This product is not supported for your selected Datadog site. ().
Overview
Datadog Software Composition Analysis (SCA) scans your repositories for open-source libraries and detects known security vulnerabilities before you ship to production.
Datadog-hosted SCA scanning is not supported for repositories that: - Contain file names longer than 255 characters For these cases, use CI Pipelines.
Scan in CI pipelines
Datadog Static Code Analysis runs in your CI pipelines using the datadog-ci CLI.
Configure your Datadog API and application keys by adding DD_APP_KEY and DD_API_KEY as secrets. Make sure the application key has the code_analysis_read scope.
Note: You must scan your default branch at least once before results appear in Code Security.
Select your source code management provider
Datadog SCA supports all source code management providers, with native support for GitHub, GitLab, and Azure DevOps.
If you are using another source code management provider, configure SCA to run in your CI pipelines using the datadog-ci CLI tool and upload the results to Datadog.
Authentication
To upload results to Datadog, you must be authenticated. To ensure you’re authenticated, configure the following environment variables:
Name
Description
Required
Default
DD_API_KEY
Your Datadog API key. This key is created by your Datadog organization and should be stored as a secret.
Yes
DD_APP_KEY
Your Datadog application key. This key, created by your Datadog organization, should include the code_analysis_read scope and be stored as a secret.
Yes
DD_SITE
The Datadog site to send information to. Your Datadog site is .
No
datadoghq.com
Running options
There are two ways to run SCA scans from within your CI Pipelines:
You can run SCA scans automatically as part of your CI/CD workflows using built-in integrations for popular CI providers.
Datadog Software Composition Analysis CI jobs are only supported on push event trigger. Other event triggers (pull_request, for example) are not supported and can cause issues with the product.
GitHub Actions
SCA can run as a job in your GitHub Actions workflows. The action provided below invokes Datadog’s recommended SBOM tool, Datadog SBOM Generator, on your codebase and uploads the results into Datadog.
Add the following code snippet in .github/workflows/datadog-sca.yml.
Make sure to replace the dd_site attribute with the Datadog site you are using.
datadog-sca.yml
on:[push]name:Datadog Software Composition Analysisjobs:software-composition-analysis:runs-on:ubuntu-latestname:Datadog SBOM Generation and Uploadsteps:- name:Checkoutuses:actions/checkout@v3- name:Check imported libraries are secure and compliantid:datadog-software-composition-analysisuses:DataDog/datadog-sca-github-action@mainwith:dd_api_key:${{ secrets.DD_API_KEY }}dd_app_key:${{ secrets.DD_APP_KEY }}dd_site:"datadoghq.com"
To add a new pipeline in Azure DevOps, go to Pipelines > New Pipeline, select your repository, and then create/select a pipeline.
Add the following content to your Azure DevOps pipeline YAML file:
datadog-sca.yml
trigger:branches:include:# Optionally specify a specific branch to trigger on when merging- "*"variables:- group:"Datadog"jobs:- job:DatadogSoftwareCompositionAnalysisdisplayName:"Datadog Software Composition Analysis"steps:- script:| npm install -g @datadog/datadog-ci
export DATADOG_OSV_SCANNER_URL="https://github.com/DataDog/datadog-sbom-generator/releases/latest/download/datadog-sbom-generator_linux_amd64.zip"
mkdir -p /tmp/datadog-sbom-generator
curl -L -o /tmp/datadog-sbom-generator/datadog-sbom-generator.zip $DATADOG_OSV_SCANNER_URL
unzip /tmp/datadog-sbom-generator/datadog-sbom-generator.zip -d /tmp/datadog-sbom-generator
chmod 755 /tmp/datadog-sbom-generator/datadog-sbom-generator
/tmp/datadog-sbom-generator/datadog-sbom-generator scan --output=/tmp/sbom.json .
datadog-ci sbom upload /tmp/sbom.jsonenv:DD_APP_KEY:$(DD_APP_KEY)DD_API_KEY:$(DD_API_KEY)DD_SITE:datadoghq.com
For all other providers, use the customizable script in the section below to run SCA scans and upload results to Datadog.
Run Via Customizable Script
If you use a different CI provider or want more control, you can run SCA scans using a customizable script. This approach lets you manually install and run the scanner, then upload results to Datadog from any environment.
For non-GitHub repositories, run your first scan on the default branch. If your branch name is custom (not master, main, default, stable, source, prod, or develop), upload once and set the default branch in Repository Settings.
Prerequisites:
Unzip
Node.js 14 or later
# Set the Datadog site to send information toexportDD_SITE=""# Install dependenciesnpm install -g @datadog/datadog-ci
# Download the latest Datadog SBOM Generator:# https://github.com/DataDog/datadog-sbom-generator/releasesDATADOG_SBOM_GENERATOR_URL=https://github.com/DataDog/datadog-sbom-generator/releases/latest/download/datadog-sbom-generator_linux_amd64.zip
# Install Datadog SBOM Generatormkdir /datadog-sbom-generator
curl -L -o /datadog-sbom-generator/datadog-sbom-generator.zip $DATADOG_SBOM_GENERATOR_URLunzip /datadog-sbom-generator/datadog-sbom-generator.zip -d /datadog-sbom-generator
chmod 755 /datadog-sbom-generator/datadog-sbom-generator
# Run Datadog SBOM Generator to scan your dependencies/datadog-sbom-generator/datadog-sbom-generator scan --output=/tmp/sbom.json /path/to/repository
# Upload results to Datadogdatadog-ci sbom upload /tmp/sbom.json
This script uses the Linux x86_64 datadog-sbom-generator. For other systems, update the download URL. See all releases here.
Upload third-party SBOM to Datadog
Datadog recommends using the Datadog SBOM generator, but it is also possible to ingest a third-party SBOM.
You can upload SBOMs generated by other tools if they meet these requirements:
Third-party SBOM files are uploaded to Datadog using the datadog-ci command.
You can use the following command to upload your third-party SBOM. Ensure the environment variables DD_API_KEY, DD_APP_KEY, and DD_SITE
are set to your API key, APP key, and Datadog site, respectively.
Datadog associates static code and library scan results with relevant services by using the following mechanisms:
Identifying the code location in the Software Catalog
The schema version v3 and later of the Software Catalog allows you to add the mapping of your code location for your service. The codeLocations section specifies the location of the repository containing the code and its associated paths.
The paths attribute is a list of globs that should match paths in the repository.
Datadog detects file usage in additional products such as Error Tracking and associate
files with the runtime service. For example, if a service called foo has
a log entry or a stack trace containing a file with a path /modules/foo/bar.py,
it associates files /modules/foo/bar.py to service foo.
Detecting service name in paths and repository names
Datadog detects service names in paths and repository names, and associates the file with the service if a match is found.
For a repository match, if there is a service called myservice and
the repository URL is https://github.com/myorganization/myservice.git, then,
it associates myservice to all files in the repository.
If no repository match is found, Datadog attempts to find a match in the
path of the file. If there is a service named myservice, and the path is /path/to/myservice/foo.py, the file is associated with myservice because the service name is part of the path. If two services are present
in the path, the service name closest to the filename is selected.
If one method succeeds (in order), no further mapping attempts are made.
Link results to teams
Datadog automatically associates the team attached to a service when a violation or vulnerability is detected. For example, if the file domains/ecommerce/apps/myservice/foo.py
is associated with myservice, then the team myservice will be associated to any violation
detected in this file.
If no services or teams are found, Datadog uses the CODEOWNERS file in your repository. The CODEOWNERS file determines which team owns a file in your Git provider.
Note: You must accurately map your Git provider teams to your Datadog teams for this feature to function properly.
Filter by reachable vulnerabilities
Datadog offers static reachability analysis to help teams assess whether vulnerable code paths in dependencies are referenced within their application code. This capability supports more effective prioritization by identifying vulnerabilities that are statically unreachable and therefore present minimal immediate risk.
This functionality is supported only when using the Datadog SBOM Generator with the --reachability flag enabled or when running scans through Datadog-hosted infrastructure.
Reachability analysis is available exclusively for Java projects and applies only to a defined set of vetted security advisories. Vulnerabilities not included in this set are excluded from reachability evaluation.
Supported advisories
Static reachability analysis is available for the following advisories:
