Dynamic Instrumentation Sensitive Data Scrubbing


Overview

Datadog Dynamic Instrumentation enhances the observability and debugging capabilities of your applications by capturing variable data at arbitrary code locations in production environments. It can also craft and evaluate expressions in real time, and integrate their outputs into log messages or add them as span tags.

While this functionality is powerful, it also presents the possibility of sensitive data leaks, both intentional and unintentional. Alongside the product’s robust data capture capabilities, it also provides comprehensive measures to safeguard sensitive information.

By understanding and properly configuring these redaction mechanisms, you can use Dynamic Instrumentation with confidence and security.

Redact based on identifiers

Default behavior

Dynamic Instrumentation automatically redacts values linked to specific identifiers deemed sensitive, such as password and accessToken. See the full list of redacted identifiers.

Custom identifier redaction

You can further tailor redaction by specifying additional identifiers. In your application’s environment (not on datadog-agent), set the DD_DYNAMIC_INSTRUMENTATION_REDACTED_IDENTIFIERS environment variable to a comma-separated list of identifiers such as firstName,lastName,phoneNumber.

Redaction applies universally, regardless of how the identifier is used in the code (as method arguments, local variables, class attributes, dictionary keys, and so on). The associated values are redacted in your infrastructure and not uploaded to Datadog.

Redact based on specific classes or types

Certain classes may inherently contain sensitive information (for example, a UserCredentials class). Again in your application’s environment (not on datadog-agent), set the DD_DYNAMIC_INSTRUMENTATION_REDACTED_TYPES environment variable to a comma-separated list of sensitive types, such as MyCompany.Authentication.UserCredential,MyCompany.BillingAddress.

Class-based redaction:

  • Redacts variables of the types listed. Their contents are not uploaded to Datadog.
  • Stops probes from being set within any code location in the redacted classes.
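The following is an added illustration of the two redaction mechanisms described above (identifier-based and type-based); it is not Datadog's own implementation. It parses the two environment variables, then walks a constructed sample of captured variables and replaces values whose name matches a redacted identifier wherever it occurs (local, dictionary key, or object attribute) and any object whose class is a redacted type. The case-insensitive, underscore-insensitive name matching and the matching of types on their bare class name are simplifying assumptions of this example, not rules stated on this page.

```python
import os

REDACTED = "{redacted}"
# The two defaults this page names; the real default list is longer.
DEFAULT_IDENTIFIERS = {"password", "accessToken"}

def parse_list(raw):
    """Split a comma-separated env var value, dropping blanks and whitespace."""
    return {item.strip() for item in raw.split(",") if item.strip()}

def normalize(identifier):
    # Assumption for this illustration: matching is case-insensitive and
    # ignores underscores and hyphens (first_name == FirstName == first-name).
    return identifier.lower().replace("_", "").replace("-", "")

def load_config(environ=os.environ):
    """Read the two env vars from the application's environment."""
    ids = DEFAULT_IDENTIFIERS | parse_list(
        environ.get("DD_DYNAMIC_INSTRUMENTATION_REDACTED_IDENTIFIERS", ""))
    types = parse_list(environ.get("DD_DYNAMIC_INSTRUMENTATION_REDACTED_TYPES", ""))
    return {normalize(i) for i in ids}, types

def scrub(value, redacted_ids, redacted_types, name=None):
    """Return a copy of a captured value with sensitive parts replaced.
    Identifier redaction applies wherever the name occurs (argument, local,
    attribute, dict key); an instance of a redacted type is dropped whole."""
    if name is not None and normalize(name) in redacted_ids:
        return REDACTED
    # Illustration matches the bare class name; the real setting takes the
    # fully qualified name (e.g. MyCompany.Authentication.UserCredential).
    if type(value).__name__ in {t.rsplit(".", 1)[-1] for t in redacted_types}:
        return REDACTED
    if isinstance(value, dict):
        return {k: scrub(v, redacted_ids, redacted_types, str(k)) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(scrub(v, redacted_ids, redacted_types) for v in value)
    if hasattr(value, "__dict__"):  # plain object: walk its attributes by name
        return {k: scrub(v, redacted_ids, redacted_types, k) for k, v in vars(value).items()}
    return value

class UserCredential:  # hypothetical sensitive class, constructed for the demo
    def __init__(self, user, secret):
        self.user, self.secret = user, secret

def demo():
    env = {"DD_DYNAMIC_INSTRUMENTATION_REDACTED_IDENTIFIERS": "firstName,lastName,phoneNumber",
           "DD_DYNAMIC_INSTRUMENTATION_REDACTED_TYPES": "MyCompany.Authentication.UserCredential"}
    ids, types = load_config(env)
    snapshot = {"first_name": "Ada", "order": {"id": 42, "PhoneNumber": "+1-555-0100"},
                "creds": UserCredential("ada", "hunter2"), "password": "p@ss", "items": ["a", "b"]}
    return scrub(snapshot, ids, types)  # constructed sample of captured locals
```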

Redact based on variable values with Sensitive Data Scanner

Sensitive Data Scanner identifies and redacts sensitive information based on specific regular expressions.

Initial setup

When you first access Dynamic Instrumentation Setup, you can optionally set up default Sensitive Data Scanner rules for Dynamic Instrumentation. These cover common regular expressions for likely sensitive data such as email addresses or JWT tokens.

Customizing Sensitive Data Scanner

You can disable the default rules or create other rules through the Sensitive Data Scanner. To create a new Sensitive Data Scanner rule for Dynamic Instrumentation, set it to filter on source:dd_debugger.

Note: Unlike identifier- and type-based redaction, which happens in your infrastructure before anything is uploaded, Datadog Sensitive Data Scanner performs its redaction after the information is uploaded to Datadog.
