Software Composition Analysis and GitHub Actions

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Run a Datadog Software Composition Analysis job in your GitHub Action workflows.

Library Inventory Generation

The GitHub Action generates an inventory of libraries automatically based on the libraries that are declared in your repository.

The GitHub Action works for the following languages and following files:

  • JavaScript/TypeScript: package-lock.json and yarn.lock
  • Python: requirements.txt (with version defined) and poetry.lock
  • Java: pom.xml
  • C#
  • Ruby
  • … and more languages (listed in the documentation)

Setup

Set up keys

Add DD_APP_KEY and DD_API_KEY as secrets in your GitHub Actions Settings.

Workflow

Add the following code snippet in .github/workflows/datadog-sca.yml.

on: [push]

name: Datadog Software Composition Analysis

jobs:
  software-composition-analysis:
    runs-on: ubuntu-latest
    name: Datadog SBOM Generation and Upload
    steps:
    - name: Checkout
      uses: actions/checkout@v3
    - name: Check imported libraries are secure and compliant
      id: datadog-software-composition-analysis
      uses: DataDog/datadog-sca-github-action@main
      with:
        dd_api_key: ${{ secrets.DD_API_KEY }}
        dd_app_key: ${{ secrets.DD_APP_KEY }}
        dd_service: my-app
        dd_env: ci
        dd_site:

Further Reading

Additional helpful documentation, links, and articles: