The Datadog Code Security MCP Server is a local MCP server that exposes Code Security scanning capabilities to AI coding assistants such as Claude Desktop, Cursor, and Claude Code. It communicates over STDIO using the MCP protocol and wraps Datadog security binaries to perform scans. It can also be used as a CLI tool.

Available tools

The MCP server exposes the following tools that AI coding assistants can call to run security scans on your codebase:

For detailed parameters, required binaries, and output formats for each tool, see the Tools Reference.

Setup

Prerequisites

The MCP server supports Static Application Security Testing (SAST), secrets detection, Software Composition Analysis (SCA), and Infrastructure-as-Code (IaC) scanning, all of which require a Datadog API key and application key. For instructions on creating them, see API and Application Keys.

Install the MCP server

The MCP server is available on the following platforms:

Homebrew (recommended)

brew update
brew install --cask datadog-labs/pack/datadog-code-security-mcp

GitHub releases

curl -L "https://github.com/datadog-labs/datadog-code-security-mcp/releases/latest/download/datadog-code-security-mcp-$(uname -s | tr '[:upper:]' '[:lower:]')-$(uname -m).tar.gz" | tar xz
sudo install -m 755 datadog-code-security-mcp /usr/local/bin/

Run the following command to verify the installation:

datadog-code-security-mcp version

Install security binaries

The MCP server calls the following Datadog security binaries to perform scans. Install the ones you need for the scan types you want to use:

Configure your client

Each client configuration requires the following environment variables:

*Required for SAST, Secrets, SCA, and IaC scanning. SBOM generation works without authentication.

claude mcp add datadog-code-security \
  -e DD_API_KEY=<your-api-key> \
  -e DD_APP_KEY=<your-app-key> \
  -e DD_SITE=datadoghq.com \
  -- datadog-code-security-mcp start

claude mcp list | grep datadog-code-security

{
    "mcpServers": {
        "datadog-code-security": {
            "command": "datadog-code-security-mcp",
            "args": ["start"],
            "env": {
                "DD_API_KEY": "<your-api-key>",
                "DD_APP_KEY": "<your-app-key>",
                "DD_SITE": "datadoghq.com"
            }
        }
    }
}

{
    "mcpServers": {
        "datadog-code-security": {
            "command": "datadog-code-security-mcp",
            "args": ["start"],
            "env": {
                "DD_API_KEY": "<your-api-key>",
                "DD_APP_KEY": "<your-app-key>",
                "DD_SITE": "datadoghq.com"
            }
        }
    }
}

{
    "mcp": {
        "servers": {
            "datadog-code-security": {
                "command": "datadog-code-security-mcp",
                "args": ["start"],
                "env": {
                    "DD_API_KEY": "<your-api-key>",
                    "DD_APP_KEY": "<your-app-key>",
                    "DD_SITE": "datadoghq.com"
                }
            }
        }
    }
}

Usage examples

AI assistant prompts

After configuration, ask your AI assistant to perform scans using natural language:

CLI commands

The MCP server can also be used directly as a CLI tool.

Run a comprehensive scan across all scan types:

datadog-code-security-mcp scan all ./src

Run individual scan types:

datadog-code-security-mcp scan sast ./src
datadog-code-security-mcp scan secrets ./config
datadog-code-security-mcp scan sca ./
datadog-code-security-mcp scan iac ./terraform

Generate an SBOM:

datadog-code-security-mcp generate-sbom .

Add --json to any command for JSON output:

datadog-code-security-mcp scan all ./src --json
datadog-code-security-mcp generate-sbom . --json

Further Reading

Más enlaces, artículos y documentación útiles:

Identify common security risks in MCP serversBLOG Datadog MCP Server for cloud-based access to Datadog featuresDOCUMENTATION