Secret Scanning


Datadog Secret Scanning scans code to find exposed secrets. Datadog also attempts to validate secrets and surface their status (valid, invalid) to help you prioritize secrets remediation.

Set up Secret Scanning

Scans can run in your CI/CD pipelines or directly in Datadog with hosted scanning (supported for GitHub, Azure DevOps, and GitLab). To get started, go to the Code Security Setup and click Activate scanning for your repositories, or learn how to set up Secret Scanning using GitHub Actions or with other CI providers.

Secret Scanning rules

Datadog Secret Scanning is powered by Sensitive Data Scanner (SDS) and includes all of the rules in the Secrets and credentials category of SDS. For a subset of detections, Secret Scanning automatically checks if detected keys are live with third-party active validation.

How it works

Secret Scanning integrates directly with your repositories to continuously detect leaked secrets before they become a threat. Built on Datadog’s static analyzer, it scans every commit across all branches of each configured repository. Findings are surfaced with repository, branch, and file path context so your team can identify, prioritize, and remediate exposed secrets at the source.

Key capabilities

Review exposed secrets in pull requests

When a pull request introduces a leaked secret, Datadog automatically adds inline comments to flag the exposure. You can also open a new pull request from Datadog to remediate the finding directly. For more information, see Pull Request Comments.

Automatically block leaks with PR Gates

Use PR Gates to prevent leaked secrets from being merged into your main branch. Datadog scans each pull request for exposed secrets and reports a pass or fail status directly to GitHub, Azure DevOps, or GitLab (in preview).

By default, checks are informational, but you can make them blocking to prevent merging when secrets are detected. For setup instructions, see Set up PR Gate Rules.

Inline exclusions

You can add inline exclusions to prevent certain findings from appearing in scan results. Comment dd-no-secrets to ignore secrets detected on the next line.
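As an added illustration (not Datadog's scanner or its SDS rule set), the toy scanner below applies two constructed detection patterns and honours a dd-no-secrets comment on the preceding line in the way the exclusion is described above; the patterns, the marker handling and the sample file are assumptions made for this example.

```python
import re

# Constructed patterns for illustration only; Datadog's real rules come from
# the Sensitive Data Scanner "Secrets and credentials" category.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic-api-key": re.compile(
        r"(?i)\b(api[_-]?key|secret|token)\s*[:=]\s*['\"][A-Za-z0-9_\-]{16,}['\"]"
    ),
}
EXCLUDE_MARKER = "dd-no-secrets"


def scan_source(text: str) -> list[tuple[int, str]]:
    """Return (line_number, rule_name) findings for a source file.

    Assumption: a line containing the dd-no-secrets marker suppresses any
    finding on the line immediately after it, matching the documented
    behaviour of the inline exclusion.
    """
    findings = []
    lines = text.splitlines()
    for idx, line in enumerate(lines, start=1):
        previous = lines[idx - 2] if idx >= 2 else ""
        if EXCLUDE_MARKER in previous:
            continue  # suppressed by the inline exclusion on the previous line
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((idx, name))
    return findings


# Constructed sample file. The AKIA value is the well-known AWS documentation
# example key, not a live credential; line 4 is a test fixture the author has
# deliberately excluded, line 6 reads the real key from the environment.
SAMPLE = """\
import os
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
# dd-no-secrets
FIXTURE_KEY = "AKIAIOSFODNN7EXAMPLE"
api_key = "abcdefghijklmnopqrstuv"
real_key = os.environ["API_KEY"]
"""

if __name__ == "__main__":
    for line_no, rule in scan_source(SAMPLE):
        print(f"line {line_no}: {rule}")  # reports lines 2 and 5, not 4
```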

View and filter findings

After setting up Secret Scanning, each commit to a scanned repository triggers a scan. Findings are summarized on the Code Security Vulnerabilities page and grouped per repository on the Code Security Repositories page.

Use filters to narrow results by facets such as:

  • Severity
  • Status (open, muted, fixed)
  • Validation Status
  • Team
  • Repository visibility

Create Jira tickets from findings

You can create a bidirectional Jira ticket directly from any finding to track and remediate issues in your existing workflows. Ticket status remains synced between Datadog and Jira. For more information, see Bidirectional ticket syncing with Jira.

Declare an incident from a leaked secret

Declare an incident from a finding by clicking Declare incident in the Secret Scanning side panel. The incident is pre-filled with all detection metadata.

Mute findings

To suppress a finding, click Mute in the finding details panel. This opens a workflow where you can create a Muting Rule for context-aware filtering by tag values (for example, by repository). Muting a finding hides it and excludes it from reports.

To restore a muted finding, click Unmute in the details panel. You can also use the Status filter on the Code Security Vulnerabilities page to review muted findings.

Next steps

  1. Set up Secret Scanning in your environment.
  2. Set up Automation Pipelines to automate initial triage.
  3. Review findings on the Code Security Vulnerabilities page.
