Static Analysis and GitHub Actions

Overview

Run a Datadog Static Analysis job in your GitHub Actions workflows. This action wraps the Datadog Static Analyzer, runs it against the checked-out codebase, and uploads the results to Datadog.

Workflow

Create a file in .github/workflows to run a Datadog Static Analysis job.

The following is a sample workflow file.

on: [push]

jobs:
  check-quality:
    runs-on: ubuntu-latest
    name: Datadog Static Analyzer
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Check code meets quality standards
        id: datadog-static-analysis
        uses: DataDog/datadog-static-analyzer-github-action@v1
        with:
          dd_app_key: ${{ secrets.DD_APP_KEY }}
          dd_api_key: ${{ secrets.DD_API_KEY }}
          dd_service: "my-service"
          dd_env: "ci"
          dd_site: "datadoghq.com"
          cpu_count: 2
          enable_performance_statistics: false

Store your Datadog API and application keys as GitHub Actions secrets, at either the organization or repository level, and reference them in the workflow as shown above. Ensure that the application key has the code_analysis_read scope. For more information, see API and Application Keys.

Make sure to replace dd_site with the Datadog site you are using.
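As an added example (not from the Datadog documentation or the action's repository), the same workflow with the least-privilege settings a reviewer would expect: an explicit read-only GITHUB_TOKEN, a pull_request trigger so diff-aware scanning has a feature branch to compare against, and the analysis limited to one subdirectory. The dd_service, dd_site and subdirectory values are placeholders to replace with your own; the input names are the ones listed under Inputs below.

```yaml
name: Datadog Static Analysis

on:
  push:
    branches: [main]
  pull_request:

# Least privilege: the action authenticates to Datadog with the API/app key
# secrets, so the workflow's GITHUB_TOKEN only needs to read the checkout.
permissions:
  contents: read

jobs:
  check-quality:
    runs-on: ubuntu-latest
    name: Datadog Static Analyzer
    steps:
      - name: Checkout
        # Tags are shown for readability; pin to a full commit SHA in
        # production so a retargeted tag cannot change what runs here.
        uses: actions/checkout@v4
      - name: Check code meets quality standards
        id: datadog-static-analysis
        uses: DataDog/datadog-static-analyzer-github-action@v1
        with:
          dd_app_key: ${{ secrets.DD_APP_KEY }}   # must carry the code_analysis_read scope
          dd_api_key: ${{ secrets.DD_API_KEY }}
          dd_service: "my-service"                # placeholder: your service name
          dd_env: "ci"
          dd_site: "datadoghq.com"                # placeholder: your Datadog site
          subdirectory: "src"                     # placeholder: limit analysis to src/
          diff_aware: true                        # default; shown explicitly
          cpu_count: 2
```

One caveat with the pull_request trigger: GitHub does not expose repository secrets to workflow runs triggered by pull requests from forks, so on a public repository those runs cannot authenticate to Datadog and the step will fail. Either accept that for fork PRs or scan only on push to protected branches.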

Inputs

You can set the following parameters for Static Analysis.

| Name | Description | Required | Default |
| --- | --- | --- | --- |
| dd_api_key | Your Datadog API key. This key is created by your Datadog organization and should be stored as a secret. | Yes | none |
| dd_app_key | Your Datadog application key. This key is created by your Datadog organization and should be stored as a secret. | Yes | none |
| dd_service | The service you want your results tagged with. | Yes | none |
| dd_env | The environment you want your results tagged with. Datadog recommends using ci as the value for this input. | No | none |
| dd_site | The Datadog site to send information to. | No | datadoghq.com |
| cpu_count | Set the number of CPUs used by the analyzer. | No | 2 |
| enable_performance_statistics | Get the execution time statistics for analyzed files. | No | false |
| debug | Lets the analyzer print additional logs useful for debugging. To enable, set to yes. | No | no |
| subdirectory | A subdirectory pattern or glob (or space-delimited subdirectory patterns) that the analysis should be limited to. For example: "src" or "src packages". | No | none |
| architecture | The CPU architecture to use for the analyzer. Supported values are x86_64 and aarch64. | No | x86_64 |
| diff_aware | Enable diff-aware scanning mode. | No | true |
| secrets_enabled | Enable secrets detection (in private beta). | No | false |

Notes

  1. Diff-aware scanning only scans the files modified by a commit when analyzing feature branches. Diff-aware scanning is enabled by default. To disable it, set the diff_aware input of the GitHub action to false.
  2. Secrets scanning is in private beta. To enable secrets scanning, please contact your Datadog customer success manager.

Customizing rules

By default, the Datadog Static Analyzer detects the languages in your codebase and analyzes it with the default rulesets for those languages.

To specify and customize the rulesets, add a static-analysis.datadog.yml file to your repository's root directory that lists the rulesets to use:

rulesets:
  - <ruleset-name>
  - <ruleset-name>

Refer to the Datadog documentation for a complete list of rulesets.

Example for Python

Here is an example for Python-based repositories:

rulesets:
  - python-code-style
  - python-best-practices
  - python-inclusive

Other useful GitHub Actions

Datadog Software Composition Analysis (SCA) also offers the ability to scan your dependencies and detect vulnerabilities and licenses. You can use this product with the datadog-sca-github-action.

Further Reading

Additional helpful documentation, links, and articles: