---
title: Code Security
description: Datadog, the leading service for cloud-scale monitoring.
---

# Code Security

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md) ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Overview{% #overview %}

The Datadog extension for VS Code and Cursor helps you detect and fix security issues before you commit your changes. Static Code Analysis catches vulnerabilities, bugs, and maintainability issues. Secret Scanning finds exposed credentials such as API keys, tokens, and passwords.

## Static Code Analysis{% #static-code-analysis %}

The extension runs [Static Code Analysis](https://docs.datadoghq.com/security/code_security/static_analysis.md) rules on the source files in your workspace. It flags security vulnerabilities, bugs, and maintainability issues before you commit your changes.

Static Code Analysis supports many programming languages. For a complete list, see [Static Code Analysis Rules](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules.md). Issues are shown in the source code editor, and you can apply suggested fixes directly.

{% video
   url="https://docs.dd-static.net/images//ide_plugins/vscode/static_analysis.mp4" /%}

### Get started with Static Code Analysis{% #get-started-with-static-code-analysis %}

When you open a source file, the extension looks for [`static-analysis.datadog.yml`](https://github.com/DataDog/datadog-static-analyzer/blob/main/doc/legacy_config.md) at your repository root and prompts you to create one if it does not exist.

{% image
   source="https://docs.dd-static.net/images/ide_plugins/vscode/static-analysis-onboard.ef32fc573882fe234b1353ef48eaadfe.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/ide_plugins/vscode/static-analysis-onboard.ef32fc573882fe234b1353ef48eaadfe.png?auto=format&fit=max&w=850&dpr=2 2x"
   alt="Onboarding banner for setting up Static Code Analysis with Python files" /%}

After you create the configuration file, the analyzer runs automatically in the background when you open a file. To enable Static Code Analysis for a specific language, run the `Datadog: Configure Static Analysis Languages` command from the command palette (`Shift` + `Cmd/Ctrl` + `P`).

To analyze an entire folder or workspace, right-click a folder in the file explorer and select **Datadog Code Security > Analyze Folder** or **Analyze Workspace**.

### Rule editor{% #rule-editor %}

Write and test [custom Static Code Analysis rules](https://docs.datadoghq.com/security/code_security/static_analysis/custom_rules.md) without leaving your IDE. Use the rule editor to design detection logic for internal standards, security patterns, or maintainability checks specific to your codebase.

To open the rule editor, run the `Datadog: New DDSA Rule` command from the command palette (`Shift` + `Cmd/Ctrl` + `P`), or right-click a YAML file in the file explorer and select **Datadog Code Security > Open in DDSA Rule Editor**.

{% image
   source="https://docs.dd-static.net/images/ide_plugins/vscode/static-analysis-rule-editor.5d5f05a2a1c7c7f01858343988356f01.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/ide_plugins/vscode/static-analysis-rule-editor.5d5f05a2a1c7c7f01858343988356f01.png?auto=format&fit=max&w=850&dpr=2 2x"
   alt="SAST rule editor in the Datadog extension for VS Code" /%}

The rule editor provides the following panels:

- A **Tree-sitter query editor** for pattern matching against the abstract syntax tree.
- A **JavaScript rule panel** for expressing detection logic and reporting violations.
- **Compliant and non-compliant test files** that run against the rule as you edit, with expected and actual match counts shown in real time.
- An **AST tree view** showing how the parser represents your test code.

Import an existing rule from disk, or export a finished rule and upload it to Datadog.

## Secret Scanning{% #secret-scanning %}

The extension runs [Secret Scanning](https://docs.datadoghq.com/security/code_security/secret_scanning.md) on the source files in your workspace. It flags exposed credentials such as API keys, tokens, and passwords before you commit your changes. File contents are scanned locally, and findings are shown in the editor as you type.

{% video
   url="https://docs.dd-static.net/images//ide_plugins/vscode/secret_scanning.mp4" /%}

### Get started with Secret Scanning{% #get-started-with-secret-scanning %}

Secret Scanning is enabled by default and runs in the background whenever you open a source file. To scan an entire folder or workspace, right-click a folder in the file explorer and select **Datadog Code Security > Analyze Folder** or **Analyze Workspace**.

{% image
   source="https://docs.dd-static.net/images/ide_plugins/vscode/secret-scanning-batch-analysis.17e4daf34848f0a0665ce6cb3a489905.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/ide_plugins/vscode/secret-scanning-batch-analysis.17e4daf34848f0a0665ce6cb3a489905.png?auto=format&fit=max&w=850&dpr=2 2x"
   alt="Batch analysis report with a Secret Scanning section listing findings per file" /%}

No local configuration is required; the scan rules are fetched from Datadog. All text files are scanned, and binary files are skipped.

{% alert level="info" %}
Secret Scanning requires you to be signed in to Datadog, because detection rules are fetched from your Datadog organization.
{% /alert %}

### Review findings{% #review-findings %}

Detected secrets are shown in three places:

- **Inline in the editor**: Each finding appears as an underline on the detected secret, with severity derived from the rule's priority.
- **Problems panel**: All findings are listed with the source `Datadog`.
- **File Insights view**: Findings are grouped alongside other Code Security issues.

{% image
   source="https://docs.dd-static.net/images/ide_plugins/vscode/secret-scanning-findings.b79b1198f129354199db97c8ead4ce2d.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/ide_plugins/vscode/secret-scanning-findings.b79b1198f129354199db97c8ead4ce2d.png?auto=format&fit=max&w=850&dpr=2 2x"
   alt="A detected secret shown inline in the editor with a hover diagnostic, alongside the Problems panel and the File Insights view" /%}

### Suppress a finding{% #suppress-a-finding %}

To suppress an individual detection, use the code action for the flagged secret to insert a `no-dd-secrets` comment on the line above. The comment suppresses all secret findings on the following line.
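Because a suppression comment silences every secret finding on the next line, it is worth auditing where such comments sit. The following Node.js sketch is an added example, not code from the extension: it lists each `no-dd-secrets` comment with the line it covers and flags comments that cover nothing. The comment-marker regex, the function names, and the sample file and findings are assumptions constructed for illustration.

```javascript
// Added example: models the documented `no-dd-secrets` semantics
// (a comment on line N suppresses secret findings on line N+1).
// The comment-marker regex and all function names are assumptions.
const SUPPRESS = /^\s*(?:#|\/\/|\/\*|--|<!--)\s*no-dd-secrets\b/;

// Return one record per suppression comment: its 1-based line, the
// line it covers, and whether that covered line is missing or blank.
function listSuppressions(text) {
  const lines = text.split(/\r?\n/);
  const out = [];
  lines.forEach((line, i) => {
    if (!SUPPRESS.test(line)) return;
    const next = lines[i + 1];
    out.push({
      commentLine: i + 1,
      coveredLine: i + 2,
      coveredText: next === undefined ? null : next.trim(),
      dangling: next === undefined || next.trim() === "",
    });
  });
  return out;
}

// Split findings (objects with a 1-based `line`) into those still
// reported and those silenced by a suppression comment.
function applySuppressions(findings, text) {
  const covered = new Set(
    listSuppressions(text).filter((s) => !s.dangling).map((s) => s.coveredLine)
  );
  const reported = [], suppressed = [];
  for (const f of findings) (covered.has(f.line) ? suppressed : reported).push(f);
  return { reported, suppressed };
}

// Constructed sample file and findings; all values are placeholders.
const SAMPLE = [
  'import os',                                   // line 1
  '# no-dd-secrets',                             // line 2
  'TEST_KEY = "EXAMPLE-PLACEHOLDER-NOT-A-KEY"',  // line 3
  'API_KEY = "EXAMPLE-PLACEHOLDER-2"',           // line 4
  '# no-dd-secrets',                             // line 5 (covers a blank line)
  '',                                            // line 6
  'TOKEN = "EXAMPLE-PLACEHOLDER-3"',             // line 7
].join("\n");
const FINDINGS = [3, 4, 7].map((line) => ({ line, rule: "example-rule" }));

console.log(listSuppressions(SAMPLE));
console.log(applySuppressions(FINDINGS, SAMPLE));
```

A suppression reported as `dangling` has drifted away from the line it was meant to cover and can be removed during review.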

### Turn Secret Scanning on or off{% #turn-secret-scanning-on-or-off %}

To toggle Secret Scanning, run the `Datadog: Turn on Secret Scanning` or `Datadog: Turn off Secret Scanning` command from the command palette (`Shift` + `Cmd/Ctrl` + `P`), or change the `datadog.codeSecurity.setup.secretScanning.enabled` setting.

## Further reading{% #further-reading %}

- [Learn more about Code Security](https://docs.datadoghq.com/security/code_security.md)
- [Static Analysis Rules](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules.md)
- [Learn more about Secret Scanning](https://docs.datadoghq.com/security/code_security/secret_scanning.md)
