feat(secret_scan): track options usage

ggshield/core/config/user_config.py

@@ -1,3 +1,4 @@
+import json
 import logging
 import re
 from dataclasses import field
@@ -62,6 +63,22 @@ def add_ignored_match(self, secret: IgnoredMatch) -> None:
                 return
         self.ignored_matches.append(secret)
 
+    def dump_for_monitoring(self) -> str:
+        return json.dumps(
+            {
+                "show_secrets": self.show_secrets,
+                "ignored_detectors_count": len(self.ignored_detectors),
+                "ignored_matches_count": len(self.ignored_matches),
+                "ignored_paths_count": len(self.ignored_paths),
+                "ignore_known_secrets_secrets": self.show_secrets,
+                "with_incident_details": self.with_incident_details,
+                "has_prereceive_remediation_message": bool(
+                    self.prereceive_remediation_message
+                ),
+                "all_secrets": self.all_secrets,
+            }
+        )
+
 
 def validate_policy_id(policy_id: str) -> bool:
     return bool(POLICY_ID_PATTERN.fullmatch(policy_id))

ggshield/verticals/secret/secret_scanner.py

@@ -55,7 +55,10 @@ def __init__(
         self.client = client
         self.cache = cache
         self.secret_config = secret_config
-        self.headers = scan_context.get_http_headers()
+        self.headers = scan_context.get_http_headers() | {
+            "scan_options": secret_config.dump_for_monitoring()
+        }
+
         self.command_id = scan_context.command_id
 
         if secret_config.with_incident_details:

tests/unit/verticals/secret/test_secret_scanner.py

@@ -333,6 +333,7 @@ def test_request_headers(scan_mock: Mock, client):
             "GGShield-OS-Version": os_version,
             "GGShield-Python-Version": platform.python_version(),
             "mode": "path",
+            "scan_options": ANY,
         },
         all_secrets=True,
     )