Software Composition Analysis and GitHub Actions
Run a Datadog Software Composition Analysis job in your GitHub Action workflows.
SBOM Generation
The GitHub Action generates an SBOM report automatically from the dependencies declared in your repository.
The GitHub Action supports the following languages and dependency files:
- JavaScript/TypeScript: package-lock.json and yarn.lock
- Python: requirements.txt (with versions pinned) and poetry.lock
- Java: pom.xml
- C#
- Ruby
- … and more languages (listed in the documentation)
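The following is an added example, not the action's own code, showing why the requirements.txt caveat matters: a lockfile such as package-lock.json records an exact resolved version for every package, whereas a requirements.txt line is only usable for an SBOM component when it pins a version with `==`. The two parsers below extract (name, version, ecosystem) components from constructed sample inputs and report requirements that cannot be resolved to a single version. The sample inputs are made up for the example.

```python
"""Added example (not part of the Datadog action): minimal component extraction
from the two dependency-file formats named above, to show which entries can
become an SBOM component and which cannot."""
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    ecosystem: str  # "npm" or "pypi"


# Constructed sample package-lock.json (lockfileVersion 3 layout).
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "my-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-app", "version": "1.0.0"},          # root project
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/express": {"version": "4.18.2"},
        "node_modules/express/node_modules/debug": {"version": "2.6.9"},
    },
})

# Constructed sample requirements.txt mixing pinned and unpinned entries.
SAMPLE_REQUIREMENTS = """
# constructed requirements.txt
requests==2.31.0
urllib3>=1.26      # range, not a pin: no single version to record
flask
Django==4.2.7 ; python_version >= "3.8"
"""


def components_from_package_lock(text):
    """Every non-root entry in a lockfile carries an exact version."""
    data = json.loads(text)
    comps = []
    for path, info in data.get("packages", {}).items():
        if path == "":
            continue  # the repository itself, not a dependency
        # Nested installs look like node_modules/a/node_modules/b;
        # the package name is whatever follows the last node_modules/.
        name = path.split("node_modules/")[-1]
        version = info.get("version")
        if version:
            comps.append(Component(name, version, "npm"))
    return comps


PINNED_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")
NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def components_from_requirements(text):
    """Return (components, unpinned_names).

    Only `name==version` lines yield a component; ranges (>=, ~=, bare
    names) are reported separately because no exact version can be derived
    from the file alone.
    """
    comps, unpinned = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = PINNED_RE.match(line)
        if m:
            comps.append(Component(m.group(1), m.group(2), "pypi"))
        else:
            nm = NAME_RE.match(line)
            unpinned.append(nm.group(1) if nm else line)
    return comps, unpinned


if __name__ == "__main__":
    for c in components_from_package_lock(SAMPLE_PACKAGE_LOCK):
        print("npm  ", c.name, c.version)
    pinned, missing = components_from_requirements(SAMPLE_REQUIREMENTS)
    for c in pinned:
        print("pypi ", c.name, c.version)
    print("unpinned (no SBOM entry possible):", missing)
```

Running it lists three npm components and two pypi components, and flags `urllib3` and `flask` as unpinned. In practice, generate requirements.txt with `pip freeze` or a lock tool so every line is an exact pin; otherwise those dependencies are missing from the SBOM and from any vulnerability match against it.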
Setup
Set up keys
Add DD_APP_KEY and DD_API_KEY as secrets in your GitHub Actions settings.
Workflow
Add the following code snippet in .github/workflows/datadog-sca.yml.

```yaml
on: [push]
name: Datadog Software Composition Analysis
jobs:
  software-composition-analysis:
    runs-on: ubuntu-latest
    name: Datadog SBOM Generation and Upload
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Check imported libraries are secure and compliant
        id: datadog-software-composition-analysis
        uses: DataDog/datadog-sca-github-action@main
        with:
          dd_api_key: ${{ secrets.DD_API_KEY }}
          dd_app_key: ${{ secrets.DD_APP_KEY }}
          dd_service: my-app
          dd_env: ci
          dd_site: # set to your Datadog site
```

Note that `DataDog/datadog-sca-github-action@main` follows the head of the action's main branch, so the code that receives your API and application keys can change between runs without any change on your side. GitHub's hardening guidance for third-party actions is to pin them to a full commit SHA rather than a branch or tag, and to review the diff when updating the pin.
Further Reading
Additional helpful documentation, links, and articles: