[AGENTRUN-1319][incident-55119] Scrub additional endpoints

[nathan-b]

What does this PR do?

There are two formats for additional endpoints / dual shipping, and we only scrub one format. Add scrubbing for the second format, which doesn't give useful hints in the YAML keys so we have to get a little creative.

Motivation

Don't leak API keys in configs included as flare data

Describe how you validated your changes

Automated testing

[Copilot]

Pull request overview

Adds YAML scrubbing for the second additional_endpoints config schema (a list of structured endpoint maps with fields like api_key, host, port), which previously leaked API keys when configs were collected (e.g. via flares). The existing URL-keyed map schema is also covered via aggressive leaf-value scrubbing.

Changes:

• New additionalEndpointsYaml replacer keyed on ^additional_endpoints$ that branches on subtree shape: maps are scrubbed at every leaf via the new scrubAllLeafValues helper, while lists are re-scrubbed via ScrubDataObj so existing key-based replacers (e.g. api_key) handle the structured form.
• New scrubAllLeafValues helper that recursively rewrites leaf scalars to defaultReplacement, preserving structure and nil.
• Table-driven tests covering URL-keyed maps (keys/siblings preserved, API keys scrubbed) and the structured logs_config.additional_endpoints form (only api_key scrubbed; host/port/path preserved).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File	Description
pkg/util/scrubber/default.go	Adds the additional_endpoints YAML replacer and the scrubAllLeafValues helper.
pkg/util/scrubber/yaml_scrubber_test.go	Adds unit tests for both additional_endpoints schemas.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7508c02a0e

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Preserve ENC placeholders in additional_endpoints values

ScrubDataObj normally preserves ENC[...] strings, but scrubAllLeafValues now replaces every non-nil leaf under additional_endpoints with "********". For configs that use secret-backend placeholders inside URL-keyed additional_endpoints maps, this commit will scrub the placeholder itself instead of preserving it, which is a behavior regression compared with other sensitive keys and can remove useful diagnostics in flare output.

Useful? React with 👍 / 👎.

[datadog-prod-us1-6]

✨ Fix all issues with BitsAI

⚠️ Warnings

🚦 1 Pipeline job failed

DataDog/datadog-agent | oracle: [21.3.0-xe]     

🛟 This job is unlikely to succeed on retry. Please review your pipeline configuration.

Failed to ping oracle instance: ORA-12514: TNS:listener does not currently know of service requested in connect descriptor.

ℹ️ Info

🎯 Code Coverage (details)
• Patch Coverage: 78.12%
• Overall Coverage: 50.37% (-0.01%)

Useful? React with 👍 / 👎

_{This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 7508c02 | Docs | Datadog PR Page | Give us feedback!}

[dd-octo-sts]

Files inventory check summary

File checks results against ancestor f52d9768:

Results for datadog-agent_7.81.0~devel.git.241.7508c02.pipeline.115274968-1_amd64.deb:

No change detected

[dd-octo-sts]

Static quality checks

✅ Please find below the results from static quality gates
Comparison made with ancestor f52d976
📊 Static Quality Gates Dashboard
🔗 SQG Job

Successful checks

Info

	Quality gate	Change	Size (prev → curr → max)
✅	agent_deb_amd64	+48.0 KiB (0.01% increase, -0.98% of buffer)	745.998 → 746.045 → 750.800
✅	agent_deb_amd64_fips	+44.0 KiB (0.01% increase, -8.15% of buffer)	703.772 → 703.815 → 704.300
✅	agent_heroku_amd64	+4.0 KiB (0.00% increase, -0.11% of buffer)	310.724 → 310.728 → 314.260
✅	agent_rpm_amd64	+48.0 KiB (0.01% increase, -0.98% of buffer)	745.982 → 746.029 → 750.770
✅	agent_rpm_amd64_fips	+44.0 KiB (0.01% increase, -7.90% of buffer)	703.756 → 703.799 → 704.300
✅	agent_rpm_arm64	+32.0 KiB (0.00% increase, -3.31% of buffer)	723.556 → 723.587 → 724.500
✅	agent_rpm_arm64_fips	+40.0 KiB (0.01% increase, -10.01% of buffer)	684.480 → 684.519 → 684.870
✅	agent_suse_amd64	+48.0 KiB (0.01% increase, -0.98% of buffer)	745.982 → 746.029 → 750.770
✅	agent_suse_amd64_fips	+44.0 KiB (0.01% increase, -7.90% of buffer)	703.756 → 703.799 → 704.300
✅	agent_suse_arm64	+32.0 KiB (0.00% increase, -3.31% of buffer)	723.556 → 723.587 → 724.500
✅	agent_suse_arm64_fips	+40.0 KiB (0.01% increase, -10.01% of buffer)	684.480 → 684.519 → 684.870
✅	docker_agent_amd64	+40.0 KiB (0.00% increase, -21.52% of buffer)	806.159 → 806.198 → 806.340
✅	docker_agent_arm64	+32.0 KiB (0.00% increase, -1.97% of buffer)	808.534 → 808.565 → 810.120
✅	docker_agent_jmx_amd64	+39.99 KiB (0.00% increase, -7.49% of buffer)	997.078 → 997.117 → 997.600
✅	docker_agent_jmx_arm64	+31.99 KiB (0.00% increase, -1.99% of buffer)	988.232 → 988.263 → 989.800
✅	docker_cluster_agent_amd64	+8.0 KiB (0.00% increase, -1.23% of buffer)	207.074 → 207.082 → 207.710
✅	docker_cluster_agent_arm64	+64.0 KiB (0.03% increase, -32.15% of buffer)	221.016 → 221.078 → 221.210
✅	docker_dogstatsd_amd64	+4.0 KiB (0.01% increase, -6.45% of buffer)	39.499 → 39.503 → 39.560
✅	docker_host_profiler_amd64	+8.94 KiB (0.00% increase, -0.06% of buffer)	302.092 → 302.101 → 315.880
✅	dogstatsd_deb_amd64	+8.0 KiB (0.03% increase, -1.23% of buffer)	30.155 → 30.163 → 30.790
✅	dogstatsd_deb_arm64	+4.0 KiB (0.01% increase, -0.39% of buffer)	28.280 → 28.284 → 29.290
✅	dogstatsd_rpm_amd64	+8.0 KiB (0.03% increase, -1.23% of buffer)	30.155 → 30.163 → 30.790
✅	dogstatsd_suse_amd64	+8.0 KiB (0.03% increase, -1.23% of buffer)	30.155 → 30.163 → 30.790
✅	iot_agent_deb_amd64	+4.0 KiB (0.01% increase, -0.54% of buffer)	44.504 → 44.508 → 45.230
✅	iot_agent_deb_arm64	+4.0 KiB (0.01% increase, -0.29% of buffer)	41.468 → 41.472 → 42.800
✅	iot_agent_deb_armhf	+4.0 KiB (0.01% increase, -0.50% of buffer)	42.177 → 42.181 → 42.960
✅	iot_agent_rpm_amd64	+4.0 KiB (0.01% increase, -0.54% of buffer)	44.504 → 44.508 → 45.230
✅	iot_agent_suse_amd64	+4.0 KiB (0.01% increase, -0.54% of buffer)	44.504 → 44.508 → 45.230

4 successful checks with minimal change (< 2 KiB)

	Quality gate	Current Size
✅	docker_cws_instrumentation_amd64	7.154 MiB
✅	docker_cws_instrumentation_arm64	6.689 MiB
✅	docker_dogstatsd_arm64	37.690 MiB
✅	docker_host_profiler_arm64	313.592 MiB

[cit-pr-commenter-54b7da]

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: ce395071-dfbd-421e-929b-a989f2aa5a2b

Baseline: f52d976
Comparison: 7508c02
Diff

Optimization Goals: ✅ No significant changes detected

Experiments ignored for regressions

Regressions in experiments with settings containing erratic: true are ignored.

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	docker_containers_cpu	% cpu utilization	-0.58	[-3.49, +2.34]	1	Logs

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	otlp_ingest_logs	memory utilization	+0.50	[+0.41, +0.59]	1	Logs
➖	ddot_metrics	memory utilization	+0.36	[+0.16, +0.56]	1	Logs
➖	quality_gate_idle	memory utilization	+0.31	[+0.26, +0.36]	1	Logs bounds checks dashboard
➖	tcp_syslog_to_blackhole	ingress throughput	+0.28	[+0.07, +0.49]	1	Logs
➖	otlp_ingest_metrics	memory utilization	+0.27	[+0.11, +0.43]	1	Logs
➖	quality_gate_idle_all_features	memory utilization	+0.24	[+0.18, +0.30]	1	Logs bounds checks dashboard
➖	file_tree	memory utilization	+0.23	[+0.18, +0.27]	1	Logs
➖	ddot_logs	memory utilization	+0.08	[+0.01, +0.14]	1	Logs
➖	quality_gate_logs	% cpu utilization	+0.07	[-0.94, +1.08]	1	Logs bounds checks dashboard
➖	uds_dogstatsd_to_api	ingress throughput	+0.02	[-0.18, +0.22]	1	Logs
➖	file_to_blackhole_100ms_latency	egress throughput	+0.00	[-0.15, +0.16]	1	Logs
➖	tcp_dd_logs_filter_exclude	ingress throughput	-0.00	[-0.10, +0.09]	1	Logs
➖	uds_dogstatsd_to_api_v3	ingress throughput	-0.01	[-0.21, +0.20]	1	Logs
➖	file_to_blackhole_500ms_latency	egress throughput	-0.03	[-0.44, +0.38]	1	Logs
➖	file_to_blackhole_1000ms_latency	egress throughput	-0.03	[-0.48, +0.42]	1	Logs
➖	ddot_metrics_sum_cumulative	memory utilization	-0.04	[-0.19, +0.12]	1	Logs
➖	uds_dogstatsd_20mb_12k_contexts_20_senders	memory utilization	-0.06	[-0.11, -0.01]	1	Logs
➖	file_to_blackhole_0ms_latency	egress throughput	-0.10	[-0.67, +0.47]	1	Logs
➖	ddot_metrics_sum_cumulativetodelta_exporter	memory utilization	-0.23	[-0.46, +0.01]	1	Logs
➖	docker_containers_memory	memory utilization	-0.42	[-0.52, -0.31]	1	Logs
➖	docker_containers_cpu	% cpu utilization	-0.58	[-3.49, +2.34]	1	Logs
➖	ddot_metrics_sum_delta	memory utilization	-0.73	[-0.92, -0.55]	1	Logs
➖	quality_gate_metrics_logs	memory utilization	-0.81	[-1.06, -0.56]	1	Logs bounds checks dashboard

Bounds Checks: ✅ Passed

perf	experiment	bounds_check_name	replicates_passed	observed_value	links
✅	docker_containers_cpu	simple_check_run	10/10	692 ≥ 26
✅	docker_containers_memory	memory_usage	10/10	248.74MiB ≤ 370MiB
✅	docker_containers_memory	simple_check_run	10/10	713 ≥ 26
✅	file_to_blackhole_0ms_latency	memory_usage	10/10	0.16GiB ≤ 1.20GiB
✅	file_to_blackhole_0ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_1000ms_latency	memory_usage	10/10	0.20GiB ≤ 1.20GiB
✅	file_to_blackhole_1000ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_100ms_latency	memory_usage	10/10	0.17GiB ≤ 1.20GiB
✅	file_to_blackhole_100ms_latency	missed_bytes	10/10	0B = 0B
✅	file_to_blackhole_500ms_latency	memory_usage	10/10	0.18GiB ≤ 1.20GiB
✅	file_to_blackhole_500ms_latency	missed_bytes	10/10	0B = 0B
✅	quality_gate_idle	intake_connections	10/10	3 ≤ 4	bounds checks dashboard
✅	quality_gate_idle	memory_usage	10/10	142.32MiB ≤ 147MiB	bounds checks dashboard
✅	quality_gate_idle	total_bytes_received	10/10	742.19KiB ≤ 819.20KiB	bounds checks dashboard
✅	quality_gate_idle_all_features	intake_connections	10/10	2 ≤ 4	bounds checks dashboard
✅	quality_gate_idle_all_features	memory_usage	10/10	435.32MiB ≤ 495MiB	bounds checks dashboard
✅	quality_gate_idle_all_features	total_bytes_received	10/10	1.13MiB ≤ 1.25MiB	bounds checks dashboard
✅	quality_gate_logs	intake_connections	10/10	3 ≤ 6	bounds checks dashboard
✅	quality_gate_logs	memory_usage	10/10	181.74MiB ≤ 195MiB	bounds checks dashboard
✅	quality_gate_logs	missed_bytes	10/10	0B = 0B	bounds checks dashboard
✅	quality_gate_logs	total_bytes_received	10/10	264.37MiB ≤ 292MiB	bounds checks dashboard
✅	quality_gate_metrics_logs	cpu_usage	10/10	345.04 ≤ 2000	bounds checks dashboard
✅	quality_gate_metrics_logs	intake_connections	10/10	3 ≤ 6	bounds checks dashboard
✅	quality_gate_metrics_logs	memory_usage	10/10	379.38MiB ≤ 430MiB	bounds checks dashboard
✅	quality_gate_metrics_logs	missed_bytes	10/10	0B = 0B	bounds checks dashboard
✅	quality_gate_metrics_logs	total_bytes_received	10/10	0.94GiB ≤ 1.04GiB	bounds checks dashboard

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

3. Its configuration does not mark it "erratic".

CI Pass/Fail Decision

✅ Passed. All Quality Gates passed.

• quality_gate_metrics_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check total_bytes_received: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check total_bytes_received: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
• quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
• quality_gate_idle, bounds check total_bytes_received: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check total_bytes_received: 10/10 replicas passed. Gate passed.
• quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.