ci: add Copilot instructions for PII and security review [SVLS-8660]

litianningdatadog · claude · litianningdatadog · commit 4e4302cb845b · 2026-03-30T12:13:57.000-04:00
- Add .github/copilot-instructions.md to steer Copilot auto-review
  toward security-relevant patterns
- Flag PII in log statements: HTTP headers/bodies, user-identifiable
  fields, secrets — covering all tracing macro forms including
  unqualified info!/debug!/warn!/error! used via use tracing::{...}
- Flag new unsafe blocks with required safety invariant explanation
- Flag silently swallowed errors (.ok(), let _ = result) and
  panicking operations (.unwrap()/.expect()) in network/input paths

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
@@ -0,0 +1,29 @@
+# Copilot Code Review Instructions
+
+## Security — PII and Secrets
+
+Flag any logging statements (`log::info!`, `log::debug!`, `log::warn!`, `log::error!`,
+`tracing::info!`, `tracing::debug!`, `tracing::warn!`, `tracing::error!`, or unqualified
+`info!`, `debug!`, `warn!`, `error!` macros (e.g., via `use tracing::{info, debug, warn, error}`))
+that may log:
+- HTTP request/response headers (Authorization, Cookie, X-API-Key, or similar)
+- HTTP request/response bodies or raw payloads
+- Any PII fields (e.g., email, name, user_id, ip_address, phone, ssn, date_of_birth)
+- API keys, tokens, secrets, or credentials
+- Structs or types that contain any of the above fields
+- `SendData` values or any variable that contains a `SendData` object (e.g.,
+  `traces_with_tags` or similar variables built via `.with_api_key(...).build()`),
+  since these embed the Datadog API key
+
+Suggest redacting or omitting the sensitive field rather than logging it.
+
+## Security — Unsafe Rust
+
+Flag new `unsafe` blocks and explain what invariant the author must uphold to make the
+block safe. If there is a safe alternative, suggest it.
+
+## Security — Error Handling
+
+Flag cases where errors are silently swallowed (empty `catch`, `.ok()` without
+handling, `let _ = result`) or where operations like `.unwrap()`/`.expect()` may panic,
+in code paths that handle external input or network responses.
