Overview
A Git hook is a program executed before a user commits code to a repository
or pushes code to a remote location. A Git hook is generally used to run verifications
and enforce requirements on the code before it is pushed to the remote branch.
Datadog Code Security provides a Git hook to check for static analysis
violations or secrets before code is pushed or committed. The Datadog Code Security Git hook
checks the code from the latest commit and the default branch and surfaces
any errors it detects.
The Datadog Git hook warns developers before they push any code
containing coding errors, vulnerabilities, or secrets. When you commit code with an
error, a prompt like the following appears in the user terminal:
Setup
- Download the datadog-git-hook program from the release page or the Datadog Static Analyzer releases.
- Install the program on your computer.
- Add a .git/hooks/pre-push file in the repository with the script below. Note: The script assumes the datadog-static-analyzer-git-hook binary is in /usr/local/bin/datadog-static-analyzer-git-hook.
```sh
#!/bin/sh
# Get the repo root path
repo_path=$(git rev-parse --show-toplevel)
# Make sure the user can provide some input (required for --confirmation)
exec < /dev/tty
# Replace <default-branch> with the repository's default branch name (for example, main).
# The repo path is quoted so paths containing spaces are passed as a single argument.
if /usr/local/bin/datadog-static-analyzer-git-hook -r "$repo_path" --static-analysis --secrets --confirmation --default-branch <default-branch>; then
  echo "datadog-static-analyzer check passed"
  exit 0
else
  echo "datadog-static-analyzer check failed"
  exit 1
fi
```
The program accepts the following parameters:
- `--confirmation`: Ask the user for confirmation to override the Git hook check.
- `--default-branch`: Specify the name of the default branch.
- `--static-analysis`: Enable static analysis.
- `--secrets`: Enable secrets detection (private beta).
- `--output <file>`: Export the findings found in the commit into a SARIF file.