dd-trace 4.17.0 → 4.18.0

package/index.d.ts

@@ -453,7 +453,15 @@ export declare interface TracerOptions {
        * Whether to enable vulnerability redaction
        * @default true
        */
-      redactionEnabled?: boolean
+      redactionEnabled?: boolean,
+      /**
+       * Specifies a regex that will redact sensitive source names in vulnerability reports.
+       */
+      redactionNamePattern?: string,
+      /**
+       * Specifies a regex that will redact sensitive source values in vulnerability reports.
+       */
+      redactionValuePattern?: string
     }
   };
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dd-trace",
-  "version": "4.17.0",
+  "version": "4.18.0",
   "description": "Datadog APM tracing client for JavaScript",
   "main": "index.js",
   "typings": "index.d.ts",
@@ -69,10 +69,10 @@
   },
   "dependencies": {
     "@datadog/native-appsec": "^4.0.0",
-    "@datadog/native-iast-rewriter": "2.1.3",
-    "@datadog/native-iast-taint-tracking": "1.6.1",
+    "@datadog/native-iast-rewriter": "2.2.1",
+    "@datadog/native-iast-taint-tracking": "1.6.3",
     "@datadog/native-metrics": "^2.0.0",
-    "@datadog/pprof": "4.0.0",
+    "@datadog/pprof": "4.0.1",
     "@datadog/sketches-js": "^2.1.0",
     "@opentelemetry/api": "^1.0.0",
     "@opentelemetry/core": "^1.14.0",

package/packages/datadog-instrumentations/src/cucumber.js

@@ -296,6 +296,11 @@ addHook({
       const filteredPickles = getFilteredPickles(this, skippableSuites)
       const { picklesToRun } = filteredPickles
       isSuitesSkipped = picklesToRun.length !== this.pickleIds.length
+
+      log.debug(
+        () => `${picklesToRun.length} out of ${this.pickleIds.length} suites are going to run.`
+      )
+
       this.pickleIds = picklesToRun
 
       skippedSuites = Array.from(filteredPickles.skippedSuites)

package/packages/datadog-instrumentations/src/jest.js

@@ -208,6 +208,11 @@ addHook({
     const rootDir = test && test.context && test.context.config && test.context.config.rootDir
 
     const jestSuitesToRun = getJestSuitesToRun(skippableSuites, shardedTests, rootDir || process.cwd())
+
+    log.debug(
+      () => `${jestSuitesToRun.suitesToRun.length} out of ${shardedTests.length} suites are going to run.`
+    )
+
     hasUnskippableSuites = jestSuitesToRun.hasUnskippableSuites
     hasForcedToRunSuites = jestSuitesToRun.hasForcedToRunSuites
 
@@ -272,7 +277,16 @@ function cliWrapper (cli, jestVersion) {
 
     const result = await runCLI.apply(this, arguments)
 
-    const { results: { success, coverageMap } } = result
+    const {
+      results: {
+        success,
+        coverageMap,
+        numFailedTestSuites,
+        numFailedTests,
+        numTotalTests,
+        numTotalTestSuites
+      }
+    } = result
 
     let testCodeCoverageLinesTotal
     try {
@@ -281,17 +295,30 @@ function cliWrapper (cli, jestVersion) {
     } catch (e) {
       // ignore errors
     }
+    let status, error
+
+    if (success) {
+      if (numTotalTests === 0 && numTotalTestSuites === 0) {
+        status = 'skip'
+      } else {
+        status = 'pass'
+      }
+    } else {
+      status = 'fail'
+      error = new Error(`Failed test suites: ${numFailedTestSuites}. Failed tests: ${numFailedTests}`)
+    }
 
     sessionAsyncResource.runInAsyncScope(() => {
       testSessionFinishCh.publish({
-        status: success ? 'pass' : 'fail',
+        status,
         isSuitesSkipped,
         isSuitesSkippingEnabled,
         isCodeCoverageEnabled,
         testCodeCoverageLinesTotal,
         numSkippedSuites,
         hasUnskippableSuites,
-        hasForcedToRunSuites
+        hasForcedToRunSuites,
+        error
       })
     })
 
@@ -363,23 +390,23 @@ function jestAdapterWrapper (jestAdapter, jestVersion) {
           status = 'fail'
         }
 
-        const coverageFiles = getCoveredFilenamesFromCoverage(environment.global.__coverage__)
-          .map(filename => getTestSuitePath(filename, environment.rootDir))
-
         /**
          * Child processes do not each request ITR configuration, so the jest's parent process
          * needs to pass them the configuration. This is done via _ddTestCodeCoverageEnabled, which
          * controls whether coverage is reported.
-         */
-        if (coverageFiles &&
-          environment.testEnvironmentOptions &&
-          environment.testEnvironmentOptions._ddTestCodeCoverageEnabled) {
+        */
+        if (environment.testEnvironmentOptions?._ddTestCodeCoverageEnabled) {
+          const coverageFiles = getCoveredFilenamesFromCoverage(environment.global.__coverage__)
+            .map(filename => getTestSuitePath(filename, environment.rootDir))
           asyncResource.runInAsyncScope(() => {
             testSuiteCodeCoverageCh.publish([...coverageFiles, environment.testSuite])
           })
         }
         testSuiteFinishCh.publish({ status, errorMessage })
         return suiteResults
+      }).catch(error => {
+        testSuiteFinishCh.publish({ status: 'fail', error })
+        throw error
       })
     })
   })
@@ -508,6 +535,8 @@ addHook({
 
     const jestSuitesToRun = getJestSuitesToRun(skippableSuites, tests, rootDir)
 
+    log.debug(() => `${jestSuitesToRun.suitesToRun.length} out of ${tests.length} suites are going to run.`)
+
     hasUnskippableSuites = jestSuitesToRun.hasUnskippableSuites
     hasForcedToRunSuites = jestSuitesToRun.hasForcedToRunSuites
 

package/packages/datadog-instrumentations/src/knex.js

@@ -1,6 +1,6 @@
 'use strict'
 
-const { addHook, channel } = require('./helpers/instrument')
+const { addHook, channel, AsyncResource } = require('./helpers/instrument')
 const { wrapThen } = require('./helpers/promise')
 const shimmer = require('../../datadog-shimmer')
 
@@ -39,34 +39,41 @@ addHook({
       return raw.apply(this, arguments)
     }
 
+    const asyncResource = new AsyncResource('bound-anonymous-fn')
+
     function finish () {
       finishRawQueryCh.publish()
     }
 
-    startRawQueryCh.publish({ sql, dialect: this.dialect })
+    return asyncResource.runInAsyncScope(() => {
+      startRawQueryCh.publish({ sql, dialect: this.dialect })
 
-    const rawResult = raw.apply(this, arguments)
+      const rawResult = raw.apply(this, arguments)
+      shimmer.wrap(rawResult, 'then', originalThen => function () {
+        return asyncResource.runInAsyncScope(() => {
+          arguments[0] = wrapCallbackWithFinish(arguments[0], finish)
+          if (arguments[1]) arguments[1] = wrapCallbackWithFinish(arguments[1], finish)
 
-    shimmer.wrap(rawResult, 'then', originalThen => function () {
-      arguments[0] = wrapCallbackWithFinish(arguments[0], finish)
-      arguments[1] = wrapCallbackWithFinish(arguments[1], finish)
+          const originalThenResult = originalThen.apply(this, arguments)
 
-      const originalThenResult = originalThen.apply(this, arguments)
+          shimmer.wrap(originalThenResult, 'catch', originalCatch => function () {
+            arguments[0] = wrapCallbackWithFinish(arguments[0], finish)
+            return originalCatch.apply(this, arguments)
+          })
 
-      shimmer.wrap(originalThenResult, 'catch', originalCatch => function () {
-        arguments[0] = wrapCallbackWithFinish(arguments[0], finish)
-        return originalCatch.apply(this, arguments)
+          return originalThenResult
+        })
       })
 
-      return originalThenResult
-    })
+      shimmer.wrap(rawResult, 'asCallback', originalAsCallback => function () {
+        return asyncResource.runInAsyncScope(() => {
+          arguments[0] = wrapCallbackWithFinish(arguments[0], finish)
+          return originalAsCallback.apply(this, arguments)
+        })
+      })
 
-    shimmer.wrap(rawResult, 'asCallback', originalAsCallback => function () {
-      arguments[0] = wrapCallbackWithFinish(arguments[0], finish)
-      return originalAsCallback.apply(this, arguments)
+      return rawResult
     })
-
-    return rawResult
   })
   return Knex
 })

package/packages/datadog-instrumentations/src/mocha.js

@@ -133,11 +133,20 @@ function mochaHook (Runner) {
 
     this.once('end', testRunAsyncResource.bind(function () {
       let status = 'pass'
+      let error
       if (this.stats) {
         status = this.stats.failures === 0 ? 'pass' : 'fail'
+        if (this.stats.tests === 0) {
+          status = 'skip'
+        }
       } else if (this.failures !== 0) {
         status = 'fail'
       }
+
+      if (status === 'fail') {
+        error = new Error(`Failed tests: ${this.failures}.`)
+      }
+
       testFileToSuiteAr.clear()
 
       let testCodeCoverageLinesTotal
@@ -157,7 +166,8 @@ function mochaHook (Runner) {
         testCodeCoverageLinesTotal,
         numSkippedSuites: skippedSuites.length,
         hasForcedToRunSuites: isForcedToRun,
-        hasUnskippableSuites: !!unskippableSuites.length
+        hasUnskippableSuites: !!unskippableSuites.length,
+        error
       })
     }))
 
@@ -396,6 +406,11 @@ addHook({
       const { suitesToRun } = filteredSuites
 
       isSuitesSkipped = suitesToRun.length !== runner.suite.suites.length
+
+      log.debug(
+        () => `${suitesToRun.length} out of ${runner.suite.suites.length} suites are going to run.`
+      )
+
       runner.suite.suites = suitesToRun
 
       skippedSuites = Array.from(filteredSuites.skippedSuites)

package/packages/datadog-instrumentations/src/next.js

@@ -1,7 +1,5 @@
 'use strict'
 
-// TODO: either instrument all or none of the render functions
-
 const { channel, addHook } = require('./helpers/instrument')
 const shimmer = require('../../datadog-shimmer')
 const { DD_MAJOR } = require('../../../version')
@@ -14,6 +12,9 @@ const bodyParsedChannel = channel('apm:next:body-parsed')
 const queryParsedChannel = channel('apm:next:query-parsed')
 
 const requests = new WeakSet()
+const nodeNextRequestsToNextRequests = new WeakMap()
+
+const MIDDLEWARE_HEADER = 'x-middleware-invoke'
 
 function wrapHandleRequest (handleRequest) {
   return function (req, res, pathname, query) {
@@ -56,18 +57,6 @@ function wrapHandleApiRequestWithMatch (handleApiRequest) {
   }
 }
 
-function wrapRenderToResponse (renderToResponse) {
-  return function (ctx) {
-    return instrument(ctx.req, ctx.res, () => renderToResponse.apply(this, arguments))
-  }
-}
-
-function wrapRenderErrorToResponse (renderErrorToResponse) {
-  return function (ctx) {
-    return instrument(ctx.req, ctx.res, () => renderErrorToResponse.apply(this, arguments))
-  }
-}
-
 function wrapRenderToHTML (renderToHTML) {
   return function (req, res, pathname, query, parsedUrl) {
     return instrument(req, res, () => renderToHTML.apply(this, arguments))
@@ -80,6 +69,18 @@ function wrapRenderErrorToHTML (renderErrorToHTML) {
   }
 }
 
+function wrapRenderToResponse (renderToResponse) {
+  return function (ctx) {
+    return instrument(ctx.req, ctx.res, () => renderToResponse.apply(this, arguments))
+  }
+}
+
+function wrapRenderErrorToResponse (renderErrorToResponse) {
+  return function (ctx) {
+    return instrument(ctx.req, ctx.res, () => renderErrorToResponse.apply(this, arguments))
+  }
+}
+
 function wrapFindPageComponents (findPageComponents) {
   return function (pathname, query) {
     const result = findPageComponents.apply(this, arguments)
@@ -114,7 +115,9 @@ function instrument (req, res, handler) {
   req = req.originalRequest || req
   res = res.originalResponse || res
 
-  if (requests.has(req)) return handler()
+  // TODO support middleware properly in the future?
+  const isMiddleware = req.headers[MIDDLEWARE_HEADER]
+  if (isMiddleware || requests.has(req)) return handler()
 
   requests.add(req)
 
@@ -154,6 +157,11 @@ function finish (ctx, result, err) {
     errorChannel.publish(ctx)
   }
 
+  const maybeNextRequest = nodeNextRequestsToNextRequests.get(ctx.req)
+  if (maybeNextRequest) {
+    ctx.nextRequest = maybeNextRequest
+  }
+
   finishChannel.publish(ctx)
 
   if (err) {
@@ -163,6 +171,24 @@ function finish (ctx, result, err) {
   return result
 }
 
+// also wrapped in dist/server/future/route-handlers/app-route-route-handler.js
+// in versions below 13.3.0 that support middleware,
+// however, it is not provided as a class function or exported property
+addHook({
+  name: 'next',
+  versions: ['>=13.3.0'],
+  file: 'dist/server/web/spec-extension/adapters/next-request.js'
+}, NextRequestAdapter => {
+  shimmer.wrap(NextRequestAdapter.NextRequestAdapter, 'fromNodeNextRequest', fromNodeNextRequest => {
+    return function (nodeNextRequest) {
+      const nextRequest = fromNodeNextRequest.apply(this, arguments)
+      nodeNextRequestsToNextRequests.set(nodeNextRequest.originalRequest, nextRequest)
+      return nextRequest
+    }
+  })
+  return NextRequestAdapter
+})
+
 addHook({
   name: 'next',
   versions: ['>=11.1'],
@@ -175,27 +201,32 @@ addHook({
   file: 'dist/next-server/server/serve-static.js'
 }, serveStatic => shimmer.wrap(serveStatic, 'serveStatic', wrapServeStatic))
 
-addHook({ name: 'next', versions: ['>=13.2'], file: 'dist/server/next-server.js' }, nextServer => {
+addHook({ name: 'next', versions: ['>=11.1'], file: 'dist/server/next-server.js' }, nextServer => {
   const Server = nextServer.default
 
   shimmer.wrap(Server.prototype, 'handleRequest', wrapHandleRequest)
-  shimmer.wrap(Server.prototype, 'handleApiRequest', wrapHandleApiRequestWithMatch)
+
+  // Wrapping these makes sure any public API render methods called in a custom server
+  // are traced properly
+  // (instead of wrapping the top-level API methods, just wrapping these covers them all)
   shimmer.wrap(Server.prototype, 'renderToResponse', wrapRenderToResponse)
   shimmer.wrap(Server.prototype, 'renderErrorToResponse', wrapRenderErrorToResponse)
+
   shimmer.wrap(Server.prototype, 'findPageComponents', wrapFindPageComponents)
 
   return nextServer
 })
 
-addHook({ name: 'next', versions: ['>=11.1 <13.2'], file: 'dist/server/next-server.js' }, nextServer => {
+// `handleApiRequest` changes parameters/implementation at 13.2.0
+addHook({ name: 'next', versions: ['>=13.2'], file: 'dist/server/next-server.js' }, nextServer => {
   const Server = nextServer.default
+  shimmer.wrap(Server.prototype, 'handleApiRequest', wrapHandleApiRequestWithMatch)
+  return nextServer
+})
 
-  shimmer.wrap(Server.prototype, 'handleRequest', wrapHandleRequest)
+addHook({ name: 'next', versions: ['>=11.1 <13.2'], file: 'dist/server/next-server.js' }, nextServer => {
+  const Server = nextServer.default
   shimmer.wrap(Server.prototype, 'handleApiRequest', wrapHandleApiRequest)
-  shimmer.wrap(Server.prototype, 'renderToResponse', wrapRenderToResponse)
-  shimmer.wrap(Server.prototype, 'renderErrorToResponse', wrapRenderErrorToResponse)
-  shimmer.wrap(Server.prototype, 'findPageComponents', wrapFindPageComponents)
-
   return nextServer
 })
 
@@ -208,8 +239,12 @@ addHook({
 
   shimmer.wrap(Server.prototype, 'handleRequest', wrapHandleRequest)
   shimmer.wrap(Server.prototype, 'handleApiRequest', wrapHandleApiRequest)
+
+  // Likewise with newer versions, these correlate to public API render methods for custom servers
+  // all public ones use these methods somewhere in their code path
   shimmer.wrap(Server.prototype, 'renderToHTML', wrapRenderToHTML)
   shimmer.wrap(Server.prototype, 'renderErrorToHTML', wrapRenderErrorToHTML)
+
   shimmer.wrap(Server.prototype, 'findPageComponents', wrapFindPageComponents)
 
   return nextServer

package/packages/datadog-instrumentations/src/playwright.js

@@ -1,5 +1,6 @@
 const { addHook, channel, AsyncResource } = require('./helpers/instrument')
 const shimmer = require('../../datadog-shimmer')
+const { parseAnnotations } = require('../../dd-trace/src/plugins/util/test')
 
 const testStartCh = channel('ci:playwright:test:start')
 const testFinishCh = channel('ci:playwright:test:finish')
@@ -103,7 +104,11 @@ function testBeginHandler (test) {
   })
 }
 
-function testEndHandler (test, testStatus, error) {
+function testEndHandler (test, annotations, testStatus, error) {
+  let annotationTags
+  if (annotations.length) {
+    annotationTags = parseAnnotations(annotations)
+  }
   const { _requireFile: testSuiteAbsolutePath, results, _type } = test
 
   if (_type === 'beforeAll' || _type === 'afterAll') {
@@ -113,7 +118,7 @@ function testEndHandler (test, testStatus, error) {
   const testResult = results[results.length - 1]
   const testAsyncResource = testToAr.get(test)
   testAsyncResource.runInAsyncScope(() => {
-    testFinishCh.publish({ testStatus, steps: testResult.steps, error })
+    testFinishCh.publish({ testStatus, steps: testResult.steps, error, extraTags: annotationTags })
   })
 
   if (!testSuiteToTestStatuses.has(testSuiteAbsolutePath)) {
@@ -172,7 +177,7 @@ function dispatcherHook (dispatcherExport) {
         const { results } = test
         const testResult = results[results.length - 1]
 
-        testEndHandler(test, STATUS_TO_TEST_STATUS[testResult.status], testResult.error)
+        testEndHandler(test, params.annotations, STATUS_TO_TEST_STATUS[testResult.status], testResult.error)
       }
     })
 
@@ -200,10 +205,10 @@ function dispatcherHookNew (dispatcherExport, runWrapper) {
       const test = getTestByTestId(dispatcher, testId)
       testBeginHandler(test)
     })
-    worker.on('testEnd', ({ testId, status, errors }) => {
+    worker.on('testEnd', ({ testId, status, errors, annotations }) => {
       const test = getTestByTestId(dispatcher, testId)
 
-      testEndHandler(test, STATUS_TO_TEST_STATUS[status], errors && errors[0])
+      testEndHandler(test, annotations, STATUS_TO_TEST_STATUS[status], errors && errors[0])
     })
 
     return worker
@@ -230,7 +235,7 @@ function runnerHook (runnerExport, playwrightVersion) {
       // because they were skipped
       tests.forEach(test => {
         testBeginHandler(test)
-        testEndHandler(test, 'skip')
+        testEndHandler(test, [], 'skip')
       })
     })
 

package/packages/datadog-plugin-http/src/client.js

@@ -76,6 +76,7 @@ class HttpClientPlugin extends ClientPlugin {
   }
 
   finish ({ req, res, span }) {
+    if (!span) return
     if (res) {
       const status = res.status || res.statusCode
 
@@ -98,6 +99,7 @@ class HttpClientPlugin extends ClientPlugin {
   }
 
   error ({ span, error }) {
+    if (!span) return
     if (error) {
       span.addTags({
         [ERROR_TYPE]: error.name,

package/packages/datadog-plugin-jest/src/index.js

@@ -54,11 +54,17 @@ class JestPlugin extends CiPlugin {
       testCodeCoverageLinesTotal,
       numSkippedSuites,
       hasUnskippableSuites,
-      hasForcedToRunSuites
+      hasForcedToRunSuites,
+      error
     }) => {
       this.testSessionSpan.setTag(TEST_STATUS, status)
       this.testModuleSpan.setTag(TEST_STATUS, status)
 
+      if (error) {
+        this.testSessionSpan.setTag('error', error)
+        this.testModuleSpan.setTag('error', error)
+      }
+
       addIntelligentTestRunnerSpanTags(
         this.testSessionSpan,
         this.testModuleSpan,
@@ -150,9 +156,11 @@ class JestPlugin extends CiPlugin {
       })
     })
 
-    this.addSub('ci:jest:test-suite:finish', ({ status, errorMessage }) => {
+    this.addSub('ci:jest:test-suite:finish', ({ status, errorMessage, error }) => {
       this.testSuiteSpan.setTag(TEST_STATUS, status)
-      if (errorMessage) {
+      if (error) {
+        this.testSuiteSpan.setTag('error', error)
+      } else if (errorMessage) {
         this.testSuiteSpan.setTag('error', new Error(errorMessage))
       }
       this.testSuiteSpan.finish()

package/packages/datadog-plugin-mocha/src/index.js

@@ -150,13 +150,19 @@ class MochaPlugin extends CiPlugin {
       testCodeCoverageLinesTotal,
       numSkippedSuites,
       hasForcedToRunSuites,
-      hasUnskippableSuites
+      hasUnskippableSuites,
+      error
     }) => {
       if (this.testSessionSpan) {
         const { isSuitesSkippingEnabled, isCodeCoverageEnabled } = this.itrConfig || {}
         this.testSessionSpan.setTag(TEST_STATUS, status)
         this.testModuleSpan.setTag(TEST_STATUS, status)
 
+        if (error) {
+          this.testSessionSpan.setTag('error', error)
+          this.testModuleSpan.setTag('error', error)
+        }
+
         addIntelligentTestRunnerSpanTags(
           this.testSessionSpan,
           this.testModuleSpan,

package/packages/datadog-plugin-next/src/index.js

@@ -43,7 +43,7 @@ class NextPlugin extends ServerPlugin {
     this.addError(error, span)
   }
 
-  finish ({ req, res }) {
+  finish ({ req, res, nextRequest = {} }) {
     const store = storage.getStore()
 
     if (!store) return
@@ -52,7 +52,8 @@ class NextPlugin extends ServerPlugin {
     const error = span.context()._tags['error']
 
     if (!this.config.validateStatus(res.statusCode) && !error) {
-      span.setTag('error', true)
+      span.setTag('error', req.error || nextRequest.error || true)
+      web.addError(req, req.error || nextRequest.error || true)
     }
 
     span.addTags({
@@ -64,7 +65,7 @@ class NextPlugin extends ServerPlugin {
     span.finish()
   }
 
-  pageLoad ({ page, isAppPath }) {
+  pageLoad ({ page, isAppPath = false }) {
     const store = storage.getStore()
 
     if (!store) return

package/packages/datadog-plugin-playwright/src/index.js

@@ -72,7 +72,7 @@ class PlaywrightPlugin extends CiPlugin {
 
       this.enter(span, store)
     })
-    this.addSub('ci:playwright:test:finish', ({ testStatus, steps, error }) => {
+    this.addSub('ci:playwright:test:finish', ({ testStatus, steps, error, extraTags }) => {
       const store = storage.getStore()
       const span = store && store.span
       if (!span) return
@@ -82,6 +82,9 @@ class PlaywrightPlugin extends CiPlugin {
       if (error) {
         span.setTag('error', error)
       }
+      if (extraTags) {
+        span.addTags(extraTags)
+      }
 
       steps.forEach(step => {
         const stepStartTime = step.startTime.getTime()

package/packages/dd-trace/src/appsec/iast/analyzers/analyzers.js

@@ -2,6 +2,7 @@
 
 module.exports = {
   'COMMAND_INJECTION_ANALYZER': require('./command-injection-analyzer'),
+  'HARCODED_SECRET_ANALYZER': require('./hardcoded-secret-analyzer'),
   'HSTS_HEADER_MISSING_ANALYZER': require('./hsts-header-missing-analyzer'),
   'INSECURE_COOKIE_ANALYZER': require('./insecure-cookie-analyzer'),
   'LDAP_ANALYZER': require('./ldap-injection-analyzer'),

package/packages/dd-trace/src/appsec/iast/analyzers/hardcoded-secret-analyzer.js

@@ -0,0 +1,60 @@
+'use strict'
+
+const Analyzer = require('./vulnerability-analyzer')
+const { HARDCODED_SECRET } = require('../vulnerabilities')
+const { getRelativePath } = require('../path-line')
+
+const secretRules = require('./hardcoded-secrets-rules')
+
+class HardcodedSecretAnalyzer extends Analyzer {
+  constructor () {
+    super(HARDCODED_SECRET)
+  }
+
+  onConfigure () {
+    this.addSub('datadog:secrets:result', (secrets) => { this.analyze(secrets) })
+  }
+
+  analyze (secrets) {
+    if (!secrets?.file || !secrets.literals) return
+
+    const matches = secrets.literals
+      .filter(literal => literal.value && literal.locations?.length)
+      .map(literal => {
+        const match = secretRules.find(rule => literal.value.match(rule.regex))
+
+        return match ? { locations: literal.locations, ruleId: match.id } : undefined
+      })
+      .filter(match => !!match)
+
+    if (matches.length) {
+      const file = getRelativePath(secrets.file)
+
+      matches.forEach(match => {
+        match.locations
+          .filter(location => location.line)
+          .forEach(location => this._report({
+            file,
+            line: location.line,
+            column: location.column,
+            data: match.ruleId
+          }))
+      })
+    }
+  }
+
+  _getEvidence (value) {
+    return { value: `${value.data}` }
+  }
+
+  _getLocation (value) {
+    return {
+      path: value.file,
+      line: value.line,
+      column: value.column,
+      isInternal: false
+    }
+  }
+}
+
+module.exports = new HardcodedSecretAnalyzer()