Set up SCA in your repositories
Overview
Datadog Software Composition Analysis (SCA) scans your repositories for open-source libraries and detects known security vulnerabilities before you ship to production.
When installing a GitHub App, the following permissions are required to enable certain features:
Content: Read, which allows you to see code snippets displayed in Datadog
Pull Request: Read & Write, which allows Datadog to add feedback for violations directly in your pull requests using pull request comments.
Checks: Read & Write, which allows you to create checks on SAST violations to block pull requests
Repositories from Azure DevOps are supported in closed Preview. Your Azure DevOps organizations must be connected to a Microsoft Entra tenant. Join the Preview.
If Azure DevOps is your source code management provider, before you can begin installation, you must request access to the closed Preview using the form above. After being granted access, follow the instructions below to complete the setup process.
Note: Azure DevOps Server is not supported.
Create and register a Microsoft Entra app
If you are an admin in your Azure portal, you can configure Entra apps to connect your tenant to Datadog.
In Activate scanning for your repositories, click Manage Repositories.
Select CI Pipelines.
Select the scan types you want to use.
Select Azure DevOps as your source code management provider.
If this is your first time connecting an Azure DevOps organization to Datadog, click Connect Azure DevOps Account.
When connecting a Microsoft Entra tenant for the first time, you need to go to your Azure Portal to register a new application. During the registration, ensure the following:
Select Accounts in this organizational directory only (Datadog, Inc. only - Single tenant) as the account type.
Set the redirect URI to Web and paste the URI given to you in the instructions.
Copy the values for Application (client) ID and Directory (tenant) ID and paste them into Datadog.
In the Azure Portal for your app registration, navigate to Manage > Certificates & secrets and switch to Client secrets.
Click New client secret and create a secret with your desired description and expiration values.
Copy the string in the Value column for your new secret, paste it into Datadog, and click Create Configuration to finish connecting your Entra tenant to Datadog.
Add one or more Azure DevOps organizations by pasting the organization slug into Datadog and then adding your Service Principal as a user by going to Organization settings > Users > Add users.
Your Service Principal will need the Basic access level and at least the Project Contributor security group.
Click Submit Organization.
Configure project service hooks
To enable all Code Security features in Azure DevOps, you need a Datadog API key to configure service hooks for your projects.
First, set your environment variables (note: the Datadog UI will fill these values out for you):
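# Both values are secrets: keep them out of source control and CI logs.
export AZURE_DEVOPS_TOKEN="..."  # Client Secret Value
export DD_API_KEY="..."          # Datadog API Key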
Then, replace the placeholders in the script below with your Datadog Site and Azure DevOps organization name to configure the necessary service hooks on your organization’s projects:
Click here to see our CLI that automates this process.
Repositories from GitLab instances are supported in closed Preview. Join the Preview.
If GitLab is your source code management provider, before you can begin installation, you must request access to the closed Preview using the form above. After being granted access, follow these instructions to complete the setup process.
If you are using another source code management provider, configure SCA to run in your CI pipelines using the datadog-ci CLI tool and upload the results to Datadog.
Authentication
To upload results to Datadog, you must be authenticated. To ensure you’re authenticated, configure the following environment variables:
Name
Description
Required
Default
DD_API_KEY
Your Datadog API key. This key is created by your Datadog organization and should be stored as a secret.
Yes
DD_APP_KEY
Your Datadog application key. This key, created by your Datadog organization, should include the code_analysis_read scope and be stored as a secret.
Yes
DD_SITE
The Datadog site to send information to (for example, datadoghq.com).
No
datadoghq.com
Running options
There are two ways to run SCA scans from within your CI Pipelines:
You can run SCA scans automatically as part of your CI/CD workflows using built-in integrations for popular CI providers.
GitHub Actions
SCA can run as a job in your GitHub Actions workflows. The action provided below invokes Datadog’s recommended SBOM tool, Datadog SBOM Generator, on your codebase and uploads the results into Datadog.
Add the following code snippet in .github/workflows/datadog-sca.yml.
Make sure to replace the dd_site attribute with the Datadog site you are using.
datadog-sca.yml
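on: [push]
name: Datadog Software Composition Analysis
jobs:
  software-composition-analysis:
    runs-on: ubuntu-latest
    name: Datadog SBOM Generation and Upload
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Check imported libraries are secure and compliant
        id: datadog-software-composition-analysis
        # "main" is a mutable branch reference, so the code this step runs can
        # change between workflow runs. For a reviewable supply chain, pin the
        # action to a release tag or a full commit SHA you have verified.
        uses: DataDog/datadog-sca-github-action@main
        with:
          # Store both keys as repository or organization secrets; never inline them.
          dd_api_key: ${{ secrets.DD_API_KEY }}
          dd_app_key: ${{ secrets.DD_APP_KEY }}
          # Replace with the Datadog site you are using.
          dd_site: "datadoghq.com"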
To add a new pipeline in Azure DevOps, go to Pipelines > New Pipeline, select your repository, and then create/select a pipeline.
Add the following content to your Azure DevOps pipeline YAML file:
datadog-sca.yml
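trigger:
  branches:
    include:
      # Optionally specify a specific branch to trigger on when merging
      - "*"
pr:
  branches:
    include:
      - "*"
variables:
  # Variable group holding DD_API_KEY and DD_APP_KEY as secret variables.
  - group: "Datadog"
jobs:
  - job: DatadogSoftwareCompositionAnalysis
    displayName: "Datadog Software Composition Analysis"
    steps:
      - script: |
          npm install -g @datadog/datadog-ci
          # This URL always resolves to the newest release, so the scanner binary can
          # change between pipeline runs. Pin a specific release for reproducible
          # builds and verify the downloaded archive before executing it.
          export DATADOG_OSV_SCANNER_URL="https://github.com/DataDog/datadog-sbom-generator/releases/latest/download/datadog-sbom-generator_linux_amd64.zip"
          mkdir -p /tmp/datadog-sbom-generator
          # -f makes curl fail on an HTTP error instead of saving the error page as the archive.
          curl -fL -o /tmp/datadog-sbom-generator/datadog-sbom-generator.zip "$DATADOG_OSV_SCANNER_URL"
          unzip /tmp/datadog-sbom-generator/datadog-sbom-generator.zip -d /tmp/datadog-sbom-generator
          chmod 755 /tmp/datadog-sbom-generator/datadog-sbom-generator
          /tmp/datadog-sbom-generator/datadog-sbom-generator scan --output=/tmp/sbom.json .
          datadog-ci sbom upload /tmp/sbom.json
        env:
          DD_APP_KEY: $(DD_APP_KEY)
          DD_API_KEY: $(DD_API_KEY)
          # Replace with the Datadog site you are using.
          DD_SITE: datadoghq.com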
For all other providers, use the customizable script in the section below to run SCA scans and upload results to Datadog.
Run Via Customizable Script
If you use a different CI provider or want more control, you can run SCA scans using a customizable script. This approach lets you manually install and run the scanner, then upload results to Datadog from any environment.
For non-GitHub repositories, run your first scan on the default branch. If your branch name is custom (not master, main, default, stable, source, prod, or develop), upload once and set the default branch in Repository Settings.
Prerequisites:
Unzip
Node.js 14 or later
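# Abort on the first failing command or unset variable, so a failed download
# does not silently fall through to the unzip, scan and upload steps.
set -eu

# Set the Datadog site to send information to
export DD_SITE=""

# Install dependencies
npm install -g @datadog/datadog-ci

# Download the latest Datadog SBOM Generator:
# https://github.com/DataDog/datadog-sbom-generator/releases
# This URL resolves to the newest release at run time, so the binary can change
# between runs. For reproducible, reviewable builds, point it at a specific
# release and verify the downloaded archive against a checksum you recorded for it.
DATADOG_SBOM_GENERATOR_URL=https://github.com/DataDog/datadog-sbom-generator/releases/latest/download/datadog-sbom-generator_linux_amd64.zip

# Install Datadog SBOM Generator
mkdir -p /datadog-sbom-generator
# -f makes curl fail on an HTTP error instead of saving the error page as the archive.
curl -fL -o /datadog-sbom-generator/datadog-sbom-generator.zip "$DATADOG_SBOM_GENERATOR_URL"
unzip /datadog-sbom-generator/datadog-sbom-generator.zip -d /datadog-sbom-generator
chmod 755 /datadog-sbom-generator/datadog-sbom-generator

# Run Datadog SBOM Generator to scan your dependencies
/datadog-sbom-generator/datadog-sbom-generator scan --output=/tmp/sbom.json /path/to/repository

# Upload results to Datadog
datadog-ci sbom upload /tmp/sbom.json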
This script uses the Linux x86_64 datadog-sbom-generator. For other systems, update the download URL. See all releases here.
Upload third-party SBOM to Datadog
Datadog recommends using the Datadog SBOM generator, but it is also possible to ingest a third-party SBOM.
You can upload SBOMs generated by other tools if they meet these requirements:
Third-party SBOM files are uploaded to Datadog using the datadog-ci command.
You can use the following command to upload your third-party SBOM. Ensure the environment variables DD_API_KEY, DD_APP_KEY, and DD_SITE are set to your API key, application key, and Datadog site, respectively.
Datadog associates static code and library scan results with relevant services by using the following mechanisms:
Identifying the code location in the Software Catalog
The schema version v3 and later of the Software Catalog allows you to add the mapping of your code location for your service. The codeLocations section specifies the location of the repository containing the code and its associated paths.
The paths attribute is a list of globs that should match paths in the repository.
Datadog detects file usage in additional products such as Error Tracking and associates files with the runtime service. For example, if a service called foo has a log entry or a stack trace containing a file with the path /modules/foo/bar.py, the file /modules/foo/bar.py is associated with service foo.
Detecting service name in paths and repository names
Datadog detects service names in paths and repository names, and associates the file with the service if a match is found.
For a repository match, if there is a service called myservice and
the repository URL is https://github.com/myorganization/myservice.git, then,
it associates myservice to all files in the repository.
If no repository match is found, Datadog attempts to find a match in the
path of the file. If there is a service named myservice, and the path is /path/to/myservice/foo.py, the file is associated with myservice because the service name is part of the path. If two services are present
in the path, the service name closest to the filename is selected.
These methods are tried in the order listed above; once one of them succeeds, no further mapping attempts are made.
Link results to teams
Datadog automatically associates the team attached to a service when a violation or vulnerability is detected. For example, if the file domains/ecommerce/apps/myservice/foo.py is associated with myservice, then the team attached to myservice is associated with any violation detected in this file.
If no services or teams are found, Datadog uses the CODEOWNERS file in your repository. The CODEOWNERS file determines which team owns a file in your Git provider.
Note: You must accurately map your Git provider teams to your Datadog teams for this feature to function properly.