Code Analysis

Code Analysis is in public beta.

Overview

Code Analysis displays results for violations found by Static Analysis and Software Composition Analysis (SCA) scans in your repositories.

Static Analysis
Scans your bespoke code for maintainability issues, bugs, performance issues, and security vulnerabilities early in the development lifecycle to prevent issues from reaching production and, when possible, provides suggested fixes to help engineering teams address these issues before they impact users.
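To make the Static Analysis description concrete, here is an added example (not Datadog's scanner or rule engine) of the kind of check such a scan performs: it walks the Python AST of a constructed source sample, flags two common security anti-patterns, and attaches a suggested fix to each finding. The rule identifiers and the sample source are assumptions for illustration, not Datadog rule names.

```python
import ast
from typing import List, Tuple

# Constructed sample source: the kind of bespoke code a Static Analysis scan reviews.
SAMPLE_SOURCE = '''
import subprocess

def run(user_input):
    subprocess.run("ls " + user_input, shell=True)   # flagged: shell=True with a dynamic command
    subprocess.run(["ls", user_input])               # not flagged: argument list, no shell
    return eval(user_input)                          # flagged: eval() on untrusted data
'''

# (line, rule_id, suggested_fix). rule_ids are placeholders invented for this example.
Finding = Tuple[int, str, str]


def _is_subprocess_shell_true(call: ast.Call) -> bool:
    """True for subprocess.<fn>(..., shell=True) with a literal True."""
    func = call.func
    if not (isinstance(func, ast.Attribute)
            and isinstance(func.value, ast.Name)
            and func.value.id == "subprocess"):
        return False
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in call.keywords
    )


def scan_source(source: str) -> List[Finding]:
    """Return findings for every call that matches one of the two example rules."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        if isinstance(node.func, ast.Name) and node.func.id == "eval":
            findings.append((
                node.lineno,
                "example/python-eval",
                "Replace eval() with ast.literal_eval() or an explicit parser",
            ))
        elif _is_subprocess_shell_true(node):
            findings.append((
                node.lineno,
                "example/subprocess-shell-true",
                "Pass the command as an argument list and drop shell=True",
            ))
    return sorted(findings)


if __name__ == "__main__":
    for line, rule, fix in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: {rule} -- {fix}")
```

Working on the AST rather than on raw text is what lets the rule distinguish the list-form `subprocess.run` call (safe, not reported) from the `shell=True` call on the line above it.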
Software Composition Analysis
Scans the open source libraries that are imported into your repositories for known vulnerabilities.
Datadog Software Composition Analysis can find vulnerable libraries across the software development lifecycle (SDLC). Code Analysis summarizes results found by directly scanning your repositories. To view all vulnerabilities found in repositories and at runtime consolidated together, see Application Security for more details.
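As an added illustration of what a Software Composition Analysis scan does (example code, not Datadog's SCA implementation), the script below reads a constructed requirements.txt-style manifest and matches each pinned library against a constructed advisory list of affected version ranges. Library names, versions and advisory identifiers are all invented placeholders; the point is the matching logic, including numeric rather than lexical version comparison.

```python
from typing import Dict, List, Tuple

# Constructed sample manifest (pinned versions), not a real project's dependencies.
SAMPLE_REQUIREMENTS = """\
# constructed sample manifest
widgetlib==2.25.1
netclient==1.26.18
parsekit==5.3.1   # pinned for a legacy tool
"""

# Constructed advisory database: library -> [(introduced, fixed, advisory_id)].
# A version is affected when introduced <= version < fixed. IDs are placeholders.
SAMPLE_ADVISORIES: Dict[str, List[Tuple[str, str, str]]] = {
    "widgetlib": [("2.0.0", "2.31.0", "ADVISORY-PLACEHOLDER-1")],
    "parsekit": [("0.0.0", "5.4.0", "ADVISORY-PLACEHOLDER-2")],
    "netclient": [("1.0.0", "1.26.5", "ADVISORY-PLACEHOLDER-3")],
}

# (library, pinned_version, advisory_id, first_fixed_version)
Finding = Tuple[str, str, str, str]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.26.18' into (1, 26, 18) so versions compare numerically.

    String comparison would wrongly rank '1.26.18' below '1.26.5'.
    """
    return tuple(int(part) for part in version.split("."))


def parse_requirements(text: str) -> Dict[str, str]:
    """Extract name -> pinned version, ignoring comments and blank lines."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop inline and full-line comments
        if not line or "==" not in line:
            continue  # this toy parser only understands exact pins
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = version.strip()
    return pins


def find_vulnerable(pins: Dict[str, str],
                    advisories: Dict[str, List[Tuple[str, str, str]]]) -> List[Finding]:
    """Report every pinned library whose version falls inside an affected range."""
    findings: List[Finding] = []
    for name, version in pins.items():
        pinned = parse_version(version)
        for introduced, fixed, advisory_id in advisories.get(name, []):
            if parse_version(introduced) <= pinned < parse_version(fixed):
                findings.append((name, version, advisory_id, fixed))
    return findings


def scan_manifest(text: str) -> List[Finding]:
    """Full SCA-style pass: parse the manifest, then match against advisories."""
    return find_vulnerable(parse_requirements(text), SAMPLE_ADVISORIES)


if __name__ == "__main__":
    for name, version, advisory_id, fixed in scan_manifest(SAMPLE_REQUIREMENTS):
        print(f"{name}=={version}: {advisory_id} (fixed in {fixed})")
```

A real scan also has to resolve transitive dependencies from a lockfile and normalise package names and pre-release versions; this example keeps only the core range-matching step.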

After you have configured Code Analysis, you can use the Code Analysis page to see a summary of the results from the Static Analysis and SCA scans for each of your configured repositories. The summarized results are always for the latest commit on the default branch of each repository, which ensures that you are seeing all the existing problems on each repository that you may want to triage and fix.

Select a repository from the list to search through and manage violations for that specific repository. By default, the results are filtered to the latest commit on the default branch of the repository, but you may change the branch or commit at the top of the page. Regardless of the selected branch or commit, all results will be organized into the following views:

Code vulnerabilities on the Code Analysis page for the Datadog Shopist service and repository

Identify and address code security risks detected by Static Analysis in the Code Vulnerabilities view.

Code quality vulnerabilities on the Code Analysis page for the Datadog Shopist service and repository

Identify and address poor coding practices detected by Static Analysis in the Code Quality view.

Library vulnerabilities on the Code Analysis page for the Datadog Shopist service and repository

Identify and address vulnerable open source libraries detected by SCA in the Library Vulnerabilities view.

A list of libraries on the Code Analysis page for the Datadog Shopist service and repository

Manage the full list of libraries detected by SCA that have been imported into your codebase in the Library List view.

With Static Analysis, you can receive automated feedback on poor coding practices and security vulnerabilities on the code you write directly in an IDE such as VS Code or IntelliJ & PyCharm, and in your pull requests on GitHub.

Set up Code Analysis on your repository

Click + Add a Repository on the Code Analysis Repositories page and select the relevant programming languages to add Code Analysis to your project. Datadog provides out-of-the-box rulesets for the following languages:

python
javascript
typescript
java
c sharp
docker
other

For more information about Static Analysis rulesets, see Static Analysis Rules.

Configure your CI/CD provider
Set up the GitHub integration

You must configure a GitHub App using the GitHub integration tile and set up the source code integration to see the offending code snippets as part of the Static Analysis results in the Datadog UI.

Further Reading