---
title: Tools Reference
description: >-
  Detailed reference for all tools available in the Datadog Code Security MCP
  Server, including parameters, required binaries, and output formats.
---

# Tools Reference

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site).
{% /alert %}

{% /callout %}

The [Datadog Code Security MCP Server](https://docs.datadoghq.com/security/code_security/dev_tool_int/mcp_server/) exposes the following tools for AI coding assistants and CLI usage. Each tool wraps one or more Datadog security binaries and accepts file paths or directories to scan.

{% alert level="info" %}
This MCP server is separate from the [Datadog MCP Server](https://docs.datadoghq.com/bits_ai/mcp_server), which provides cloud-based access to Datadog features and data. The Code Security MCP Server runs locally and focuses on code-level security scanning.
{% /alert %}
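
An MCP client invokes each tool documented below with a JSON-RPC 2.0 `tools/call` request. The following sketch is an added example, not code from Datadog: it checks arguments against the parameter tables on this page before building the request. The helper name `build_tool_call` and the sample paths are assumptions.

```python
import json

# Parameter tables from this page: parameter -> (JSON type as Python type, required)
TOOL_PARAMS = {
    "datadog_secrets_scan": {"file_paths": (list, True), "working_dir": (str, False)},
    "datadog_sca_scan": {"file_paths": (list, True), "working_dir": (str, False)},
    "datadog_iac_scan": {"file_paths": (list, True), "working_dir": (str, False)},
    "datadog_generate_sbom": {"path": (str, False), "working_dir": (str, False)},
}


def build_tool_call(tool, arguments, request_id=1):
    """Validate arguments client-side and return an MCP `tools/call` request.

    Hypothetical helper: the server performs its own validation; this only
    catches malformed calls before they are sent.
    """
    schema = TOOL_PARAMS.get(tool)
    if schema is None:
        raise ValueError(f"unknown tool: {tool}")
    unknown = set(arguments) - set(schema)
    if unknown:
        raise ValueError(f"unexpected parameters: {sorted(unknown)}")
    for name, (expected, required) in schema.items():
        if name not in arguments:
            if required:
                raise ValueError(f"missing required parameter: {name}")
            continue
        value = arguments[name]
        if not isinstance(value, expected):
            raise ValueError(f"{name} must be of type {expected.__name__}")
        if expected is list and not all(isinstance(p, str) for p in value):
            raise ValueError(f"{name} must be an array of strings")
    return {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
            "params": {"name": tool, "arguments": dict(arguments)}}


if __name__ == "__main__":
    # Constructed sample call: scan one service directory inside a repository.
    request = build_tool_call(
        "datadog_sca_scan",
        {"file_paths": ["services/api"], "working_dir": "/repo"},
    )
    print(json.dumps(request, indent=2))
```
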

## `datadog_secrets_scan`{% #datadog_secrets_scan %}

Detect hardcoded credentials, API keys, passwords, and tokens in source code and configuration files.

### Parameters{% #parameters %}

| Parameter     | Type            | Required | Description                                 |
| ------------- | --------------- | -------- | ------------------------------------------- |
| `file_paths`  | `array[string]` | Yes      | File paths or directories to scan           |
| `working_dir` | `string`        | No       | Base directory for resolving relative paths |

### Required binary{% #required-binary %}

`datadog-static-analyzer`

## `datadog_sca_scan`{% #datadog_sca_scan %}

Run Software Composition Analysis (SCA) to detect known vulnerabilities (CVEs) in your project's dependencies. This tool performs a two-step process:

1. Generates a Software Bill of Materials (SBOM) from the specified directories.
1. Scans the SBOM for known vulnerabilities using Datadog's vulnerability database.

### Parameters{% #parameters-1 %}

| Parameter     | Type            | Required | Description                                 |
| ------------- | --------------- | -------- | ------------------------------------------- |
| `file_paths`  | `array[string]` | Yes      | Directories to scan for dependencies        |
| `working_dir` | `string`        | No       | Base directory for resolving relative paths |

### Output{% #output %}

Vulnerabilities with CVE ID, severity, affected component, version, and description.

### Required binaries{% #required-binaries %}

`datadog-sbom-generator`, `datadog-security-cli`

## `datadog_iac_scan`{% #datadog_iac_scan %}

Detect misconfigurations, compliance issues, and security vulnerabilities in Infrastructure as Code (IaC) files.

### Parameters{% #parameters-2 %}

| Parameter     | Type            | Required | Description                                 |
| ------------- | --------------- | -------- | ------------------------------------------- |
| `file_paths`  | `array[string]` | Yes      | Directories containing IaC files to scan    |
| `working_dir` | `string`        | No       | Base directory for resolving relative paths |

### Output{% #output-1 %}

Security findings with severity, rule, file location, and remediation guidance.

### Required binary{% #required-binary-1 %}

`datadog-iac-scanner`

### Supported IaC formats{% #supported-iac-formats %}

- Terraform
- CloudFormation
- Kubernetes manifests
- Dockerfiles
- GitHub Actions

## `datadog_generate_sbom`{% #datadog_generate_sbom %}

Generate a comprehensive SBOM listing all software components, dependencies, versions, and licenses in a repository.

### Parameters{% #parameters-3 %}

| Parameter     | Type     | Required | Description                                                                |
| ------------- | -------- | -------- | -------------------------------------------------------------------------- |
| `path`        | `string` | No       | Path to repository or directory to analyze (defaults to current directory) |
| `working_dir` | `string` | No       | Base directory for the scan (defaults to current directory)                |

### Output{% #output-2 %}

JSON containing a summary (total components, breakdown by language/package manager, license statistics) and a detailed component list (name, version, type, license, package URL).

### Supported package managers{% #supported-package-managers %}

| Language   | Package managers                          |
| ---------- | ----------------------------------------- |
| .NET       | NuGet                                     |
| C++        | Conan                                     |
| Go         | Go modules                                |
| Java       | Gradle, Maven                             |
| JavaScript | npm, pnpm, Yarn                           |
| PHP        | Composer                                  |
| Python     | pdm, pipenv, poetry, requirements.txt, uv |
| Ruby       | Bundler                                   |
| Rust       | Cargo                                     |

{% alert level="info" %}
If the repository uses a package manager not listed above, or if the tool returns 0 components, the AI assistant can perform manual SBOM generation by reading manifest and lock files (`package.json`, `requirements.txt`, `go.mod`, `pom.xml`, `Gemfile.lock`, `Cargo.lock`, `composer.lock`, etc.) and extracting dependencies directly.
{% /alert %}
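
The manual fallback described above can be sketched for two of the listed files, `requirements.txt` and `go.mod`. This is an added example, not Datadog's implementation: the output field names are assumptions modelled on the Output section, the inputs are constructed, and license data is omitted because these files do not carry it.

```python
import re
from collections import Counter

# Constructed sample inputs; output field names are assumptions, not Datadog's schema.
REQUIREMENTS_TXT = """\
requests==2.31.0
Flask_Login==0.6.3  # inline comment
urllib3>=1.26
"""
GO_MOD = """\
module example.com/app
require (
    github.com/gorilla/mux v1.8.1
    golang.org/x/crypto v0.21.0 // indirect
)
require github.com/google/uuid v1.6.0
"""

def component(ptype, name, version):
    return {"name": name, "version": version, "type": ptype,
            "purl": f"pkg:{ptype}/{name}@{version}"}

def parse_requirements(text):
    """Return (components, skipped): only exact `==` pins name one version."""
    found, skipped = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9][\w.-]*)\s*==\s*([\w.!+-]+)", line)
        if m:
            name = re.sub(r"[-_.]+", "-", m.group(1)).lower()  # PEP 503 form
            found.append(component("pypi", name, m.group(2)))
        elif line:
            skipped.append(line)  # surfaced so gaps are reviewed, not hidden
    return found, skipped

def parse_go_mod(text):  # handles single-line and block `require` directives
    found, in_block = [], False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()
        m = re.fullmatch(r"(require\s+)?(\S+)\s+(v\S+)", line)
        if line in ("require (", ")"):
            in_block = line != ")"
        elif m and (in_block or m.group(1)):
            found.append(component("golang", m.group(2), m.group(3)))
    return found

def build_sbom(requirements_txt="", go_mod=""):
    pypi, skipped = parse_requirements(requirements_txt)
    components = pypi + parse_go_mod(go_mod)
    by_type = dict(Counter(c["type"] for c in components))
    return {"summary": {"total_components": len(components), "by_type": by_type,
                        "skipped_lines": skipped}, "components": components}
```

Unpinned ranges such as `urllib3>=1.26` are reported in `skipped_lines` instead of being guessed at, because a vulnerability match needs the exact resolved version from a lock file.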

## Further Reading{% #further-reading %}

- [Code Security MCP Server overview and setup](https://docs.datadoghq.com/security/code_security/dev_tool_int/mcp_server/)
- [Troubleshooting the Code Security MCP Server](https://docs.datadoghq.com/security/code_security/dev_tool_int/mcp_server/troubleshooting/)
