Code Analysis

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!
Join the Preview!

Code Analysis is in Preview.

Code Analysis is not available for the site.

Overview

Datadog Software Composition Analysis can find vulnerable libraries across the software development lifecycle (SDLC). Code Analysis summarizes results found by directly scanning your repositories. To view all vulnerabilities found in repositories and at runtime consolidated together, see Application Security for more details.

Code Analysis scans your repositories to find security vulnerabilities and code quality issues. It encompasses two capabilities: Static Analysis for your first-party code, and Software Composition Analysis (SCA) for open-source dependencies in your codebase.

Static Analysis
Scans your bespoke code for maintainability issues, bugs, performance issues, and security vulnerabilities early in the development lifecycle to catch issues from reaching production and, when possible, provide suggested fixes to help engineering teams address these issues before they impact users.
Software Composition Analysis
Scans the open source libraries that are imported into your repositories for known security vulnerabilities, license risks, and end-of-life libraries.

Set up Code Analysis on your repository

Click + Add a Repository on the Code Analysis Repositories page and choose to run the scans directly in Datadog or in your CI pipelines.

Datadog-hosted scans are supported by Software Composition Analysis (SCA) and GitHub repositories only. To enable Static Analysis or use a different CI provider, run scans in your CI pipelines instead.

With Datadog-hosted scans, your code is scanned within Datadog’s infrastructure as opposed to within your CI pipeline. Datadog reads your code, runs the static analyzer to perform Static Analysis and/or Software Composition Analysis, and uploads the results.

Using Datadog-hosted scans eliminates the need for you to configure a CI pipeline so you can use Code Analysis.

To enable Software Composition Analysis on GitHub repositories, click Select Repositories on your desired GitHub account and click the toggle for Enable Software Composition Analysis (SCA) to enable for all repositories. If you don’t see any GitHub accounts listed, create a new GitHub App to get started.

Enable Software Composition Analysis on all repositories for your GitHub account

Optionally, you can select specific GitHub repositories to enable SCA by clicking the toggle for each repository.

Enable Software Composition Analysis on a GitHub repository

If you do not want to run your scans directly through Datadog, you can select which scans you’d like to run (Static Analysis and Software Composition Analysis) and configure your CI pipeline provider accordingly.

Configure your CI/CD provider

See the following documentation to configure your CI/CD provider to run Static Analysis and SCA scans:

Set up the GitHub integration

You can configure a GitHub App by using the GitHub integration tile and setting up the source code integration to see the offending code snippets as part of the Static Analysis results in Datadog.

Link to GitHub from the Code Analysis view

For more information, see the Source Code Integration documentation.

Static Analysis integrations

With Static Analysis, you can receive automated feedback on poor coding practices and security vulnerabilities on the code you write directly in an IDE such as VS Code or IntelliJ & PyCharm, and in your pull requests on GitHub.

A Static Analysis result in Visual Studio Code

Search and manage repositories

After you have configured Code Analysis, you can see a summary of the results from the Static Analysis and SCA scans for each of your repositories on the Code Analysis page. By default, the summarized results are shown for the latest scanned commit on the default branch of the repository, which ensures that you are seeing all the existing problems on each repository that you may want to triage and fix.

A list of repositories with code and library scan results on the Code Analysis page

Select a repository from the list to search through and manage violations for that specific repository. By default, results are shown for the latest scanned commit on the default branch of the repository, but you may change the branch or commit at the top of the page. Results can also be filtered by service or team facets. For more information about how results are linked to Datadog services and teams, see Getting Started with Code Analysis.

Regardless of the selected branch or commit, all results are organized into the following views:

Code vulnerabilities on the Code Analysis page for the Datadog Shopist service and repository

Identify and address code security risks detected by Static Analysis in the Code Vulnerabilities view.

Code quality vulnerabilities on the Code Analysis page for the Datadog Shopist service and repository

Identify and address poor coding practices detected by Static Analysis in the Code Quality view.

Library vulnerabilities on the Code Analysis page for the Datadog Shopist service and repository

Identify and address vulnerable open source libraries detected by SCA in the Library Vulnerabilities view.

A list of libraries on the Code Analysis page for the Datadog Shopist service and repository

Manage the full list of libraries detected by SCA that have imported into your codebase in the Library Catalog view.

Further Reading