GitHub Pull Requests

Overview

Code Security integrates with GitHub pull requests in two ways: Pull request comments to flag violations

Example of a Code Security comment on a pull request

To enable these features, ensure you have the required GitHub permissions (Read & Write) for your repository.

Set up Code Security for GitHub pull requests

Enable Datadog Code Security

To use Datadog Code Security, add the appropriate configuration files to your repository, as described in the setup instructions.

Configure a GitHub App

To use Code Security on GitHub, you can do one of the following:

  • Create a GitHub App in Datadog.
  • Update an existing GitHub App, if you have already created one in Datadog.

The permissions you grant to the GitHub App determine which GitHub integration features are available for setup.

Create and install a GitHub App

  1. In Datadog, navigate to Integrations > GitHub Applications > Add New GitHub Application.
  2. Fill out any required details, such as the GitHub organization name.
  3. Under Select Features, check the Code Security: Pull Request Review Comments box.
  4. Under Edit Permissions, verify that the Pull Requests permission is set to Read & Write.
  5. Click Create App in GitHub.
  6. Enter a name for your app, and submit it.
  7. Click Install GitHub App.
  8. Choose which repositories the app should be installed into, then click Install & Authorize.
GitHub App installation screen

Update an existing GitHub App

  1. In Datadog, navigate to Integrations > GitHub Applications, and search for the GitHub App you want to use for Code Security.
    Example of a Static Analysis comment on a pull request
  2. On the Features tab, look at the Code Security: Pull Request Comments section to determine whether your GitHub App needs additional permissions. If so, click Update permissions in GitHub to edit the app settings.
  3. Under Repository permissions, set the Pull Requests access to Read and write.
    The dropdown for the pull request read and write permission
  4. Under the Subscribe to events heading, check the Pull request box.
    The checkbox for the pull request review comment permission

Enable Code Security PR comments for your repositories

  1. In Datadog, navigate to Security > Code Security > Settings.
  2. In Enable scanning for your repositories, select Edit next to a given repository.
  3. Toggle Enable Static Analyis to on.

Note: If you are using GitHub Actions to run your scans, trigger the action on push in order for comments to appear.

Fixing a vulnerability directly from Datadog

If your GitHub app’s Pull Requests permission is set to Read & Write, one-click remediation is enabled for all Static Analysis findings with an available suggested fix.

Follow these steps to fix a vulnerability and open a pull request:

  1. Go to Code Security > Repositories.
  2. Click a repo.
  3. On the repo’s page, click the Code Vulnerabilities or Code Quality tabs.
  4. Click a violation.
  5. If a suggested fix is available for that violation, one-click remediation is available in the side panel.