rust-sanitize 0.11.0

Deterministic one-way data sanitization engine
# Datadog Agent — API keys, tokens, and credentials in agent flares and configs

# Datadog API key — 32 lowercase hex characters
# Appears in datadog.yaml, env vars, and flare diagnostic output
#
# This is a shape-only match: any standalone run of exactly 32 lowercase hex
# digits is captured (the \b on both sides rejects longer hex runs). MD5
# digests, dash-less UUIDs and 128-bit hex trace IDs have the same shape and
# are caught as well. For a sanitizer that is the safe direction; the cost is
# readability of the sanitized output, not secrecy.
# The class is [0-9a-f] with no (?i), so an upper-case rendering of a key is
# not matched by this rule.
- kind: regex
  pattern: '\b([0-9a-f]{32})\b'
  category: auth_token
  label: dd_api_key_hex

# Datadog application key — 40 lowercase hex characters
#
# Shape-only match on exactly 40 lowercase hex digits. SHA-1 digests and full
# git commit SHAs have the same shape, so they are captured too; expect those
# to be replaced in sanitized output. Upper-case hex is not matched (no (?i)).
- kind: regex
  pattern: '\b([0-9a-f]{40})\b'
  category: auth_token
  label: dd_app_key_hex

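# DD_API_KEY / DD_APP_KEY in environment variable form (shell, docker-compose, k8s)
#
# (?i) applies to the whole pattern, so both the variable name and the hex
# value are matched case-insensitively; this is the rule that catches an
# upper-case key next to its variable name.
# An optional opening quote (" or ', written \x27) is accepted before the
# value so that DD_API_KEY="<hex>" and DD_API_KEY: '<hex>' are matched as
# well as the bare form. The quote sits outside the capture group.
# Not matched: the Kubernetes env layout where the name and the value are on
# separate `name:` / `value:` lines; only the inline NAME=value or
# NAME: value form is covered here.
- kind: regex
  pattern: '(?i)\bDD_(?:API|APP)_KEY\s*[=:]\s*["\x27]?([0-9a-f]{32,40})\b'
  category: auth_token
  label: dd_env_api_key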

# Cluster Agent auth token (arbitrary string, at least 32 chars)
#
# Matches `cluster_agent_auth_token`, `cluster-agent-auth-token` and the
# separator-less spelling, case-insensitively, followed by `=` or `:`.
# There is no \b before "cluster", so the name also matches as the tail of a
# longer key such as an upper-case env var ending in CLUSTER_AGENT_AUTH_TOKEN.
# The captured value is limited to [A-Za-z0-9-._~+/]; `=` is not in the
# class, so trailing base64 padding stays outside the capture.
# Values shorter than 32 characters are not matched by this rule.
- kind: regex
  pattern: '(?i)cluster[_-]?agent[_-]?auth[_-]?token\s*[=:]\s*["\x27]?([A-Za-z0-9\-._~+/]{32,})["\x27]?'
  category: auth_token
  label: dd_cluster_agent_token_inline

# Proxy URL with embedded credentials: http://user:pass@host:port
#
# The capture group is the `user:pass` userinfo before the `@`.
# NOTE(review): things to be aware of when relying on this rule:
#  - The second class, [^@\s]+, is not limited to the URL authority. A URL
#    with a port and a later `@` in its path or query (host:8080/...?x=a@b)
#    also matches, and `8080/...?x=a` is treated as credentials.
#  - A password containing a literal (not percent-encoded) `@` is cut at the
#    first `@`; the rest of the password is left in the output.
#  - A colon is required, so token-only userinfo (https://token@host) is not
#    matched.
#  - Only http:// and https:// are covered; other proxy schemes are not.
- kind: regex
  pattern: '(?i)https?://([^:@\s]+:[^@\s]+)@'
  category: auth_token
  label: dd_proxy_credentials

# SNMP community string in flare text output (shows up as plain key: value lines)
#
# Matches `community_string`, `community string` and `communitystring`,
# case-insensitively, followed by `=` or `:` and an optionally quoted value.
# NOTE(review): \S{1,64} is greedy and \S includes quote characters, so for a
# quoted value such as "abc" the capture is `abc"` and the trailing optional
# quote matches nothing. If the engine replaces capture group 1 (presumably,
# since every rule here has one — confirm), the closing quote is consumed
# and the same community string yields a different captured value depending
# on whether it was quoted. That would also keep an allow-listed value from
# comparing equal when quoted.
# Values longer than 64 non-space characters are captured only up to the
# first 64; the remainder is left in place.
- kind: regex
  pattern: '(?i)community[_\s]?string\s*[=:]\s*["\x27]?(\S{1,64})["\x27]?'
  category: auth_token
  label: dd_snmp_community_inline

# field-name signal: catch high-entropy password/secret/token values in
# nested integration configs and config_providers blocks
#
# The pattern is anchored (^...$) and has no (?i): only these exact,
# lower-case key names match. `Password`, `db_password` or `api_token` do
# not, and neither do the SNMPv3 `authKey` / `privKey` fields.
# NOTE(review): `threshold` is presumably a minimum entropy score for the
# value — confirm against the engine. If so, a short or low-entropy password
# under one of these keys scores below 3.0 and is left unredacted even
# though it is still a credential.
- kind: field-name
  pattern: "^(password|passwd|secret|auth_token|token)$"
  category: auth_token
  label: dd_credential_signal
  threshold: 3.0

# field-name signal for API/application keys and OAuth-style secrets.
# Anchored and case-sensitive: only these exact lower-case key names match;
# prefixed or camelCase variants (for example `dd_api_key`, `apiKey`) do not.
# NOTE(review): the higher threshold (3.5) presumably demands more entropy
# before a value is treated as a key — confirm against the engine. Values
# scoring below it under these keys are not redacted by this rule.
- kind: field-name
  pattern: "^(api_key|app_key|apikey|appkey|client_secret|access_token)$"
  category: auth_token
  label: dd_key_signal
  threshold: 3.5

# Allow list: values that are presumably exempt from redaction even when a
# rule above would match them — confirm how the engine compares entries
# (exact vs. glob, case sensitivity, whole value vs. substring).
# Every entry is quoted, so boolean-, null- and number-looking strings
# ("no", "null", "0") stay strings when the file is parsed.
- kind: allow
  values:
    # Datadog site and endpoint names
    - "datadoghq.com"
    - "datadoghq.eu"
    - "us3.datadoghq.com"
    - "us5.datadoghq.com"
    - "ap1.datadoghq.com"
    - "ddog-gov.com"
    - "app.datadoghq.com"
    # Product names that appear as field values
    - "datadog"
    - "datadog-agent"
    # Loopback and unspecified addresses
    - "localhost"
    - "127.0.0.1"
    - "0.0.0.0"
    - "::1"
    # Boolean-, null- and number-like literals
    - "true"
    - "false"
    - "yes"
    - "no"
    - "null"
    - "none"
    - "nil"
    - "0"
    - "1"
    # Well-known defaults and placeholder words.
    # NOTE(review): "public" is the conventional default SNMP community and
    # "changeme" a common default password. Allow-listing them keeps them
    # readable in sanitized output, which also shows the recipient that a
    # default credential is configured. Keep them only if that disclosure is
    # acceptable for whoever receives the sanitized files.
    - "public"
    - "changeme"
    - "example"
    - "sample"
    - "placeholder"
    # Template and secret-reference forms (`*` presumably a wildcard —
    # confirm). "ENC[*]" corresponds to the Agent's ENC[handle] secret
    # reference, which names a secret rather than containing one.
    # NOTE(review): "<*>" is broad; if `*` is a wildcard, any value wrapped
    # in angle brackets is exempt.
    - "${*}"
    - "{{*}}"
    - "ENC[*]"
    - "<*>"
    # Reserved documentation domains
    - "example.com"
    - "example.org"