Software Composition Analysis and GitHub Actions


Run a Datadog Software Composition Analysis job in your GitHub Action workflows.

SBOM Generation

The GitHub Action automatically generates an SBOM report from the dependencies declared in your repository.

The GitHub Action supports the following languages and files:

  • JavaScript/TypeScript: package-lock.json and yarn.lock
  • Python: requirements.txt (with version defined) and poetry.lock
  • Java: pom.xml
  • C#
  • Ruby
  • … and more languages (listed in the documentation)
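
A pre-flight check for the file list above, as an added example (not Datadog's code): it finds the manifests named on this page in a repository and flags `requirements.txt` entries that carry no version. The names `scan_repo` and `unpinned_requirements` are hypothetical, and the check assumes "version defined" means an exact `==` pin.

```python
import re
from pathlib import Path

# File names from the list above (the page names no files for C# or Ruby).
SUPPORTED = {"package-lock.json", "yarn.lock", "requirements.txt", "poetry.lock", "pom.xml"}
# Assumption: "version defined" means an exact pin such as name==1.2.3.
PINNED = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?\s*={2,3}\s*[^\s;,]+")

def unpinned_requirements(text):
    """Return (line_number, entry) for requirement entries without an exact pin."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = re.split(r"\s+#", raw, maxsplit=1)[0].strip()  # drop trailing comment
        if not line or line.startswith("#"):
            continue
        editable = line.startswith(("-e ", "--editable"))
        if line.startswith("-") and not editable:
            continue  # pip options (-r, --hash, --index-url) are not packages
        if editable or not PINNED.match(line):
            findings.append((number, line))
    return findings

def scan_repo(root):
    """Map each supported manifest under root to its unpinned entries."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.name not in SUPPORTED or not path.is_file():
            continue
        if {".git", "node_modules"} & set(path.relative_to(root).parts):
            continue  # skip VCS data and vendored packages
        issues = []
        if path.name == "requirements.txt":
            issues = unpinned_requirements(path.read_text(encoding="utf-8"))
        report[path.relative_to(root).as_posix()] = issues
    return report

# Constructed sample input, not taken from any real project.
SAMPLE = """\
flask==3.0.0
requests>=2.0
uvicorn[standard]==0.30.1  # exact pin with extras
numpy
-r dev-requirements.txt
-e ./libs/internal
"""

if __name__ == "__main__":
    for number, entry in unpinned_requirements(SAMPLE):
        print(f"requirements.txt:{number}: no exact version: {entry}")
```

An empty result from `scan_repo` means none of the files named above were found in the repository.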


Set up keys

Add DD_APP_KEY and DD_API_KEY as secrets in your GitHub Actions Settings.


Add the following code snippet in .github/workflows/datadog-sca.yml.

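# Run the analysis on every push
on: [push]

name: Datadog Software Composition Analysis

jobs:
  software-composition-analysis:
    runs-on: ubuntu-latest
    name: Datadog SBOM Generation and Upload
    steps:
    # The repository must be checked out so the dependency files can be read
    - name: Checkout
      uses: actions/checkout@v3
    - name: Check imported libraries are secure and compliant
      id: datadog-software-composition-analysis
      uses: DataDog/datadog-sca-github-action@main
      with:
        # Keys come from the GitHub Actions secrets configured above
        dd_api_key: ${{ secrets.DD_API_KEY }}
        dd_app_key: ${{ secrets.DD_APP_KEY }}
        dd_service: my-app
        dd_env: ci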
