Run a Datadog Software Composition Analysis (SCA) job in your GitLab CI/CD pipelines.

Datadog Software Composition Analysis CI jobs are only supported on push event triggers. Other event triggers (for example, pull_request) are not supported and can cause issues with the product.

Environment variables

Configure the following environment variables in your GitLab CI/CD settings.

| Name | Description | Required | Default |
|---|---|---|---|
| DD_API_KEY | Your Datadog API key. This key is created by your Datadog organization and should be stored as a secret. | Yes | |
| DD_APP_KEY | Your Datadog application key. This key is created by your Datadog organization, must include the code_analysis_read scope, and should be stored as a secret. | Yes | |
| DD_SITE | The Datadog site to send information to. | No | datadoghq.com |

Set up the pipeline

Add the following to your .gitlab-ci.yml file, or place it in an include section.

.gitlab-ci.yml

# Ensure stages definition is only defined in the root .gitlab-ci.yml file.
stages:
  - software_composition_analysis

variables:
  DD_SITE: "datadoghq.com"
  DD_APP_KEY: "$DD_APP_KEY"
  DD_API_KEY: "$DD_API_KEY"

datadog_software_composition_analysis:
  stage: software_composition_analysis
  image: node:lts
  script:
    - apt-get update && apt-get install -y curl unzip
    - npm install -g @datadog/datadog-ci
    - export DATADOG_SBOM_GENERATOR_URL="https://github.com/DataDog/datadog-sbom-generator/releases/latest/download/datadog-sbom-generator_linux_amd64.zip"
    - mkdir -p /datadog-sbom-generator
    - curl -L -o /datadog-sbom-generator/datadog-sbom-generator.zip $DATADOG_SBOM_GENERATOR_URL
    - unzip /datadog-sbom-generator/datadog-sbom-generator.zip -d /datadog-sbom-generator
    - chmod 755 /datadog-sbom-generator/datadog-sbom-generator
    # Scanning the current repository; adjust the scan directory as needed.
    - /datadog-sbom-generator/datadog-sbom-generator scan --output=/tmp/sbom.json .
    - datadog-ci sbom upload /tmp/sbom.json

The snippet uses the x86_64 Linux version of Datadog’s SBOM generator. If you’re using a different OS or architecture, update the DATADOG_SBOM_GENERATOR_URL accordingly.
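
The job above downloads the generator zip and runs the binary inside it without an integrity check. As an added example (not part of Datadog's documentation), the helper below compares the downloaded zip with a SHA-256 digest recorded in advance and is meant to run between the curl and unzip steps. SBOM_GENERATOR_SHA256 is a hypothetical CI/CD variable, and the check assumes DATADOG_SBOM_GENERATOR_URL points at one specific release rather than latest, so the digest stays stable.

```shell
#!/bin/sh
# Added example (not from the Datadog docs): verify a downloaded archive
# against a SHA-256 digest recorded in advance, before unpacking or running it.

# sha256_of FILE -> prints the lowercase hex digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_archive FILE EXPECTED_HEX
# Returns 0 only if FILE exists and its digest equals EXPECTED_HEX
# (case-insensitive). Returns 2 on bad input, 1 on mismatch. On mismatch
# the file is deleted so a later step cannot unzip or execute it.
verify_archive() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    # Reject an empty or non-hex digest (for example, an unset CI variable).
    case $expected in
        *[!0-9a-f]*|'') echo "bad expected digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "bad expected digest length" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "sha256 mismatch for $file: got $actual" >&2
        rm -f "$file"
        return 1
    fi
}

# Usage inside the job's script section (SBOM_GENERATOR_SHA256 is hypothetical):
#   curl -fL -o /datadog-sbom-generator/datadog-sbom-generator.zip "$DATADOG_SBOM_GENERATOR_URL"
#   verify_archive /datadog-sbom-generator/datadog-sbom-generator.zip "$SBOM_GENERATOR_SHA256"
#   unzip /datadog-sbom-generator/datadog-sbom-generator.zip -d /datadog-sbom-generator
```

Because each script line in a GitLab job must succeed for the job to continue, a non-zero return from verify_archive stops the job before the unzip step.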