---
title: Code Security MCP Server
description: >-
  Use the Datadog Code Security MCP server to run SAST, secrets detection, SCA,
  IaC scanning, and SBOM generation directly from your AI coding assistant.
---

# Code Security MCP Server

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site).
{% /alert %}

{% /callout %}

{% callout %}
##### Preview

Datadog Code Security MCP Server is in Preview.
{% /callout %}

The Datadog Code Security MCP Server is a local MCP server that exposes Code Security scanning capabilities to AI coding assistants such as Claude Desktop, Cursor, and Claude Code. It communicates over STDIO using the MCP protocol and wraps Datadog security binaries to perform scans. It can also be used as a CLI tool.

{% alert level="info" %}
This MCP server is separate from the [Datadog MCP Server](https://docs.datadoghq.com/bits_ai/mcp_server), which provides cloud-based access to Datadog features and data. The Code Security MCP Server runs locally and focuses on code-level security scanning.
{% /alert %}

## Available tools{% #available-tools %}

The MCP server exposes the following tools that AI coding assistants can call to run security scans on your codebase:

| Tool                                                                                                                                        | Description                              | Auth Required |
| ------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------- | ------------- |
| [`datadog_secrets_scan`](https://docs.datadoghq.com/security/code_security/dev_tool_int/mcp_server/tools_reference/#datadog_secrets_scan)   | Hardcoded secrets detection              | Yes           |
| [`datadog_sca_scan`](https://docs.datadoghq.com/security/code_security/dev_tool_int/mcp_server/tools_reference/#datadog_sca_scan)           | Dependency vulnerability scanning (CVEs) | Yes           |
| [`datadog_iac_scan`](https://docs.datadoghq.com/security/code_security/dev_tool_int/mcp_server/tools_reference/#datadog_iac_scan)           | Infrastructure-as-Code security scanning | Yes           |
| [`datadog_generate_sbom`](https://docs.datadoghq.com/security/code_security/dev_tool_int/mcp_server/tools_reference/#datadog_generate_sbom) | Software Bill of Materials generation    | No            |

For detailed parameters, required binaries, and output formats for each tool, see the [Tools Reference](https://docs.datadoghq.com/security/code_security/dev_tool_int/mcp_server/tools_reference/).

## Setup{% #setup %}

### Prerequisites{% #prerequisites %}

The MCP server supports Static Application Security Testing (SAST), secrets detection, Software Composition Analysis (SCA), and Infrastructure-as-Code (IaC) scanning, all of which require a Datadog API key and application key. For instructions on creating them, see [API and Application Keys](https://docs.datadoghq.com/account_management/api-app-keys/).

### Install the MCP server{% #install-the-mcp-server %}

The MCP server is available on the following platforms:

| Platform | Architectures    |
| -------- | ---------------- |
| macOS    | `amd64`, `arm64` |
| Linux    | `amd64`, `arm64` |
| Windows  | `amd64`          |

#### Homebrew (recommended){% #homebrew-recommended %}

```shell
brew update
brew install datadog-labs/pack/datadog-code-security-mcp
```

#### GitHub releases{% #github-releases %}

```shell
curl -L "https://github.com/datadog-labs/datadog-code-security-mcp/releases/latest/download/datadog-code-security-mcp-$(uname -s | tr '[:upper:]' '[:lower:]')-$(uname -m).tar.gz" | tar xz
sudo install -m 755 datadog-code-security-mcp /usr/local/bin/
```

Run the following command to verify the installation:

```shell
datadog-code-security-mcp version
```

### Install security binaries{% #install-security-binaries %}

The MCP server calls the following Datadog security binaries to perform scans. Install the ones you need for the scan types you want to use:

| Binary                    | Used For      | Install Method                                                                |
| ------------------------- | ------------- | ----------------------------------------------------------------------------- |
| `datadog-static-analyzer` | SAST, Secrets | `brew install datadog-static-analyzer`                                        |
| `datadog-sbom-generator`  | SBOM, SCA     | [GitHub releases](https://github.com/DataDog/datadog-sbom-generator/releases) |
| `datadog-security-cli`    | SCA           | `brew install --cask datadog/tap/datadog-security-cli`                        |
| `datadog-iac-scanner`     | IaC           | [GitHub releases](https://github.com/DataDog/datadog-iac-scanner/releases)    |

{% alert level="info" %}
`datadog-sbom-generator` and `datadog-security-cli` are not available on Windows. `datadog-iac-scanner` is not available on macOS `amd64`.
{% /alert %}

### Configure your client{% #configure-your-client %}

Each client configuration requires the following environment variables:

| Variable     | Required | Description                                                                                         |
| ------------ | -------- | --------------------------------------------------------------------------------------------------- |
| `DD_API_KEY` | Yes*     | Your [Datadog API key](https://docs.datadoghq.com/account_management/api-app-keys/)                 |
| `DD_APP_KEY` | Yes*     | Your [Datadog application key](https://docs.datadoghq.com/account_management/api-app-keys/)         |
| `DD_SITE`    | No       | Your [Datadog site](https://docs.datadoghq.com/getting_started/site/) (defaults to `datadoghq.com`) |

\*Required for SAST, Secrets, SCA, and IaC scanning. SBOM generation works without authentication.

{% tab title="Claude Code" %}
Use the Claude CLI to add the MCP server:

```shell
claude mcp add datadog-code-security \
  -e DD_API_KEY=<your-api-key> \
  -e DD_APP_KEY=<your-app-key> \
  -e DD_SITE=datadoghq.com \
  -- datadog-code-security-mcp start
```

Verify the configuration:

```shell
claude mcp list | grep datadog-code-security
```

{% /tab %}

{% tab title="Claude Desktop" %}
Add the following to your Claude Desktop configuration file:

- **macOS:** `~/Library/Application Support/Claude/claude_desktop_config.json`
- **Windows:** `%APPDATA%\Claude\claude_desktop_config.json`

```json
{
    "mcpServers": {
        "datadog-code-security": {
            "command": "datadog-code-security-mcp",
            "args": ["start"],
            "env": {
                "DD_API_KEY": "<your-api-key>",
                "DD_APP_KEY": "<your-app-key>",
                "DD_SITE": "datadoghq.com"
            }
        }
    }
}
```

{% /tab %}

{% tab title="Cursor" %}
Add the following to your Cursor MCP settings (`~/.cursor/mcp.json`):

```json
{
    "mcpServers": {
        "datadog-code-security": {
            "command": "datadog-code-security-mcp",
            "args": ["start"],
            "env": {
                "DD_API_KEY": "<your-api-key>",
                "DD_APP_KEY": "<your-app-key>",
                "DD_SITE": "datadoghq.com"
            }
        }
    }
}
```

{% /tab %}

{% tab title="VS Code" %}
Add the following to your VS Code settings (`.vscode/settings.json` or user settings):

```json
{
    "mcp": {
        "servers": {
            "datadog-code-security": {
                "command": "datadog-code-security-mcp",
                "args": ["start"],
                "env": {
                    "DD_API_KEY": "<your-api-key>",
                    "DD_APP_KEY": "<your-app-key>",
                    "DD_SITE": "datadoghq.com"
                }
            }
        }
    }
}
```

{% /tab %}

{% tab title="Other" %}
For any other MCP-compatible client, use the following configuration pattern:

- **Command:** `datadog-code-security-mcp`
- **Arguments:** `["start"]`
- **Transport:** STDIO
- **Environment variables:** `DD_API_KEY`, `DD_APP_KEY`, `DD_SITE`

{% /tab %}
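
The client files above hold `DD_API_KEY` and `DD_APP_KEY` in plain text, so leftover placeholders and loose file permissions are worth checking after setup. The following Python audit is an added example, not part of the Datadog documentation or tooling: the function names and finding labels are hypothetical, the sample configuration is constructed, and it assumes strict JSON (no comments) on a POSIX file system.

```python
import json
import os
import stat
import tempfile

SERVER = "datadog-code-security"
KEY_VARS = ("DD_API_KEY", "DD_APP_KEY")

def server_env(config):
    """Find the server's env block in either JSON layout shown on this page."""
    for servers in (config.get("mcpServers", {}),               # Claude Desktop, Cursor
                    config.get("mcp", {}).get("servers", {})):  # VS Code
        if SERVER in servers:
            return servers[SERVER].get("env", {})
    return None

def audit(path):
    """Return a list of findings (hypothetical labels) for one client config file."""
    with open(path, encoding="utf-8") as fh:
        env = server_env(json.load(fh))
    if env is None:
        return ["server-not-configured"]
    findings, has_real_key = [], False
    for var in KEY_VARS:
        value = str(env.get(var) or "")
        if not value:
            findings.append(f"{var}:missing")
        elif value.startswith("<") and value.endswith(">"):
            findings.append(f"{var}:placeholder")  # template text never replaced
        else:
            has_real_key = True
    # A file that holds a real key should be readable by its owner only.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if has_real_key and mode & 0o077:
        findings.append(f"mode:{mode:03o}")
    return findings

def demo():
    """Audit a constructed VS Code-style config before and after chmod 600."""
    env = {"DD_API_KEY": "constructed-not-a-real-key", "DD_APP_KEY": "<your-app-key>"}
    sample = {"mcp": {"servers": {SERVER: {"command": "datadog-code-security-mcp", "env": env}}}}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "settings.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)
        before = audit(path)
        os.chmod(path, 0o600)
        return before, audit(path)
```

Call `audit()` on each client file listed in the tabs above; an empty list means both keys are set and the file is readable by its owner only.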

## Usage examples{% #usage-examples %}

### AI assistant prompts{% #ai-assistant-prompts %}

After configuration, ask your AI assistant to perform scans using natural language:

| Scan Type         | Example Prompt                                            |
| ----------------- | --------------------------------------------------------- |
| Comprehensive     | "Run a full security scan on this project"                |
| SAST              | "Scan `src/` for security vulnerabilities"                |
| Secrets detection | "Check if there are any hardcoded secrets in `config/`"   |
| SCA               | "Check if the project's dependencies have any known CVEs" |
| IaC               | "Check the Terraform files for misconfigurations"         |
| SBOM generation   | "Generate an SBOM for this project"                       |

### CLI commands{% #cli-commands %}

The MCP server can also be used directly as a CLI tool.

Run a comprehensive scan across all scan types:

```shell
datadog-code-security-mcp scan all ./src
```

Run individual scan types:

```shell
datadog-code-security-mcp scan sast ./src
datadog-code-security-mcp scan secrets ./config
datadog-code-security-mcp scan sca ./
datadog-code-security-mcp scan iac ./terraform
```

Generate an SBOM:

```shell
datadog-code-security-mcp generate-sbom .
```

Add `--json` to any command for JSON output:

```shell
datadog-code-security-mcp scan all ./src --json
datadog-code-security-mcp generate-sbom . --json
```

## Further Reading{% #further-reading %}

- [Identify common security risks in MCP servers](https://www.datadoghq.com/blog/monitor-mcp-servers/)
- [Datadog MCP Server for cloud-based access to Datadog features](https://docs.datadoghq.com/bits_ai/mcp_server)
