Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

If you experience issues setting up or configuring Datadog Code Security, use this page to start troubleshooting. If you continue to have trouble, contact Datadog Support.

Static Code Analysis (SAST)

For issues with the Datadog static analyzer, include the following information in a bug report to Datadog Support.

  • Your static-analysis.datadog.yml file
  • The output of your static analysis tool (such as a CLI) that is run locally or in a CI/CD pipeline
  • The SARIF file produced (if there are any available)
  • The URL of your repository (public or private)
  • The name of the branch you ran the analysis on
  • The exact command line used to run the Datadog Static Analyzer

Performance issues

If you are experiencing performance issues, you can enable the --performance-statistics flag when running the static analysis tool from the command line.

For performance issues, include the following information:

  • Your static-analysis.datadog.yml file
  • The output of your static analysis tool (such as a CLI) that is run locally or in a CI/CD pipeline
  • The URL of your repository (public or private)

Note: If you are using Static Analysis and GitHub Actions, set the enable_performance_statistics parameter to true.

Blocking issues

If you are experiencing issues unrelated to performance or if the Datadog Static Analyzer fails to exit, run the Datadog Static Analyzer with the --debug true --performance-statistics flag.

Getting a 403 error when running the analyzer

Ensure that the following variables are correctly specified: DD_APP_KEY, DD_API_KEY, and DD_SITE when running the analyzer and datadog-ci.

Issues with SARIF uploads

SARIF importing has been tested for Snyk, CodeQL, Semgrep, Checkov, Gitleaks, and Sysdig. Please reach out to Datadog Support if you experience any issues with other SARIF-compliant tools.

When uploading results from third-party static analysis tools to Datadog, ensure that they are in the interoperable Static Analysis Results Interchange Format (SARIF) Format. Node.js version 14 or later is required.

To upload a SARIF report, follow the steps below:

  1. Ensure the DD_API_KEY and DD_APP_KEY variables are defined.

  2. Optionally, set a DD_SITE variable (this default to datadoghq.com).

  3. Install the datadog-ci utility:

    npm install -g @datadog/datadog-ci
  4. Run the third-party static analysis tool on your code and output the results in the SARIF format.

  5. Upload the results to Datadog:

    datadog-ci sarif upload $OUTPUT_LOCATION

If reports are missing in Datadog, please define the following environment variables before invoking datadog-ci:

  • DD_GIT_REPOSITORY_URL: URL of the repository
  • DD_GIT_BRANCH: branch being committed to
  • DD_GIT_COMMIT_SHA: commit sha

SARIF file too large

We are filtering SARIF files that are too large. If your code is not being scanned because your SARIF file is too large, consider the following options:

  • Update your configuration to scan only specific directories.
  • Configure the analyzer to run only the rulesets necessary for your codebase.

Updating the configuration is done either in the Datadog application or using the static-analysis.datadog.yml file.

GLIBC_X.YY not found error message

If you run the static analyzer in your CI pipeline and get an error message similar to the following line:

version `GLIBC_X.YY' not found

It means that you are either:

  • running your CI pipeline with a Linux distribution that contains an old version of the glibc. In this case, Datadog recommends upgrading to the latest version. The analyzer always runs with the latest of Ubuntu/Debian based-systems.
  • running your CI pipeline with a Linux distribution that does not rely on the glibc (such as Alpine Linux). Instead, run your CI pipeline with a distribution that supports the latest version of the glibc (such as the stable version of Ubuntu).

Results are not being surfaced in the Datadog UI

If you are running Code Security on a non-GitHub repository, ensure that the first scan is ran on your default branch (for example, a branch name like master, main, prod, or production). After you commit on your default branch, non-default branches are analyzed. You can always configure your default branch in-app under Repository Settings.

If you are using Datadog’s analyzer, diff-aware scanning is enabled by default. If you running the tool within your CI pipeline, make sure that datadog-ci runs at the root of the repository being analyzed.

Diff-aware is not working

If diff-aware is not working with the Static Analyzer, ensure that:

  1. The default branch is specific to your repository.
  2. At least one revision with the same configuration (for example, same rulesets, same arguments, or only/ignore flags) has been pushed to the repository’s default branch.
  3. The current user can read the repository metadata. If they do not have the correct permissions, run this command: git config --global --add safe.directory <repo-path>.

You can also run datadog-static-analyzer with the --debug option to get more information.

Note: Diff-aware works only on feature branches. For more information, learn about the implementation details of diff-aware.

Software Composition Analysis

For issues with Datadog Software Composition Analysis (SCA), include the following information in a bug report to Datadog Support.

  • The output of your SCA tool (such as CLI) that is run locally or in a CI/CD pipeline
  • The SBOM file produced (if there are any available)
  • The URL of your repository (public or private)
  • The name of the branch you ran the analysis on
  • The list of dependency files in your repository (such as package-lock.json, requirements.txt, or pom.xml)

Issues with SBOM uploads

While the Datadog SBOM generator is recommended, Datadog supports the ingestion of any SBOM files. Please ensure your files adhere to either the Cyclone-DX 1.4 or Cyclone-DX 1.5 formats.

Ingestion of SBOM files is verified for the following third-party tools:

To ingest your SBOM file into Datadog, follow the steps below:

  1. Install the datadog-ci CLI (requires that Node.js is installed).
  2. Ensure that your DD_SITE, DD_API_KEY and DD_APP_KEY environment variables are set.
  3. Invoke the tool to upload the file to Datadog. Installing and invoking the tool can be done using these two commands:
# Install datadog-ci
npm install -g @datadog/datadog-ci

# Upload SBOM file
datadog-ci sbom upload /path/to/sbom-file.json

Results are not being surfaced in the Datadog UI

If you are running static scanning on a non-GitHub repository, ensure that the first scan is ran on your default branch (for example, a branch name like master, main, prod, or production). After you commit on your default branch, non-default branches are analyzed.

You can always configure your default branch in-app under Repository Settings.

No package detected for C# projects

Our SBOM generator, (osv-scanner), extracts dependencies from a packages.lock.json file. If you do not have this file, you can update your project definition to generate it. Follow these instructions to update your project definition to generate a packages.lock.json file.

The generated lock file is used by osv-scanner to extract dependencies and generate an SBOM.

No results from Datadog-hosted scans for a repository using git-lfs

Datadog-hosted scanning for Software Composition Analysis (SCA) does not support repositories that use Git Large File Storage (git-lfs). If your repository uses git-lfs, set up the analysis in a CI pipeline and upload the results to Datadog instead.

No vulnerabilities detected by Software Composition Analysis

There are a series of steps that must run successfully for vulnerability information to appear either in the Software Catalog Security view or in the Vulnerabilities explorer. It is important to check each step when investigating this issue.

Confirming runtime detection is enabled

If you have enabled runtime vulnerability detection on your services, you can use the metric datadog.apm.appsec_host to check if SCA is running.

  1. Go to Metrics > Summary in Datadog.
  2. Search for the metric datadog.apm.appsec_host. If the metric doesn’t exist, then there are no services running ASM. If the metric exists, the services are reported with the metric tags host and service.
  3. Select the metric, and in the Tags section, search for service to see which services are running ASM.

If you are not seeing datadog.apm.appsec_host, check the in-app instructions to confirm that all steps for the initial setup are complete.

Runtime application security data is sent with APM traces. See APM troubleshooting to confirm APM setup and check for connection errors.

Confirm tracer versions are updated

See the Application Security product set up documentation to validate you you are using the right version of the tracer. These minimum versions are required to start sending telemetry data that includes library information.

Ensure the communication of telemetry data

Ensure the DD_INSTRUMENTATION_TELEMETRY_ENABLED environment variable (DD_TRACE_TELEMETRY_ENABLED for Node.js) is set to true, or the corresponding system property for your language is enabled. For example in Java: -Ddd.instrumentation.telemetry.enabled=true.

Runtime Code Analysis (IAST)

Confirm IAST is enabled

Ensure the DD_IAST_ENABLED environment variable is set to true or the corresponding system property for your language is enabled.

Issues with Python and Flask instrumentation

If you’re running a Flask application, ensure that you are calling the ddtrace_iast_flask_patch() function at the top level of the module and before calling app.run(). For more information, see the Flask integration documentation.

Disabling Code Security capabilities

Disabling static repository scanning

To disable scanning Static Code Analysis (SAST) or static Software Composition Analysis:

  • If you are scanning GitHub repositories through Datadog-hosted scanning, navigate to Code Security > Setup, click Enable scanning for your repositories, and disable the toggles previously enabled for scanning either all connected repositories or each repository.
  • If you are scanning source code repositories through your CI pipelines, remove the relevant job(s) from your CI pipelines.

Disabling runtime SCA on your services

SCA can be enabled on your running services using one of the following two methods:

  • From the Datadog UI.
  • Manually, using the DD_APPSEC_SCA_ENABLED environment variable.

To disable SCA, you must use the same method you used to enable SCA.

Note: If you enabled SCA manually, you must disable it manually. You cannot disable it using the UI.

To disable SCA through the UI, you can:

  • Go to the Code Security Setup page and select Activate runtime detection of library vulnerabilities". In this table, you can disable services that were previously activated.


  • Go to Services, select Software Composition Analysis (SCA). Under Coverage, hover over a service’s SCA icon and then click Deactivate.
  • To disable Software Composition Analysis on your services in bulk, click the check box in the list header and then under Bulk Actions select Deactivate Software Composition Analysis (SCA) on x services.

To disable SCA manually:

  • Remove the DD_APPSEC_SCA_ENABLED=true environment variable from your application configuration, and restart your service. This does not apply to PHP applications.

Disabling Runtime Code Analysis (IAST)

To disable IAST, remove the DD_IAST_ENABLED=true environment variable from your application configuration or set it to false as DD_IAST_ENABLED=false, and restart your service.