Static Analysis Setup


Code Analysis is in public beta.

Overview

To use Datadog Static Analysis, add a static-analysis.datadog.yml file to your repository’s root directory and specify which rulesets you want to include for your programming language(s).

Copy and paste the Code Quality and Security rulesets from the available options for Python on the Code Analysis Setup page

Select one or multiple programming languages and choose which rulesets you want to copy and use on the Code Analysis Setup page.

Add a Static Analysis YAML file to your project

You can include the following options in the static-analysis.datadog.yml file:

Name | Description | Required | Default
rulesets | A list of ruleset names. View all available rulesets. | true | (none)
ignore-paths | A list of relative paths to ignore. It supports using globbing patterns. | false | (none)
ignore-gitignore | Determines whether Datadog Static Analysis analyzes the content in a .gitignore file. | false | false

For example, you can use the following:

rulesets:
  - python-best-practices
  - python-security
  - python-code-style
  - python-inclusive
  - python-design
ignore-paths:
  - "path/to/ignore"
  - "**.js"

This example contains Python and JavaScript rulesets for code quality and security:

rulesets:
- python-best-practices           # ensure best practices are followed
- python-code-style               # code-style enforcement for Python
- python-design                   # check basic design rules
- python-inclusive                # ensure that we use inclusive wording in our codebase
- python-security                 # ensure your Python code is safe and secure
- javascript-best-practices       # ensure best practices are followed
- javascript-code-style           # code-style enforcement for JavaScript
- javascript-inclusive            # ensure that we use inclusive wording in our codebase
- javascript-common-security      # ensure your JavaScript code is safe and secure

Set up the GitHub integration

You must configure a GitHub App using the GitHub integration tile and set up the source code integration to see the offending code snippets as part of the Static Analysis results in the Datadog UI.

Configure your CI/CD provider

Datadog Static Analysis runs in your CI pipelines using the datadog-ci CLI and checks your code against Datadog’s default rulesets. Configure your Datadog API and application keys and run Static Analysis in the respective CI provider.

See the documentation for information about the following integrations:


Upload third-party static analysis results to Datadog

SARIF importing has been tested for Snyk, CodeQL, Semgrep, Checkov, Gitleaks, and Sysdig. Please reach out to Datadog Support if you experience any issues with other SARIF-compliant tools.

You can send results from third-party static analysis tools to Datadog, provided they are in the interoperable Static Analysis Results Interchange Format (SARIF). Node.js version 14 or later is required.

To upload a SARIF report:

  1. Ensure the DD_API_KEY and DD_APP_KEY variables are defined.

  2. Optionally, set a DD_SITE variable (this defaults to datadoghq.com).

  3. Install the datadog-ci utility:

    npm install -g @datadog/datadog-ci
    
  4. Run the third-party static analysis tool on your code and output the results in the SARIF format.

  5. Upload the results to Datadog:

    datadog-ci sarif upload $OUTPUT_LOCATION --service <datadog-service> --env <datadog-env>
    
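Before running step 5, a pipeline can sanity-check the SARIF file produced in step 4 and gate on severity. The following is an added example (not Datadog's or datadog-ci's code) that validates the minimum SARIF 2.1.0 structure, summarizes findings per level and rule, and decides whether to block the upload; the embedded report and its tool name, rule IDs and paths are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample, shaped like a third-party scanner's SARIF output (not real findings).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "results": [
            {"ruleId": "SQLI-001", "level": "error", "message": {"text": "Query built with string formatting"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                                 "region": {"startLine": 42}}}]},
            {"ruleId": "STYLE-007", "level": "warning", "message": {"text": "Unused import 'os'"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/main.py"},
                                                 "region": {"startLine": 3}}}]},
        ],
    }],
})

def load_sarif(text):
    """Parse a SARIF document and check the minimum structure an upload needs."""
    doc = json.loads(text)
    if doc.get("version") != "2.1.0":
        raise ValueError("expected SARIF version 2.1.0, got %r" % doc.get("version"))
    if not doc.get("runs"):
        raise ValueError("SARIF document has no runs")
    for run in doc["runs"]:
        if "name" not in run.get("tool", {}).get("driver", {}):
            raise ValueError("run is missing tool.driver.name")
        for result in run.get("results", []):
            if "ruleId" not in result or "message" not in result:
                raise ValueError("result is missing ruleId or message")
    return doc

def summarize(doc):
    """Count findings per level and per rule, and list (tool, rule, file, line) for each."""
    by_level, by_rule, locations = Counter(), Counter(), []
    for run in doc["runs"]:
        tool = run["tool"]["driver"]["name"]
        for r in run.get("results", []):
            by_level[r.get("level", "warning")] += 1  # SARIF's default level when absent is "warning"
            by_rule[r["ruleId"]] += 1
            for loc in r.get("locations", []):
                phys = loc.get("physicalLocation", {})
                locations.append((tool, r["ruleId"], phys.get("artifactLocation", {}).get("uri", "?"),
                                  phys.get("region", {}).get("startLine", 0)))
    return {"by_level": dict(by_level), "by_rule": dict(by_rule), "locations": locations}

def should_block_upload(summary, fail_on=("error",)):
    """Pipeline gate: True when any finding sits at a level listed in fail_on."""
    return any(summary["by_level"].get(lvl, 0) > 0 for lvl in fail_on)
```

In a CI job, run this against the file in $OUTPUT_LOCATION and fail the step when should_block_upload returns True, so the upload in step 5 only happens for reports that meet your policy.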

Further Reading