---
title: Rule Configuration
description: >-
  Configure rules for Datadog Secret Scanning, including managed default rules
  and custom regex rules.
---

# Rule Configuration

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

By default, Datadog Secret Scanning scans enabled repositories with all [rules in the Secrets & Credentials category of Sensitive Data Scanner](https://docs.datadoghq.com/security/sensitive_data_scanner/scanning_rules/library_rules.md?category=Secrets+and+credentials). You can customize which rules run, modify default rules, and create custom rules on the [**Code** configuration page](https://app.datadoghq.com/sensitive-data-scanner/configuration/code) in Sensitive Data Scanner (SDS).

## Scanning groups{% #scanning-groups %}

There are two scanning groups that configure Secret Scanning rules.

### Managed scanning group{% #managed-scanning-group %}

The managed scanning group is managed by Datadog's security team. It automatically receives new rules and updates to rules, and is enabled by default for all organizations.

{% image
   source="https://docs.dd-static.net/images/code_security/secret_scanning/managed_scanning_group_not_customized.ffdd6ecb704c17a730d6c601ee17c20e.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/code_security/secret_scanning/managed_scanning_group_not_customized.ffdd6ecb704c17a730d6c601ee17c20e.png?auto=format&fit=max&w=850&dpr=2 2x"
   alt="Managed scanning group" /%}

### Custom rule scanning group{% #custom-rule-scanning-group %}

The custom scanning group is managed by your organization. You can [create and test custom regex rules](https://docs.datadoghq.com/security/sensitive_data_scanner/scanning_rules/custom_rules.md) or add rules from the SDS rules library.

{% image
   source="https://docs.dd-static.net/images/code_security/secret_scanning/custom_scanning_group.a824a6f4a46de08c676e69d86f2d1a52.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/code_security/secret_scanning/custom_scanning_group.a824a6f4a46de08c676e69d86f2d1a52.png?auto=format&fit=max&w=850&dpr=2 2x"
   alt="Custom scanning group" /%}

## Configuring rules{% #configuring-rules %}

### Customizing default rules{% #customizing-default-rules %}

To customize the severity and keywords of a managed default rule, hover over the rule and click the pencil icon on the right.

{% image
   source="https://docs.dd-static.net/images/code_security/secret_scanning/customize_default_rule.254872b20310138ae05a2e4c064e4f40.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/code_security/secret_scanning/customize_default_rule.254872b20310138ae05a2e4c064e4f40.png?auto=format&fit=max&w=850&dpr=2 2x"
   alt="Edit rule" /%}



The edit dialog opens.

{% image
   source="https://docs.dd-static.net/images/code_security/secret_scanning/configure_default_rule.809c3ee9e289c2616737c8ec8d498d5c.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/code_security/secret_scanning/configure_default_rule.809c3ee9e289c2616737c8ec8d498d5c.png?auto=format&fit=max&w=850&dpr=2 2x"
   alt="Edit rule popup" /%}



After editing the rule and clicking **Update** at the bottom right, the modified rule appears as **Customized** in the managed scanning group.

{% image
   source="https://docs.dd-static.net/images/code_security/secret_scanning/disable_rule.0fd0c1f4a4126ddcdc1ceeb733279389.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/code_security/secret_scanning/disable_rule.0fd0c1f4a4126ddcdc1ceeb733279389.png?auto=format&fit=max&w=850&dpr=2 2x"
   alt="Customized secret scanning rule in managed group" /%}

{% alert level="info" %}
Customized rules do not automatically receive updates to severity or default keywords from Datadog's security team. To restore a rule to its managed state, hover over the customized rule and click the restore icon on the right.
{% /alert %}

### Creating custom rules{% #creating-custom-rules %}

To create a custom rule, go to the custom scanning group and click **Add scanning rule** at the bottom or **Add rule** at the top right. Create your regex rule, then configure the severity and keywords. After the new rules are enabled, your repositories are scanned with them on the next commit.

{% image
   source="https://docs.dd-static.net/images/code_security/secret_scanning/add_to_custom.a735f3c148bfaeead5ff687067599c29.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/code_security/secret_scanning/add_to_custom.a735f3c148bfaeead5ff687067599c29.png?auto=format&fit=max&w=850&dpr=2 2x"
   alt="Add rule to custom group" /%}

To update a custom rule, hover over the rule and click the pencil icon on the right.
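
Before entering a regex and keywords in the rule editor, you can check locally how the pair behaves on representative lines. The following is an added example, not Datadog code: the `acme_` token format, the rule name, and the sample lines are constructed, and keyword matching is modelled as "a keyword appears in the 30 characters before the match", which is an assumption of this sketch. Python's `re` syntax may also differ from the scanner's regex engine.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CandidateRule:
    name: str
    pattern: str          # regex you intend to paste into the rule editor
    keywords: tuple       # lower-case context words
    severity: str
    proximity: int = 30   # ASSUMPTION: keyword window, in characters before the match


def scan(rule, text):
    """Return (line_no, matched_text, keyword_nearby) for every regex match."""
    compiled = re.compile(rule.pattern)
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in compiled.finditer(line):
            window = line[max(0, m.start() - rule.proximity):m.start()].lower()
            nearby = any(k in window for k in rule.keywords)
            findings.append((line_no, m.group(0), nearby))
    return findings


def confirmed(rule, text):
    """Matches that also have a keyword in the assumed window."""
    return [(n, s) for n, s, nearby in scan(rule, text) if nearby]


# Constructed sample: "acme_" + 32 hex chars is a made-up internal token format.
TOKEN = "acme_" + "0123456789abcdef" * 2
BUILD_ID = "acme_" + "f" * 32
SAMPLE = "\n".join([
    f'ACME_API_TOKEN = "{TOKEN}"',          # secret-shaped value, keyword nearby
    f'checksum = "{BUILD_ID}"',             # same shape, no keyword: likely noise
    "# token rotated, old value removed",   # keyword only, no regex match
    'url = "https://example.invalid/acme_deadbeef"',  # too short to match
])

RULE = CandidateRule(
    name="ACME internal API token (hypothetical)",
    pattern=r"\bacme_[0-9a-f]{32}\b",
    keywords=("token", "api_key", "secret"),
    severity="high",
)

if __name__ == "__main__":
    for line_no, value, nearby in scan(RULE, SAMPLE):
        status = "keyword nearby" if nearby else "regex only"
        print(f"line {line_no}: {value[:9]}... [{status}] severity={RULE.severity}")
```

Lines that match the regex but have no keyword nearby show where the pattern alone would be noisy; tighten the regex or adjust the keyword list before enabling the rule.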

### Disabling rules{% #disabling-rules %}

Disable a rule by clicking the blue toggle on the right.

{% alert level="info" %}
After a specific rule is disabled, existing findings from that rule are auto-closed in Secret Scanning on the next commit.
{% /alert %}
