Run a Datadog secrets scanning job in your GitHub Actions workflows. This action wraps the Datadog Static Analyzer (which scans for secrets), invokes it against your codebase, and uploads the results to Datadog.

Workflow

Create a file in .github/workflows to run a Datadog secrets scanning job.

The following is a sample workflow file.

on: [push]

jobs:
  check-quality:
    runs-on: ubuntu-latest
    name: Datadog Static Analyzer
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Check code meets quality standards
        id: datadog-static-analysis
        uses: DataDog/datadog-static-analyzer-github-action@v1
        with:
          dd_app_key: ${{ secrets.DD_APP_KEY }}
          dd_api_key: ${{ secrets.DD_API_KEY }}
          dd_site: "datadoghq.com"
          cpu_count: 2
          enable_performance_statistics: false
          static_analysis_enabled: false
          secrets_enabled: true

You must set your Datadog API and application keys as secrets in your GitHub repository, at either the organization or repository level. Ensure that you add the code_analysis_read scope to your Datadog application key. For more information, see API and Application Keys.

Make sure to replace dd_site with the Datadog site you are using.
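
The following check is an added example, not part of the Datadog documentation or the action itself: it lints a workflow file so that dd_api_key and dd_app_key are always GitHub secrets references rather than literal values, and that secrets_enabled is set to true as in the sample above. The function name lint_workflow and the BAD sample are constructed for illustration, and the parser assumes block-style YAML with uses: written before with: in each step.

```python
import re

ACTION = "DataDog/datadog-static-analyzer-github-action@"
KEY_INPUTS = ("dd_api_key", "dd_app_key")  # marked required in the Inputs table
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.\w+\s*\}\}")
PAIR = re.compile(r"\s*(-\s+)?([A-Za-z_]\w*):\s*(.*)")

def lint_workflow(text):
    """Return findings for steps that use the Datadog analyzer action.

    Line-based (no YAML library); assumes block-style YAML with `uses:`
    written before `with:` in each step, as in the sample workflow.
    """
    findings, inputs, in_step, found = [], {}, False, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = PAIR.fullmatch(raw.rstrip())
        if not m:
            continue
        dash, key = m.group(1), m.group(2)
        # Drop a trailing comment and surrounding quotes from the value.
        value = re.sub(r"\s+#.*", "", m.group(3)).strip().strip("\"'")
        if dash:  # a new list item starts a new step
            in_step = False
        if key == "uses":
            in_step = value.startswith(ACTION)
            found = found or in_step
        elif in_step:
            inputs[key] = value
            if key in KEY_INPUTS and not SECRET_REF.fullmatch(value):
                # Report the location only; never echo the value into CI logs.
                findings.append(f"line {lineno}: {key} is not a secrets reference")
    if found:
        findings += [f"{k} is missing" for k in KEY_INPUTS if k not in inputs]
        if inputs.get("secrets_enabled") != "true":
            findings.append("secrets_enabled is not set to true")
    return findings

# Constructed sample: a literal key committed in the file, secrets scanning off.
BAD = """\
steps:
  - name: Scan
    uses: DataDog/datadog-static-analyzer-github-action@v1
    with:
      dd_app_key: ${{ secrets.DD_APP_KEY }}
      dd_api_key: "constructed-not-a-real-key"
      secrets_enabled: false
"""

if __name__ == "__main__":
    for finding in lint_workflow(BAD):
        print(finding)
```

Run it over every file in .github/workflows in a pre-merge check and fail the job when the returned list is not empty.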

Inputs

You can set the following parameters for Static Code Analysis.

| Name | Description | Required | Default |
|------|-------------|----------|---------|
| dd_api_key | Your Datadog API key. This key is created by your Datadog organization and should be stored as a secret. | Yes | |
| dd_app_key | Your Datadog application key. This key is created by your Datadog organization and should be stored as a secret. | Yes | |
| dd_site | The Datadog site to send information to. | No | datadoghq.com |
| cpu_count | Set the number of CPUs used by the analyzer. | No | 2 |
| enable_performance_statistics | Get the execution time statistics for analyzed files. | No | false |
| debug | Lets the analyzer print additional logs useful for debugging. To enable, set to yes. | No | no |
| architecture | The CPU architecture to use for the analyzer. Supported values are x86_64 and aarch64. | No | x86_64 |