Set up SCA with GitLab CI/CD

Este producto no es compatible con el sitio Datadog seleccionado. ().
Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Run a Datadog Software Composition Analysis (SCA) job in your GitLab CI/CD pipelines.

Datadog Software Composition Analysis CI jobs are only supported on push event triggers. Other event triggers (for example, pull_request) are not supported and can cause issues with the product.

Environment variables

Configure the following environment variables in your GitLab CI/CD settings.

NameDescriptionRequiredDefault
DD_API_KEYYour Datadog API key. This key is created by your Datadog organization and should be stored as a secret.Yes
DD_APP_KEYYour Datadog application key. This key is created by your Datadog organization, must include the code_analysis_read scope, and should be stored as a secret.Yes
DD_SITEThe Datadog site to send information to.Nodatadoghq.com

Set up the pipeline

Add the following to your .gitlab-ci.yml file, or place it in an include section.

.gitlab-ci.yml

# Ensure stages definition is only defined in the root .gitlab-ci.yml file.
stages:
  - software_composition_analysis

variables:
  DD_SITE: "datadoghq.com"
  DD_APP_KEY: "$DD_APP_KEY"
  DD_API_KEY: "$DD_API_KEY"

datadog_software_composition_analysis:
  stage: software_composition_analysis
  image: node:lts
  script:
    - apt-get update && apt-get install -y curl unzip
    - npm install -g @datadog/datadog-ci
    - export DATADOG_SBOM_GENERATOR_URL="https://github.com/DataDog/datadog-sbom-generator/releases/latest/download/datadog-sbom-generator_linux_amd64.zip"
    - mkdir -p /datadog-sbom-generator
    - curl -L -o /datadog-sbom-generator/datadog-sbom-generator.zip $DATADOG_SBOM_GENERATOR_URL
    - unzip /datadog-sbom-generator/datadog-sbom-generator.zip -d /datadog-sbom-generator
    - chmod 755 /datadog-sbom-generator/datadog-sbom-generator
    # Scanning the current repository; adjust the scan directory as needed.
    - /datadog-sbom-generator/datadog-sbom-generator scan --output=/tmp/sbom.json .
    - datadog-ci sbom upload /tmp/sbom.json

The snippet uses the x86_64 Linux version of Datadog’s SBOM generator. If you’re using a different OS or architecture, update the DATADOG_SBOM_GENERATOR_URL accordingly.