This product is not supported for your selected
Datadog site. (
).
The Datadog Code Security MCP Server exposes the following tools for AI coding assistants and CLI usage. Each tool wraps one or more Datadog security binaries and accepts file paths or directories to scan.
This MCP server is separate from the
Datadog MCP Server, which provides cloud-based access to Datadog features and data. The Code Security MCP Server runs locally and focuses on code-level security scanning.
datadog_code_security_scan
Run a comprehensive security scan combining Static Application Security Testing (SAST), secrets detection, Software Composition Analysis (SCA), and Infrastructure-as-Code (IaC) scanning. All scan types execute in parallel for maximum performance.
Parameters
| Parameter | Type | Required | Description |
|---|
file_paths | array[string] | Yes | File paths or directories to scan (relative to working_dir) |
working_dir | string | No | Base directory for resolving relative paths (defaults to current directory) |
Required binaries
datadog-static-analyzer, datadog-sbom-generator, datadog-security-cli, datadog-iac-scanner
datadog_sast_scan
Run SAST to detect security vulnerabilities in source code, such as SQL injection, XSS, path traversal, and insecure cryptography.
Parameters
| Parameter | Type | Required | Description |
|---|
file_paths | array[string] | Yes | File paths or directories to scan |
working_dir | string | No | Base directory for resolving relative paths |
Required binary
datadog-static-analyzer
datadog_secrets_scan
Detect hardcoded credentials, API keys, passwords, and tokens in source code and configuration files.
Parameters
| Parameter | Type | Required | Description |
|---|
file_paths | array[string] | Yes | File paths or directories to scan |
working_dir | string | No | Base directory for resolving relative paths |
Required binary
datadog-static-analyzer
datadog_sca_scan
Run SCA to detect known vulnerabilities (CVEs) in your project’s dependencies. This tool performs a two-step process:
- Generates a Software Bill of Materials (SBOM) from the specified directories.
- Scans the SBOM for known vulnerabilities using Datadog’s vulnerability database.
Parameters
| Parameter | Type | Required | Description |
|---|
file_paths | array[string] | Yes | Directories to scan for dependencies |
working_dir | string | No | Base directory for resolving relative paths |
Output
Vulnerabilities with CVE ID, severity, affected component, version, and description.
Required binaries
datadog-sbom-generator, datadog-security-cli
datadog_iac_scan
Detect misconfigurations, compliance issues, and security vulnerabilities in IaC files.
Parameters
| Parameter | Type | Required | Description |
|---|
file_paths | array[string] | Yes | Directories containing IaC files to scan |
working_dir | string | No | Base directory for resolving relative paths |
Output
Security findings with severity, rule, file location, and remediation guidance.
Required binary
datadog-iac-scanner
- Terraform
- CloudFormation
- Kubernetes manifests
- Dockerfiles
- GitHub Actions
datadog_generate_sbom
Generate a comprehensive SBOM listing all software components, dependencies, versions, and licenses in a repository.
Parameters
| Parameter | Type | Required | Description |
|---|
path | string | No | Path to repository or directory to analyze (defaults to current directory) |
working_dir | string | No | Base directory for the scan (defaults to current directory) |
Output
JSON containing a summary (total components, breakdown by language/package manager, license statistics) and a detailed component list (name, version, type, license, package URL).
Supported package managers
| Language | Package managers |
|---|
| .NET | NuGet |
| C++ | Conan |
| Go | Go modules |
| Java | Gradle, Maven |
| JavaScript | npm, pnpm, Yarn |
| PHP | Composer |
| Python | pdm, pipenv, poetry, requirements.txt, uv |
| Ruby | Bundler |
| Rust | Cargo |
If the repository uses a package manager not listed above, or if the tool returns 0 components, the AI assistant can perform manual SBOM generation by reading lock files (package.json, requirements.txt, go.mod, pom.xml, Gemfile.lock, Cargo.lock, composer.lock, etc.) and extracting dependencies directly.
Further Reading
Additional helpful documentation, links, and articles:
