---
title: Set up SCA with Generic CI Providers
description: >-
  Use Datadog Software Composition Analysis with any CI provider to detect
  vulnerabilities in open-source libraries.
---

# Set up SCA with Generic CI Providers

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site).
{% /alert %}

{% /callout %}

Use the customizable script below to install and run the scanner manually in generic CI environments, then upload results to Datadog. For GitHub Actions, GitLab CI/CD, and Azure DevOps, see the provider-specific setup instructions.

{% alert level="info" %}
For non-GitHub repositories, if you use a custom branch name (not master, main, default, stable, source, prod, or develop), upload once, then set the default branch in [Repository Settings](https://app.datadoghq.com/source-code/repositories).
{% /alert %}

## Environment variables{% #environment-variables %}

| Name         | Description                                                                                                                                                                                                                   | Required | Default         |
| ------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | --------------- |
| `DD_API_KEY` | Your Datadog API key. This key is created by your [Datadog organization](https://docs.datadoghq.com/account_management/api-app-keys/) and should be stored as a secret.                                                       | Yes      |                 |
| `DD_APP_KEY` | Your Datadog application key. This key is created by your [Datadog organization](https://docs.datadoghq.com/account_management/api-app-keys/), must include the `code_analysis_read` scope, and should be stored as a secret. | Yes      |                 |
| `DD_SITE`    | The [Datadog site](https://docs.datadoghq.com/getting_started/site/) to send information to.                                                                                                                                  | No       | `datadoghq.com` |

## Prerequisites{% #prerequisites %}

- Unzip
- Node.js 14 or later

## Install and run the scanner{% #install-and-run-the-scanner %}

```bash
# DD_API_KEY and DD_APP_KEY must already be set in the environment,
# supplied from your CI provider's secret store (see the table above)

# Set the Datadog site to send information to
export DD_SITE="<YOUR_DATADOG_SITE>"

# Install dependencies
npm install -g @datadog/datadog-ci

# Download the latest Datadog SBOM Generator:
# https://github.com/DataDog/datadog-sbom-generator/releases
DATADOG_SBOM_GENERATOR_URL="https://github.com/DataDog/datadog-sbom-generator/releases/latest/download/datadog-sbom-generator_linux_amd64.zip"

# Install Datadog SBOM Generator
# -p: do not fail if the directory already exists on a reused runner
mkdir -p /datadog-sbom-generator
# --fail: exit non-zero on an HTTP error instead of saving the error page as the zip
curl --fail -L -o /datadog-sbom-generator/datadog-sbom-generator.zip "$DATADOG_SBOM_GENERATOR_URL"
unzip /datadog-sbom-generator/datadog-sbom-generator.zip -d /datadog-sbom-generator
chmod 755 /datadog-sbom-generator/datadog-sbom-generator

# Run Datadog SBOM Generator to scan your dependencies
/datadog-sbom-generator/datadog-sbom-generator scan --output=/tmp/sbom.json /path/to/repository

# Upload results to Datadog
datadog-ci sbom upload /tmp/sbom.json
```

The snippet uses the x86_64 Linux version of Datadog's SBOM generator. If you're using a different OS or architecture, update `DATADOG_SBOM_GENERATOR_URL` accordingly. All builds are listed on the [releases page](https://github.com/DataDog/datadog-sbom-generator/releases).
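The install step above downloads whatever `latest` resolves to at build time and executes it without an integrity check. As an added example (not part of Datadog's documentation), the variant below pins a release tag and compares the archive's SHA-256 digest before unpacking. `SBOM_GENERATOR_TAG`, `SBOM_GENERATOR_SHA256`, and both function names are assumptions, and the digest is one you recorded yourself when vetting that release.

```shell
#!/usr/bin/env bash
# Added example: pin the SBOM generator release and verify the archive before use.
# SBOM_GENERATOR_TAG / SBOM_GENERATOR_SHA256 are assumed CI variable names,
# not settings defined by Datadog.

# Return 0 only if FILE's SHA-256 digest equals EXPECTED (hex, any case).
# Return 2 if EXPECTED is not a well-formed 64-digit hex digest (including empty).
verify_sha256() {
  local file expected actual
  file="$1"
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  case "$expected" in
    *[!0-9a-f]*) echo "expected digest is not hex" >&2; return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "expected digest must be 64 hex digits" >&2; return 2; }
  if command -v sha256sum >/dev/null 2>&1; then
    actual="$(sha256sum "$file" | awk '{print $1}')"
  else
    actual="$(shasum -a 256 "$file" | awk '{print $1}')"   # macOS runners
  fi
  [ "$actual" = "$expected" ]
}

# Download a pinned release, verify it, then unpack. Nothing is extracted on mismatch.
install_sbom_generator() {
  local tag sha256 dest url zip
  tag="$1"; sha256="$2"; dest="${3:-/datadog-sbom-generator}"
  # GitHub serves a specific release's assets under releases/download/<tag>/
  url="https://github.com/DataDog/datadog-sbom-generator/releases/download/${tag}/datadog-sbom-generator_linux_amd64.zip"
  zip="$dest/datadog-sbom-generator.zip"
  mkdir -p "$dest" || return 1
  curl --fail --silent --show-error --location -o "$zip" "$url" || return 1
  if ! verify_sha256 "$zip" "$sha256"; then
    echo "checksum mismatch for $url; refusing to unpack" >&2
    rm -f "$zip"
    return 1
  fi
  unzip -o "$zip" -d "$dest" && chmod 755 "$dest/datadog-sbom-generator"
}

# Runs only when both pins are provided (for example, as CI variables).
if [ -n "${SBOM_GENERATOR_TAG:-}" ] && [ -n "${SBOM_GENERATOR_SHA256:-}" ]; then
  install_sbom_generator "$SBOM_GENERATOR_TAG" "$SBOM_GENERATOR_SHA256"
fi
```

Updating the generator then becomes a reviewed change to the two pinned values rather than an implicit change on the next pipeline run.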
