@google-cloud/dlp 6.0.1 → 6.2.0

package/CHANGELOG.md

@@ -4,6 +4,23 @@
 
 [1]: https://www.npmjs.com/package/PACKAGE NAME?activeTab=versions
 
+## [6.2.0](https://github.com/googleapis/google-cloud-node/compare/dlp-v6.1.0...dlp-v6.2.0) (2025-06-03)
+
+
+### Features
+
+* [dlp] add Dataplex Catalog action for discovery configs ([#6381](https://github.com/googleapis/google-cloud-node/issues/6381)) ([0a4221e](https://github.com/googleapis/google-cloud-node/commit/0a4221eb6787f427f82b835b6bd27c7fd5363b41))
+* Add a project ID to table reference so that org parents can create single table discovery configs. ([0a4221e](https://github.com/googleapis/google-cloud-node/commit/0a4221eb6787f427f82b835b6bd27c7fd5363b41))
+* New fields for data profile finding. ([0a4221e](https://github.com/googleapis/google-cloud-node/commit/0a4221eb6787f427f82b835b6bd27c7fd5363b41))
+
+## [6.1.0](https://github.com/googleapis/google-cloud-node/compare/dlp-v6.0.1...dlp-v6.1.0) (2025-03-21)
+
+
+### Features
+
+* [dlp] add sample findings for data profiles ([#6192](https://github.com/googleapis/google-cloud-node/issues/6192)) ([3f39c49](https://github.com/googleapis/google-cloud-node/commit/3f39c49a0bd9cc9ee7544ae0dba60bf7d5c69805))
+* List tags on resources for data profiles ([3f39c49](https://github.com/googleapis/google-cloud-node/commit/3f39c49a0bd9cc9ee7544ae0dba60bf7d5c69805))
+
 ## [6.0.1](https://github.com/googleapis/google-cloud-node/compare/dlp-v6.0.0...dlp-v6.0.1) (2025-03-19)
 
 

package/README.md

@@ -44,7 +44,7 @@ Google APIs Client Libraries, in [Client Libraries Explained][explained].
 1.  [Select or create a Cloud Platform project][projects].
 1.  [Enable billing for your project][billing].
 1.  [Enable the Cloud Data Loss Prevention API][enable_api].
-1.  [Set up authentication with a service account][auth] so you can access the
+1.  [Set up authentication][auth] so you can access the
     API from your local workstation.
 
 ### Installing the client library
@@ -250,4 +250,4 @@ See [LICENSE](https://github.com/googleapis/google-cloud-node/blob/main/LICENSE)
 [projects]: https://console.cloud.google.com/project
 [billing]: https://support.google.com/cloud/answer/6293499#enable-billing
 [enable_api]: https://console.cloud.google.com/flows/enableapi?apiid=dlp.googleapis.com
-[auth]: https://cloud.google.com/docs/authentication/getting-started
+[auth]: https://cloud.google.com/docs/authentication/external/set-up-adc-local

package/build/protos/google/privacy/dlp/v2/dlp.proto

@@ -88,6 +88,9 @@ service DlpService {
   // When no InfoTypes or CustomInfoTypes are specified in this request, the
   // system will automatically choose what detectors to run. By default this may
   // be all types, but may change over time as detectors are updated.
+  //
+  // Only the first frame of each multiframe image is redacted. Metadata and
+  // other frames are omitted in the response.
   rpc RedactImage(RedactImageRequest) returns (RedactImageResponse) {
     option (google.api.http) = {
       post: "/v2/{parent=projects/*}/image:redact"
@@ -144,6 +147,12 @@ service DlpService {
     option (google.api.http) = {
       get: "/v2/infoTypes"
       additional_bindings { get: "/v2/{parent=locations/*}/infoTypes" }
+      additional_bindings {
+        get: "/v2/{parent=projects/*/locations/*}/infoTypes"
+      }
+      additional_bindings {
+        get: "/v2/{parent=organizations/*/locations/*}/infoTypes"
+      }
     };
     option (google.api.method_signature) = "parent";
   }
@@ -1183,6 +1192,9 @@ message ByteContentItem {
   // The type of data being sent for inspection. To learn more, see
   // [Supported file
   // types](https://cloud.google.com/sensitive-data-protection/docs/supported-file-types).
+  //
+  // Only the first frame of each multiframe image is inspected. Metadata and
+  // other frames aren't inspected.
   enum BytesType {
     // Unused
     BYTES_TYPE_UNSPECIFIED = 0;
@@ -2038,6 +2050,13 @@ message InfoTypeDescription {
 
   // The default sensitivity of the infoType.
   SensitivityScore sensitivity_score = 11;
+
+  // If this field is set, this infoType is a general infoType and these
+  // specific infoTypes are contained within it.
+  // General infoTypes are infoTypes that encompass multiple specific infoTypes.
+  // For example, the "GEOGRAPHIC_DATA" general infoType would have set for this
+  // field "LOCATION", "LOCATION_COORDINATES", and "STREET_ADDRESS".
+  repeated string specific_info_types = 12;
 }
 
 // Classification of infoTypes to organize them according to geographic
@@ -2089,6 +2108,9 @@ message InfoTypeCategory {
     // The infoType is typically used in Croatia.
     CROATIA = 42;
 
+    // The infoType is typically used in Czechia.
+    CZECHIA = 52;
+
     // The infoType is typically used in Denmark.
     DENMARK = 10;
 
@@ -4177,32 +4199,78 @@ message Action {
   // Compatible with: Inspect
   message PublishFindingsToCloudDataCatalog {}
 
-  // Create a de-identified copy of the requested table or files.
+  // Create a de-identified copy of a storage bucket. Only compatible
+  // with Cloud Storage buckets.
+  //
   //
   // A TransformationDetail will be created for each transformation.
   //
-  // If any rows in BigQuery are skipped during de-identification
-  // (transformation errors or row size exceeds BigQuery insert API limits) they
-  // are placed in the failure output table. If the original row exceeds
-  // the BigQuery insert API limit it will be truncated when written to the
-  // failure output table. The failure output table can be set in the
-  // action.deidentify.output.big_query_output.deidentified_failure_output_table
-  // field, if no table is set, a table will be automatically created in the
-  // same project and dataset as the original table.
   //
-  // Compatible with: Inspect
+  // Compatible with: Inspection of Cloud Storage
   message Deidentify {
     // User specified deidentify templates and configs for structured,
     // unstructured, and image files.
     TransformationConfig transformation_config = 7;
 
-    // Config for storing transformation details. This is separate from the
-    // de-identified content, and contains metadata about the successful
-    // transformations and/or failures that occurred while de-identifying. This
-    // needs to be set in order for users to access information about the status
-    // of each transformation (see
+    // Config for storing transformation details.
+    //
+    // This field specifies the configuration for storing detailed metadata
+    // about each transformation performed during a de-identification process.
+    // The metadata is stored separately from the de-identified content itself
+    // and provides a granular record of both successful transformations and any
+    // failures that occurred.
+    //
+    // Enabling this configuration is essential for users who need to access
+    // comprehensive information about the status, outcome, and specifics of
+    // each transformation. The details are captured in the
     // [TransformationDetails][google.privacy.dlp.v2.TransformationDetails]
-    // message for more information about what is noted).
+    // message for each operation.
+    //
+    // Key use cases:
+    //
+    // * **Auditing and compliance**
+    //     * Provides a verifiable audit trail of de-identification activities,
+    //     which is crucial for meeting regulatory requirements and internal
+    //     data governance policies.
+    //     * Logs what data was transformed, what transformations were applied,
+    //     when they occurred, and their success status. This helps
+    //     demonstrate accountability and due diligence in protecting
+    //     sensitive data.
+    //
+    // * **Troubleshooting and debugging**
+    //     * Offers detailed error messages and context if a transformation
+    //     fails. This information is useful for diagnosing and resolving
+    //     issues in the de-identification pipeline.
+    //     * Helps pinpoint the exact location and nature of failures, speeding
+    //     up the debugging process.
+    //
+    // * **Process verification and quality assurance**
+    //     * Allows users to confirm that de-identification rules and
+    //     transformations were applied correctly and consistently across
+    //     the dataset as intended.
+    //     * Helps in verifying the effectiveness of the chosen
+    //     de-identification strategies.
+    //
+    // * **Data lineage and impact analysis**
+    //     * Creates a record of how data elements were modified, contributing
+    //     to data lineage. This is useful for understanding the provenance
+    //     of de-identified data.
+    //     * Aids in assessing the potential impact of de-identification choices
+    //     on downstream analytical processes or data usability.
+    //
+    // * **Reporting and operational insights**
+    //     * You can analyze the metadata stored in a queryable BigQuery table
+    //     to generate reports on transformation success rates, common
+    //     error types, processing volumes (e.g., transformedBytes), and the
+    //     types of transformations applied.
+    //     * These insights can inform optimization of de-identification
+    //     configurations and resource planning.
+    //
+    // To take advantage of these benefits, set this configuration. The stored
+    // details include a description of the transformation, success or
+    // error codes, error messages, the number of bytes transformed, the
+    // location of the transformed content, and identifiers for the job and
+    // source data.
     TransformationDetailsStorageConfig transformation_details_storage_config =
         3;
 
@@ -4861,6 +4929,15 @@ message DataProfileAction {
     //    If you use VPC Service Controls to define security perimeters, then
     //    you must use a separate table for each boundary.
     BigQueryTable profile_table = 1;
+
+    // Store sample [data profile
+    // findings][google.privacy.dlp.v2.DataProfileFinding] in an existing table
+    // or a new table in an existing dataset. Each regeneration will result in
+    // new rows in BigQuery. Data is inserted using [streaming
+    // insert](https://cloud.google.com/blog/products/bigquery/life-of-a-bigquery-streaming-insert)
+    // and so data may be in the buffer for a period of time after the profile
+    // has finished.
+    BigQueryTable sample_findings_table = 2;
   }
 
   // Send a Pub/Sub message into the given Pub/Sub topic to connect other
@@ -4927,6 +5004,18 @@ message DataProfileAction {
   // Center for each profile.
   message PublishToSecurityCommandCenter {}
 
+  // Create Dataplex Catalog aspects for profiled resources with the aspect type
+  // Sensitive Data Protection Profile. To learn more about aspects, see
+  // https://cloud.google.com/sensitive-data-protection/docs/add-aspects.
+  message PublishToDataplexCatalog {
+    // Whether creating a Dataplex Catalog aspect for a profiled resource should
+    // lower the risk of the profile for that resource. This also lowers the
+    // data risk of resources at the lower levels of the resource hierarchy. For
+    // example, reducing the data risk of a table data profile also reduces the
+    // data risk of the constituent column data profiles.
+    bool lower_data_risk_to_low = 1;
+  }
+
   // If set, attaches the [tags]
   // (https://cloud.google.com/resource-manager/docs/tags/tags-overview)
   // provided to profiled resources. Tags support [access
@@ -5000,9 +5089,80 @@ message DataProfileAction {
 
     // Tags the profiled resources with the specified tag values.
     TagResources tag_resources = 8;
+
+    // Publishes a portion of each profile to Dataplex Catalog with the aspect
+    // type Sensitive Data Protection Profile.
+    PublishToDataplexCatalog publish_to_dataplex_catalog = 9;
   }
 }
 
+// Details about a piece of potentially sensitive information that was detected
+// when the data resource was profiled.
+message DataProfileFinding {
+  // The content that was found. Even if the content is not textual, it
+  // may be converted to a textual representation here. If the finding exceeds
+  // 4096 bytes in length, the quote may be omitted.
+  string quote = 1;
+
+  // The [type of
+  // content](https://cloud.google.com/sensitive-data-protection/docs/infotypes-reference)
+  // that might have been found.
+  InfoType infotype = 2;
+
+  // Contains data parsed from quotes. Currently supported infoTypes: DATE,
+  // DATE_OF_BIRTH, and TIME.
+  QuoteInfo quote_info = 3;
+
+  // Resource name of the data profile associated with the finding.
+  string data_profile_resource_name = 4;
+
+  // A unique identifier for the finding.
+  string finding_id = 5;
+
+  // Timestamp when the finding was detected.
+  google.protobuf.Timestamp timestamp = 6;
+
+  // Where the content was found.
+  DataProfileFindingLocation location = 7;
+
+  // How broadly a resource has been shared.
+  ResourceVisibility resource_visibility = 8;
+
+  // The [full resource
+  // name](https://cloud.google.com/apis/design/resource_names#full_resource_name)
+  // of the resource profiled for this finding.
+  string full_resource_name = 9;
+
+  // The type of the resource that was profiled.
+  DataSourceType data_source_type = 10;
+}
+
+// Location of a data profile finding within a resource.
+message DataProfileFindingLocation {
+  // Name of the container where the finding is located.
+  // The top-level name is the source file name or table name. Names of some
+  // common storage containers are formatted as follows:
+  //
+  // * BigQuery tables:  `{project_id}:{dataset_id}.{table_id}`
+  // * Cloud Storage files: `gs://{bucket}/{path}`
+  string container_name = 1;
+
+  // Additional location details that may be provided for some types of
+  // profiles. At this time, only findings for table data profiles include such
+  // details.
+  oneof location_extra_details {
+    // Location of a finding within a resource that produces a table data
+    // profile.
+    DataProfileFindingRecordLocation data_profile_finding_record_location = 2;
+  }
+}
+
+// Location of a finding within a resource that produces a table data profile.
+message DataProfileFindingRecordLocation {
+  // Field ID of the column containing the finding.
+  FieldId field = 1;
+}
+
 // Configuration for setting up a job to scan resources for profile generation.
 // Only one data profile configuration may exist per organization, folder,
 // or project.
@@ -7520,6 +7680,14 @@ message TableDataProfile {
   // The time at which the table was created.
   google.protobuf.Timestamp create_time = 23;
 
+  // The BigQuery table to which the sample findings are written.
+  BigQueryTable sample_findings_table = 37;
+
+  // The tags attached to the table, including any tags attached during
+  // profiling. Because tags are attached to Cloud SQL instances rather than
+  // Cloud SQL tables, this field is empty for Cloud SQL table profiles.
+  repeated Tag tags = 39;
+
   // Resources related to this profile.
   repeated RelatedResource related_resources = 41;
 }
@@ -7888,13 +8056,38 @@ message FileStoreDataProfile {
   // InfoTypes detected in this file store.
   repeated FileStoreInfoTypeSummary file_store_info_type_summaries = 21;
 
-  // The file store does not have any files.
+  // The BigQuery table to which the sample findings are written.
+  BigQueryTable sample_findings_table = 22;
+
+  // The file store does not have any files. If the profiling operation failed,
+  // this is false.
   bool file_store_is_empty = 23;
 
+  // The tags attached to the resource, including any tags attached during
+  // profiling.
+  repeated Tag tags = 25;
+
   // Resources related to this profile.
   repeated RelatedResource related_resources = 26;
 }
 
+// A tag associated with a resource.
+message Tag {
+  // The namespaced name for the tag value to attach to Google Cloud resources.
+  // Must be in the format `{parent_id}/{tag_key_short_name}/{short_name}`, for
+  // example, "123456/environment/prod". This is only set for Google Cloud
+  // resources.
+  string namespaced_tag_value = 1;
+
+  // The key of a tag key-value pair. For Google Cloud resources, this is the
+  // resource name of the key, for example, "tagKeys/123456".
+  string key = 2;
+
+  // The value of a tag key-value pair. For Google Cloud resources, this is the
+  // resource name of the value, for example, "tagValues/123456".
+  string value = 3;
+}
+
 // A related resource.
 // Examples:
 //

package/build/protos/google/privacy/dlp/v2/storage.proto

@@ -869,6 +869,11 @@ message TableReference {
 
   // Name of the table.
   string table_id = 2;
+
+  // The Google Cloud project ID of the project containing the table.
+  // If omitted, the project ID is inferred from the parent project. This field
+  // is required if the parent resource is an organization.
+  string project_id = 3;
 }
 
 // Message defining a field of a BigQuery table.