Set up SCA with Generic CI Providers
Use the customizable script below to install and run the scanner manually in generic CI environments, then upload results to Datadog. For GitHub Actions, GitLab CI/CD, and Azure DevOps, see the provider-specific setup instructions.
For non-GitHub repositories, if you use a custom branch name (not master, main, default, stable, source, prod, or develop), upload once, then set the default branch in Repository Settings.
Environment variables
| Name | Description | Required | Default |
|---|---|---|---|
| DD_API_KEY | Your Datadog API key. This key is created by your Datadog organization and should be stored as a secret. | Yes | |
| DD_APP_KEY | Your Datadog application key. This key is created by your Datadog organization, must include the code_analysis_read scope, and should be stored as a secret. | Yes | |
| DD_SITE | The Datadog site to send information to. | No | datadoghq.com |
Prerequisites
Install and run the scanner
```shell
# DD_API_KEY and DD_APP_KEY must already be set in the environment (store them as CI secrets)

# Set the Datadog site to send information to (datadoghq.com is the default)
export DD_SITE="${DD_SITE:-datadoghq.com}"

# Install dependencies
npm install -g @datadog/datadog-ci

# Download the latest Datadog SBOM Generator:
# https://github.com/DataDog/datadog-sbom-generator/releases
DATADOG_SBOM_GENERATOR_URL=https://github.com/DataDog/datadog-sbom-generator/releases/latest/download/datadog-sbom-generator_linux_amd64.zip

# Install Datadog SBOM Generator (-f makes curl fail on an HTTP error instead of saving the error page)
mkdir -p /datadog-sbom-generator
curl -fL -o /datadog-sbom-generator/datadog-sbom-generator.zip "$DATADOG_SBOM_GENERATOR_URL"
unzip /datadog-sbom-generator/datadog-sbom-generator.zip -d /datadog-sbom-generator
chmod 755 /datadog-sbom-generator/datadog-sbom-generator

# Run Datadog SBOM Generator to scan your dependencies
/datadog-sbom-generator/datadog-sbom-generator scan --output=/tmp/sbom.json /path/to/repository

# Upload results to Datadog
datadog-ci sbom upload /tmp/sbom.json
```
The snippet uses the x86_64 Linux version of Datadog’s SBOM generator. If you’re using a different OS or architecture, update DATADOG_SBOM_GENERATOR_URL accordingly. See all releases at https://github.com/DataDog/datadog-sbom-generator/releases.
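The install step above downloads and executes whatever the release URL serves at build time. As an added example (not part of Datadog's script), the functions below unpack the archive only if its SHA-256 matches a digest you recorded yourself; the function names and the pin value are assumptions of this example.

```shell
# Added example, not Datadog's script. Function names and the pin are assumptions.

# Print the SHA-256 of a file with whichever tool the CI image provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d ' ' -f 1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d ' ' -f 1
  else
    echo "no SHA-256 tool found" >&2; return 2
  fi
}

# verify_archive FILE EXPECTED_HEX
# Succeeds only if FILE exists and its SHA-256 equals EXPECTED_HEX.
verify_archive() {
  va_file=$1; va_pin=$2
  [ -f "$va_file" ] || { echo "missing archive: $va_file" >&2; return 1; }
  # An empty or malformed pin must fail closed, never match by accident.
  case "$va_pin" in
    ''|*[!0-9a-fA-F]*) echo "pin is not a hex digest" >&2; return 1 ;;
  esac
  [ "${#va_pin}" -eq 64 ] || { echo "pin is not 64 hex chars" >&2; return 1; }
  va_actual=$(sha256_of "$va_file") || return 1
  va_pin=$(printf '%s' "$va_pin" | tr 'A-F' 'a-f')
  if [ "$va_actual" != "$va_pin" ]; then
    echo "SHA-256 mismatch for $va_file (got $va_actual)" >&2; return 1
  fi
}

# install_generator URL EXPECTED_HEX DEST_DIR
# Download, verify, then unpack. Nothing is extracted or made executable
# unless the digest check passes.
install_generator() {
  ig_zip=$(mktemp) || return 1
  curl -fsSL -o "$ig_zip" "$1" || { rm -f "$ig_zip"; return 1; }
  if ! verify_archive "$ig_zip" "$2"; then rm -f "$ig_zip"; return 1; fi
  if mkdir -p "$3" && unzip -o -q "$ig_zip" -d "$3" \
      && chmod 755 "$3/datadog-sbom-generator"; then ig_rc=0; else ig_rc=1; fi
  rm -f "$ig_zip"; return "$ig_rc"
}

# Usage in the pipeline (placeholder pin: record it from an archive you vetted):
#   install_generator "$DATADOG_SBOM_GENERATOR_URL" "<sha256-of-vetted-archive>" /datadog-sbom-generator
```

A pinned digest only stays valid against a fixed release, so point DATADOG_SBOM_GENERATOR_URL at a specific release from the releases page rather than `latest`; otherwise the check fails on every new release until the pin is updated.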