Static Analysis is not available for the site.
Static Analysis is a clear-box software testing technique that analyzes a program’s pre-production code without the need to execute the program, meaning that the program is static because it isn’t running. Static Analysis helps you identify maintainability issues and security vulnerabilities early in the Software Development Life Cycle (SDLC) to ensure only the highest quality, most secure code makes it to production. Static Analysis tools that scan for security vulnerabilities are also commonly referred to as Static Application Security Testing (SAST) tools.
Using Static Analysis provides organizations with the following benefits:
- Static Analysis takes the guesswork out of adhering to an organization’s code standards, enabling your development team to ship compliant code without significant impacts to developer velocity.
- An organization’s applications are less vulnerable to security breaches over time, due to new vulnerabilities being caught through SAST scans before code reaches production.
- New developers to an organization are able to onboard faster because Static Analysis enables an organization to maintain a more readable codebase over time.
- An organization’s software becomes reliable over time by virtue of the code being more maintainable because the risk of a developer introducing new defects to the code is minimized.
With Static Analysis, you can integrate feedback on code reviews for various languages in any CI platform provider of choice. See the documentation for information about the following integrations:
With Static Analysis, you can get real-time feedback as you edit a file in your Integrated Development Environment (IDE). See the documentation for information about the following integrations:
To use Datadog Static Analysis, add a
static-analysis.datadog.yml file to your repository’s root directory to specify which rulesets to use.
For example, for Python rules:
static-analysis.datadog.yml file supports the following:
|A list of ruleset names. View all available rulesets.|
|A list of relative paths to ignore. It supports using globbing patterns.|
|Determines whether Datadog Static Analysis analyzes the content in a |
Configure your Datadog API and application keys and run Static Analysis in the respective CI provider.
If you don’t use CircleCI Orbs or GitHub Actions, you can run the Datadog CLI directly in your CI pipeline platform.
Configure the following environment variables:
|Your Datadog API key. This key is created by your Datadog organization and should be stored as a secret.||Yes|
|Your Datadog application key. This key is created by your Datadog organization and should be stored as a secret.||Yes|
|The Datadog site to send information to. Your Datadog site is |
Provide the following inputs:
|The name of the service to tag the results with.||Yes|
|The environment to tag the results with. |
ci is a helpful value for this input.
|Set the number of CPUs used by the analyzer. Defaults to the number of CPUs available.||No|
|The subdirectory path the analysis should be limited to. The path is relative to the root directory of the repository.||No|
Add a `--performance-statistics` flag to your static analysis command to get execution time statistics for analyzed files.
Select an analyzer for your architecture and OS:
Add the following to your CI pipeline:
The following example uses the x86_64 Linux version of Datadog's static analyzer. If you're using a different OS or architecture, you should select it from the table above and update the DATADOG_STATIC_ANALYZER_URL value below. You can view all releases on our GitHub Releases
# Install dependencies
npm install -g @datadog/datadog-ci
# Download the latest Datadog static analyzer:
curl -L $DATADOG_STATIC_ANALYZER_URL > /tmp/ddog-static-analyzer.zip
unzip /tmp/ddog-static-analyzer.zip -d /tmp
mv /tmp/datadog-static-analyzer /usr/local/datadog-static-analyzer
# Run Static Analysis
/usr/local/datadog-static-analyzer -i . -o /tmp/report.sarif -f sarif
# Upload results
datadog-ci sarif upload /tmp/report.sarif --service <service> --env <env>
Upload third-party static analysis results to Datadog
SARIF importing has been tested for Snyk, CodeQL, Semgrep, Checkov, Gitleaks, and Sysdig. Please reach out to Datadog Support
if you experience any issues with other SARIF-compliant tools.
You can send results from third-party static analysis tools to Datadog, provided they are in the interoperable Static Analysis Results Interchange Format (SARIF) Format.
To upload a SARIF report:
DD_APP_KEY variables are defined.
Optional: Set a
DD_SITE variable (default:
npm install -g @datadog/datadog-ci
Run the third-party static analysis tool on your code and output the results in the SARIF format.
Upload the results to Datadog:
datadog-ci sarif upload $OUTPUT_LOCATION --service <datadog-service> --env <datadog-env>
Run Static Analysis in a CI pipeline
Datadog Static Analysis runs in your CI pipelines using the
datadog-ci CLI and checks your code against Datadog’s default rulesets.
Search and filter results
After you configure your CI pipelines to run the Datadog Static Analyzer, violations appear on the Static Analysis Results page. To filter your results, use the facets to the left of the list, or search.
Each violation is associated with a specific commit and branch from your repository on which the CI pipeline ran. The rows represent every violation per commit.
Click on a violation to open a side panel that contains information about the scope of the violation and where it originated.
The content of the violation is shown in tabs:
- Source Code: A description of the violation and the lines of code that caused it. To see the offending code snippet, configure the Datadog GitHub App.
- Fixes: One or more code fixes that can resolve the violation, which you can copy and paste.
- Event: JSON metadata regarding the Static Analysis violation event.
Using suggested fixes
In Datadog Static Analysis, there are two types of suggested fixes:
- Default Suggested Fix: For simple violations like linting issues, the rule analyzer automatically provides templated fixes.
- AI Suggested Fix: For complex violations, fixes are typically not available beforehand. Instead, you can use AI Suggested Fixes, which use OpenAI’s GPT-4 to generate a suggested fix. You can choose between “Text” and “Unified Diff” fixes, which outputs plain text instructions or a code change for resolving the violation, respectively.
The two types of fixes are distinguished visually in the UI with different labels.
Default Suggested Fixes:
AI Suggested Fixes:
You can ignore a specific instance of a violation by commenting
no-dd-sa above the line of code to ignore. This prevents that line from ever producing a violation. For example, in the following Python code snippet, the line
foo = 1 would be ignored by Static Analysis scans.
foo = 1
bar = 2
Additional helpful documentation, links, and articles: