Onboard integrations to security validation #23109

Merged
dkirov-dd merged 13 commits into master from noueman/allow-require-trusted-provider-in-spec-validator
Apr 1, 2026

@NouemanKHAL NouemanKHAL commented Mar 31, 2026

What does this PR do?

  • Adds trusted provider validation to all integration properties that represent either a command or a file path.
  • Bumps datadog-checks-base minimum version to 37.33.0 which supports security validation

Motivation

Follow-up for #22226 where we only kept datadog_checks_base related changes.

Everything was already reviewed in the PR above, we just separated them as these changes required a minimum_base_check bump. (will be done later in a separate PR)

require_trusted_provider Properties

Shared template properties

These propagate to all integrations that include the respective template.

| Template | Properties |
| --- | --- |
| http | kerberos_cache, kerberos_keytab, auth_token, tls_cert, tls_private_key, tls_ca_cert |
| tls | tls_ca_cert, tls_cert, tls_private_key |
| jmx | tools_jar_path, java_bin_path, trust_store_path, key_store_path |
| openmetrics_legacy_base | bearer_token_path |

Integration-specific properties

| Integration | Properties |
| --- | --- |
| cacti | rrd_path, rrd_whitelist |
| cassandra_nodetool | nodetool |
| ceph | ceph_cmd |
| cisco_aci | cert_key_path |
| clickhouse | tls_ca_cert |
| cloudera | ssl_ca_cert, cert_file, key_file |
| disk | blkid_cache_file |
| foundationdb | cluster_file, tls_certificate_file, tls_key_file, tls_ca_file |
| guarddog | guarddog_path, dependency_file_path |
| gunicorn | gunicorn |
| infiniband | infiniband_path |
| jboss_wildfly | custom_jar_paths |
| kafka_actions | schema_registry_tls_ca_cert, schema_registry_tls_cert, schema_registry_tls_key |
| kafka_consumer | tls_crlfile |
| kube_apiserver_metrics | bearer_token_path |
| kube_scheduler | bearer_token_path |
| lustre | lctl_path, lnetctl_path, lfs_path |
| mac_audit_logs | AUDIT_LOGS_DIR_PATH |
| mapr | stream_path |
| mongo | tls_certificate_key_file, tls_ca_file |
| mysql | sock, defaults_file |
| nagios | nagios_conf |
| network | conntrack_path |
| nfsstat | nfsiostat_path |
| openstack_controller | openstack_config_file_path |
| oracle | jdbc_driver_path, jdbc_truststore_path |
| postfix | directory, config_directory |
| postgres | ssl_root_cert, ssl_cert, ssl_key |
| process | procfs_path, pid_file |
| redisdb | unix_socket_path, ssl_keyfile, ssl_certfile, ssl_ca_certs |
| slurm | slurm_binaries_dir, sinfo_path, sacct_path, sdiag_path, sshare_path, squeue_path, scontrol_path |
| snowflake | ocsp_response_cache_filename, token_path, private_key_path |
| ssh_check | private_key_file |
| tibco_ems | tibemsadmin, script_path |
| tls | local_cert_path |
| tokumx | ssl_keyfile, ssl_certfile, ssl_ca_certs |
| varnish | varnishstat, varnishadm, secretfile |
| vault | client_token_path |

Review checklist (to be filled by reviewers)

  • Feature or bugfix MUST have appropriate tests (unit, integration, e2e)
  • Add the qa/skip-qa label if the PR doesn't need to be tested during QA.
  • If you need to backport this PR to another branch, you can add the backport/<branch-name> label to the PR and it will automatically open a backport PR once this one is merged

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

github-actions Bot commented Mar 31, 2026

⚠️ The qa/skip-qa label has been added with shippable changes

The following files, which will be shipped with the agent, were modified in this PR and
the qa/skip-qa label has been added.

You can ignore this if you are sure the changes in this PR do not require QA. Otherwise, consider removing the label.

List of modified files that will be shipped with the agent

@NouemanKHAL NouemanKHAL added the qa/skip-qa Automatically skip this PR for the next QA label Mar 31, 2026

codecov Bot commented Mar 31, 2026

Codecov Report

❌ Patch coverage is 44.00000% with 14 lines in your changes missing coverage. Please review.
✅ Project coverage is 90.38%. Comparing base (eb0af3b) to head (35b467f).
⚠️ Report is 9 commits behind head on master.


…from require_trusted_provider spec fields

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
NouemanKHAL and others added 2 commits March 31, 2026 15:46
…t state

Use module-level SECURE_FIELD_NAMES constant and field-level _validate security
check (mode='before'), with require_trusted_providers tracked in ModelInfo.
Also restore spec.py validator, template yaml annotations, and changelog.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@NouemanKHAL NouemanKHAL changed the title Allow require_trusted_provider as a valid field in spec.yaml Add support for security validation in ddev models Mar 31, 2026
@NouemanKHAL NouemanKHAL requested review from a team as code owners March 31, 2026 14:15
@NouemanKHAL
Member Author

⚠️ The changelog and labeler jobs are failing because we exceeded the limits (100 labels and 300 file changes).

Contributor

@eric-weaver eric-weaver left a comment

lgtm for DBM. Chatted offline and we'll follow up with expanding Mysql ssl config block separately

@@ -20,6 +20,9 @@
from . import defaults, validators


SECURE_FIELD_NAMES = frozenset(['ocsp_response_cache_filename', 'private_key_path', 'token_path'])
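
Review bot: SECURE_FIELD_NAMES on the added line has no comment saying where its three names come from, and nothing in this hunk ties the set to the spec. Add a short comment that the names mirror the spec.yaml options marked require_trusted_provider, and cover it with a test that compares this set against those options, so that a field renamed or added in the spec without a matching entry here shows up as a test failure.
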
Contributor

how do we test this? and where are these fields from?

Member Author

The fields are from the spec.yaml, for instance:

- name: ocsp_response_cache_filename
