[SDS-1788] support additional SDS Secondary Validators

[isabella-garza-datadog]

What problem are you trying to solve?

Currently in convert_to_sds_ruleconfig, the only validator that is getting applied from the SDS configurations is JwtExpirationChecker. However, the current version of the sds library supports more validators for Secrets (i.e GithubTokenChecksum).

What is your solution?

This PR updates the convert_to_sds_ruleconfig function to configure all validators that are supported in the sds library version.

Alternatives considered

What the reviewer should know

Validation

• Validated that before the change a Github Access Token with an invalid checksum gets matched

Configuration
=============
version                 : 0.7.0
revision                : development
config method           : remote configuration
cores available         : 16
cores used              : 8
#static analysis rules  : 0
#secrets rules loaded   : 51
source directory        : /Users/isabella.garza/go/src/github.com/DataDog/datadog-static-analyzer
subdirectories          : 
output file             : result.json
static analysis enabled:  false
secrets enabled         : true
output format           : sarif
ignore paths            : debug/,target/,**/*.rs.bk,*.pdb,*~,crates/static-analysis-kernel/.vendor/,.idea,venv,**/node_modules/**/*,**/jspm_packages/**/*,**/.next/**/*,**/.vuepress/**/*,**/venv/**/*,**/__pycache__/**/*,**/_vendor/bundle/ruby/**/*,**/.vendor/bundle/ruby/**/*,**/.bundle/**/*,**/.gradle/**/*,**/TemporaryGeneratedFile_.*.cs,**/*.designer.cs,**/*.generated.cs,**/*.g.cs,**/*.g.i.cs
only paths              : all paths
ignore gitignore        : false
use debug               : true
use staging             : false
ignore gen files        : true
rules languages         : 
max file size           : 200 kb
diff aware data: None
File /Users/isabella.garza/go/src/github.com/DataDog/datadog-static-analyzer/misc/imgs/jetbrains.gif too big (size 263449 bytes, max size 200 kb (204800 bytes))
File /Users/isabella.garza/go/src/github.com/DataDog/datadog-static-analyzer/misc/imgs/vscode.gif too big (size 347839 bytes, max size 200 kb (204800 bytes))
Found 19 secret(s) (including 0 valid) in 4 file(s) using 10 rule(s) within 1 sec(s)

• Validated that after the change a Github Access Token with an invalid checksum does not get matched

Configuration
=============
version                 : 0.7.0
revision                : development
config method           : remote configuration
cores available         : 16
cores used              : 8
#static analysis rules  : 0
#secrets rules loaded   : 51
source directory        : /Users/isabella.garza/go/src/github.com/DataDog/datadog-static-analyzer
subdirectories          : 
output file             : result.json
static analysis enabled:  false
secrets enabled         : true
output format           : sarif
ignore paths            : debug/,target/,**/*.rs.bk,*.pdb,*~,crates/static-analysis-kernel/.vendor/,.idea,venv,**/node_modules/**/*,**/jspm_packages/**/*,**/.next/**/*,**/.vuepress/**/*,**/venv/**/*,**/__pycache__/**/*,**/_vendor/bundle/ruby/**/*,**/.vendor/bundle/ruby/**/*,**/.bundle/**/*,**/.gradle/**/*,**/TemporaryGeneratedFile_.*.cs,**/*.designer.cs,**/*.generated.cs,**/*.g.cs,**/*.g.i.cs
only paths              : all paths
ignore gitignore        : false
use debug               : true
use staging             : false
ignore gen files        : true
rules languages         : 
max file size           : 200 kb
diff aware data: None
File /Users/isabella.garza/go/src/github.com/DataDog/datadog-static-analyzer/misc/imgs/jetbrains.gif too big (size 263449 bytes, max size 200 kb (204800 bytes))
File /Users/isabella.garza/go/src/github.com/DataDog/datadog-static-analyzer/misc/imgs/vscode.gif too big (size 347839 bytes, max size 200 kb (204800 bytes))
Found 18 secret(s) (including 0 valid) in 3 file(s) using 9 rule(s) within 1 sec(s)

[jamesphlewis]

tentative approval, let's test from staging (with the new API response) and production (with the old API response) first before merging to ensure we don't break backwards compat.

[isabella-garza-datadog]

Testing Summary

To verify the new V2 version of the Secret Rule Validator API field (https://github.com/DataDog/dd-source/pull/304183) and ensure backward compatibility with the datadog-static-analyzer service, I performed the following tests after deploying the API changes to staging. I was scanning the datadog-static-analyzer repository during these tests.

• Staging API + datadog-static-analyzer (main) → Detected 3 secrets (expected)
• Staging API + datadog-static-analyzer (feature branch) → Detected 2 secrets (expected)
• Prod API + datadog-static-analyzer (main) → Detected 3 secrets (expected)
• Prod API + datadog-static-analyzer (feature branch) → Detected 2 secrets (expected)

In these tests, I added a new test secret that matches with the main branch of datadog-static-analyzer but not with the feature branch due to an invalid checksum. The observed results confirm that the changes are working as expected and maintain backward compatibility.

[isabella-garza-datadog]

/merge

[dd-devflow-routing-codex]

View all feedbacks in Devflow UI.

2025-11-11 18:31:22 UTC ℹ️ Start processing command /merge

---

2025-11-11 18:31:27 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in main is approximately 19m (p90).

---

2025-11-11 18:52:56 UTC ❌ MergeQueue: The checks failed on this merge request

Tests failed on this commit 616ea2c:

• macOS x64 - Build - Profile 'debug'
• macOS x64 - Test

What to do next?

• Investigate the failures and when ready, re-add your pull request to the queue!
• If your PR checks are green, try to rebase/merge. It might be because the CI run is a bit old.
• Any question, go check the FAQ.

[isabella-garza-datadog]

/merge

[dd-devflow-routing-codex]

View all feedbacks in Devflow UI.

2025-11-11 21:58:05 UTC ℹ️ Start processing command /merge

---

2025-11-11 21:58:08 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in main is approximately 33m (p90).

---

2025-11-11 22:16:34 UTC ❌ MergeQueue: The checks failed on this merge request

Tests failed on this commit fca2709:

• check_regressions (muh-nee, DSVW)

What to do next?

• Investigate the failures and when ready, re-add your pull request to the queue!
• If your PR checks are green, try to rebase/merge. It might be because the CI run is a bit old.
• Any question, go check the FAQ.

[isabella-garza-datadog]

/merge

[dd-devflow-routing-codex]

View all feedbacks in Devflow UI.

2025-11-12 13:54:30 UTC ℹ️ Start processing command /merge

---

2025-11-12 13:54:34 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in main is approximately 33m (p90).

---

2025-11-12 14:14:11 UTC ❌ MergeQueue: The checks failed on this merge request

Tests failed on this commit b57c996:

• check_regressions (numpy, numpy)

What to do next?

• Investigate the failures and when ready, re-add your pull request to the queue!
• If your PR checks are green, try to rebase/merge. It might be because the CI run is a bit old.
• Any question, go check the FAQ.

[isabella-garza-datadog]

/merge

[dd-devflow-routing-codex]

View all feedbacks in Devflow UI.

2025-11-12 16:16:18 UTC ℹ️ Start processing command /merge

---

2025-11-12 16:16:23 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in main is approximately 33m (p90).

---

2025-11-12 16:33:58 UTC ℹ️ MergeQueue: This merge request was merged