Dynamic Instrumentation Sensitive Data Scrubbing
Overview
Datadog Dynamic Instrumentation enhances the observability and debugging capabilities of your applications by capturing variable data at arbitrary code locations in production environments. It can also craft and evaluate expressions in real time, and integrate their outputs into log messages or add them as span tags.
While this functionality is powerful, it also presents the possibility of sensitive data leaks, both intentional and unintentional. Alongside the product’s robust data capture capabilities, it also provides comprehensive measures to safeguard sensitive information.
By understanding and properly configuring these redaction mechanisms, you can use Dynamic Instrumentation with confidence and security.
Redact based on identifiers
Default behavior
Dynamic Instrumentation automatically redacts values linked to specific identifiers deemed sensitive, such as password and accessToken. See the full list of redacted identifiers.
Custom identifier redaction
You can further tailor redaction by specifying additional identifiers. In your application’s environment (not on datadog-agent), set the DD_DYNAMIC_INSTRUMENTATION_REDACTED_IDENTIFIERS environment variable to a comma-separated list of identifiers such as firstName,lastName,phoneNumber.
Redaction applies universally, regardless of how the identifier is used in the code (as method arguments, local variables, class attributes, dictionary keys, and so on). The associated values are redacted in your infrastructure and not uploaded to Datadog.
Redact based on specific classes or types
Certain classes may inherently contain sensitive information (for example, a UserCredentials class). Again in your application’s environment (not on datadog-agent), set the DD_DYNAMIC_INSTRUMENTATION_REDACTED_TYPES environment variable to a comma-separated list of sensitive types, such as MyCompany.Authentication.UserCredential,MyCompany.BillingAddress.
Class-based redaction:
- Redacts variables of the types listed. Their contents are not uploaded to Datadog.
- Stops probes from being set within any code location in the redacted classes.
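To make the two environment-variable mechanisms above concrete, here is an added example (not Datadog's tracer code, and not a description of its internals) that models what a captured snapshot looks like once identifier-based and type-based redaction have been applied. It parses DD_DYNAMIC_INSTRUMENTATION_REDACTED_IDENTIFIERS and DD_DYNAMIC_INSTRUMENTATION_REDACTED_TYPES, walks nested dictionaries, lists and object attributes, and also models the second bullet (no probes inside redacted classes). The {redacted} marker, case-insensitive identifier matching, matching types by bare class name as well as module-qualified name, and the sample snapshot contents are all assumptions of this model.

```python
import os

# Placeholder marker used by this model; it is an assumption, not Datadog's wire format.
REDACTED = "{redacted}"

# Only the two default identifiers named on the page; the real default list is longer.
DEFAULT_REDACTED_IDENTIFIERS = {"password", "accesstoken"}


def _csv(value):
    """Split a comma-separated environment value into stripped, non-empty entries."""
    return [item.strip() for item in value.split(",") if item.strip()]


def load_redaction_config(env=None):
    """Read the two DD_DYNAMIC_INSTRUMENTATION_* variables from env (default: os.environ).

    Returns (identifiers, types). Identifier comparison is case-insensitive here,
    which is an assumption of this model.
    """
    env = os.environ if env is None else env
    identifiers = set(DEFAULT_REDACTED_IDENTIFIERS)
    identifiers |= {i.lower() for i in _csv(env.get("DD_DYNAMIC_INSTRUMENTATION_REDACTED_IDENTIFIERS", ""))}
    types = set(_csv(env.get("DD_DYNAMIC_INSTRUMENTATION_REDACTED_TYPES", "")))
    return identifiers, types


def _type_names(value):
    """Names under which a value's class can be matched: bare and module-qualified (assumption)."""
    cls = type(value)
    return {cls.__qualname__, f"{cls.__module__}.{cls.__qualname__}"}


def scrub(value, identifiers, types, name=None):
    """Return a copy of a captured value with sensitive parts replaced by REDACTED.

    `name` is the identifier the value was bound to (argument, local, attribute or
    dictionary key); redaction applies the same way wherever the identifier appears.
    """
    if name is not None and name.lower() in identifiers:
        return REDACTED
    if _type_names(value) & types:
        return REDACTED
    if isinstance(value, dict):
        return {k: scrub(v, identifiers, types, name=str(k)) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(scrub(v, identifiers, types) for v in value)
    if hasattr(value, "__dict__"):
        # Plain objects are captured as their attribute map, each attribute name checked.
        return {k: scrub(v, identifiers, types, name=k) for k, v in vars(value).items()}
    return value


def probe_allowed(class_name, types):
    """Model of the second bullet: no probe may be set at a location inside a redacted class."""
    return class_name not in types


class UserCredential:
    def __init__(self, username, password):
        self.username = username
        self.password = password


class BillingAddress:
    def __init__(self, street):
        self.street = street


def sample_snapshot():
    """Constructed locals a probe might capture; every value here is made up."""
    return {
        "user_id": 42,
        "phoneNumber": "+1-555-0100",
        "creds": UserCredential("alice", "hunter2"),
        "profile": {"firstName": "Alice", "lastName": "Smith", "accessToken": "tok-abc"},
        "addresses": [BillingAddress("1 Main St")],
    }


def scrubbed_sample():
    """Apply the page's example settings to the constructed snapshot."""
    env = {
        "DD_DYNAMIC_INSTRUMENTATION_REDACTED_IDENTIFIERS": "firstName,lastName,phoneNumber",
        "DD_DYNAMIC_INSTRUMENTATION_REDACTED_TYPES": "UserCredential,BillingAddress",
    }
    identifiers, types = load_redaction_config(env)
    return scrub(sample_snapshot(), identifiers, types)


if __name__ == "__main__":
    print(scrubbed_sample())
```

Running it shows user_id surviving unchanged, phoneNumber and the two profile name fields removed by the custom identifier list, accessToken removed by the default list, and both the UserCredential object and the BillingAddress list element replaced whole because their types are listed. Note that a type match wins over any identifier, which is why the creds entry disappears even though "creds" itself is not a redacted identifier.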
Redact based on variable values with Sensitive Data Scanner
Sensitive Data Scanner identifies and redacts sensitive information based on specific regular expressions.
Initial setup
When you first access Dynamic Instrumentation Setup, you can optionally set up default Sensitive Data Scanner rules for Dynamic Instrumentation. These cover common regular expressions for likely sensitive data such as email addresses or JWT tokens.
Customizing Sensitive Data Scanner
You can disable the default rules or create other rules through the Sensitive Data Scanner. To create a new Sensitive Data Scanner rule for Dynamic Instrumentation, set it to filter on source:dd_debugger.
Note: Unlike identifier-based and type-based redaction, which happens in your infrastructure before anything is uploaded, Datadog Sensitive Data Scanner performs its redaction after the information is uploaded to Datadog.