---
title: Rule Configuration
description: >-
  Configure rules for Datadog Secret Scanning, including managed default rules
  and custom regex rules.
breadcrumbs: Docs > Datadog Security > Code Security > Secret Scanning > Rule Configuration
---

> For the complete documentation index, see [llms.txt](https://docs.datadoghq.com/llms.txt).

# Rule Configuration

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

By default, Datadog Secret Scanning scans enabled repositories with all [rules in the Secrets & Credentials category of Sensitive Data Scanner](https://docs.datadoghq.com/security/sensitive_data_scanner/scanning_rules/library_rules.md?category=Secrets+and+credentials). You can customize which rules run, modify default rules, and create custom rules on the [Code configuration page](https://app.datadoghq.com/sensitive-data-scanner/configuration/code) in SDS.

## Scanning groups{% #scanning-groups %}

There are two scanning groups that configure Secret Scanning rules.

### Managed scanning group{% #managed-scanning-group %}

The managed scanning group is managed by Datadog's security team. It automatically receives new rules and updates to rules, and is enabled by default for all organizations.

{% image
   source="https://docs.dd-static.net/images/code_security/secret_scanning/managed_scanning_group_not_customized.ffdd6ecb704c17a730d6c601ee17c20e.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/code_security/secret_scanning/managed_scanning_group_not_customized.ffdd6ecb704c17a730d6c601ee17c20e.png?auto=format&fit=max&w=850&dpr=2 2x"
   alt="Managed scanning group" /%}

### Custom rule scanning group{% #custom-rule-scanning-group %}

The custom scanning group is managed by user orgs. You can [create and test custom regex rules](https://docs.datadoghq.com/security/sensitive_data_scanner/scanning_rules/custom_rules.md) or add rules from the SDS rules library.

{% image
   source="https://docs.dd-static.net/images/code_security/secret_scanning/custom_scanning_group.a824a6f4a46de08c676e69d86f2d1a52.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/code_security/secret_scanning/custom_scanning_group.a824a6f4a46de08c676e69d86f2d1a52.png?auto=format&fit=max&w=850&dpr=2 2x"
   alt="Custom scanning group" /%}

## Configuring rules{% #configuring-rules %}

### Customizing default rules{% #customizing-default-rules %}

To customize the severity and keywords of a managed default rule, hover over the rule and click the pencil icon on the right.

{% image
   source="https://docs.dd-static.net/images/code_security/secret_scanning/customize_default_rule.254872b20310138ae05a2e4c064e4f40.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/code_security/secret_scanning/customize_default_rule.254872b20310138ae05a2e4c064e4f40.png?auto=format&fit=max&w=850&dpr=2 2x"
   alt="Edit rule" /%}



The edit dialog opens.

{% image
   source="https://docs.dd-static.net/images/code_security/secret_scanning/configure_default_rule.809c3ee9e289c2616737c8ec8d498d5c.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/code_security/secret_scanning/configure_default_rule.809c3ee9e289c2616737c8ec8d498d5c.png?auto=format&fit=max&w=850&dpr=2 2x"
   alt="Edit rule popup" /%}



After editing the rule and clicking Update at the bottom right, the modified rule appears as Customized in the managed scanning group.

{% image
   source="https://docs.dd-static.net/images/code_security/secret_scanning/disable_rule.0fd0c1f4a4126ddcdc1ceeb733279389.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/code_security/secret_scanning/disable_rule.0fd0c1f4a4126ddcdc1ceeb733279389.png?auto=format&fit=max&w=850&dpr=2 2x"
   alt="Customized secret scanning rule in managed group" /%}

{% alert level="info" %}
Customized rules do not automatically receive severity/default keyword updates from Datadog's security team. To restore a rule to its managed state, hover over a customized rule and click the restore icon at the right.
{% /alert %}

### Creating custom rules{% #creating-custom-rules %}

To create a custom rule, go to the custom scanning group and click Add scanning rule at the bottom or Add rule at the top right. Create your regex rule, then configure the severity and keywords. After they're enabled, your repositories are scanned with the new rules on the next commit.

{% image
   source="https://docs.dd-static.net/images/code_security/secret_scanning/add_to_custom.a735f3c148bfaeead5ff687067599c29.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/code_security/secret_scanning/add_to_custom.a735f3c148bfaeead5ff687067599c29.png?auto=format&fit=max&w=850&dpr=2 2x"
   alt="Add rule to custom group" /%}

To update a custom rule, hover over the rule and click the pencil icon on the right.

### Disabling rules{% #disabling-rules %}

Disable a rule by clicking the blue toggle on the right.

{% alert level="info" %}
After a specific rule is disabled, existing findings from that rule are auto-closed in Secret Scanning on the next commit.
{% /alert %}
