ enum ResourceVisibility {
   RESOURCE_VISIBILITY_PUBLIC = 10;
 
   // May contain public items.
-  // For example, if a GCS bucket has uniform bucket level access disabled, some
-  // objects inside it may be public.
+  // For example, if a Cloud Storage bucket has uniform bucket level access
+  // disabled, some objects inside it may be public.
   RESOURCE_VISIBILITY_INCONCLUSIVE = 15;
 
   // Visible only to specific users.
@@ -7049,8 +7079,7 @@ message ListConnectionsRequest {
   // results. If set, all other request fields must match the original request.
   string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
 
-  // Optional. * Supported fields/values
-  //     - `state` - MISSING|AVAILABLE|ERROR
+  // Optional. Supported field/value: `state` - MISSING|AVAILABLE|ERROR
   string filter = 4 [(google.api.field_behavior) = OPTIONAL];
 }
 
@@ -7072,8 +7101,7 @@ message SearchConnectionsRequest {
   // results. If set, all other request fields must match the original request.
   string page_token = 3 [(google.api.field_behavior) = OPTIONAL];
 
-  // Optional. * Supported fields/values
-  //     - `state` - MISSING|AVAILABLE|ERROR
+  // Optional. Supported field/value: - `state` - MISSING|AVAILABLE|ERROR
   string filter = 4 [(google.api.field_behavior) = OPTIONAL];
 }
 
@@ -7168,10 +7196,10 @@ enum ConnectionState {
   // A configured connection that encountered errors during its last use. It
   // will not be used again until it is set to AVAILABLE.
   //
-  // If the resolution requires external action, then a request to set the
-  // status to AVAILABLE will mark this connection for use. Otherwise, any
-  // changes to the connection properties will automatically mark it as
-  // AVAILABLE.
+  // If the resolution requires external action, then the client must send a
+  // request to set the status to AVAILABLE when the connection is ready for
+  // use. If the resolution doesn't require external action, then any changes to
+  // the connection properties will automatically mark it as AVAILABLE.
   ERROR = 3;
 }
 
@@ -7189,8 +7217,8 @@ message SecretManagerCredential {
       [(google.api.field_behavior) = REQUIRED];
 }
 
-// Use IAM auth to connect. This requires the Cloud SQL IAM feature to be
-// enabled on the instance, which is not the default for Cloud SQL.
+// Use IAM authentication to connect. This requires the Cloud SQL IAM feature
+// to be enabled on the instance, which is not the default for Cloud SQL.
 // See https://cloud.google.com/sql/docs/postgres/authentication and
 // https://cloud.google.com/sql/docs/mysql/authentication.
 message CloudSqlIamCredential {}
@@ -7200,13 +7228,13 @@ message CloudSqlProperties {
   // Database engine of a Cloud SQL instance.
   // New values may be added over time.
   enum DatabaseEngine {
-    // An engine that is not currently supported by SDP.
+    // An engine that is not currently supported by Sensitive Data Protection.
     DATABASE_ENGINE_UNKNOWN = 0;
 
     // Cloud SQL for MySQL instance.
     DATABASE_ENGINE_MYSQL = 1;
 
-    // Cloud SQL for Postgres instance.
+    // Cloud SQL for PostgreSQL instance.
     DATABASE_ENGINE_POSTGRES = 2;
   }
 

google/privacy/dlp/v2/storage.proto

@@ -859,6 +859,16 @@ message BigQueryTable {
   string table_id = 3;
 }
 
+// Message defining the location of a BigQuery table with the projectId inferred
+// from the parent project.
+message TableReference {
+  // Dataset ID of the table.
+  string dataset_id = 1;
+
+  // Name of the table.
+  string table_id = 2;
+}
+
 // Message defining a field of a BigQuery table.
 message BigQueryField {
   // Source table of the field.