--- title: Set up SCA with GitHub Actions description: >- Use Datadog Software Composition Analysis with GitHub Actions to detect vulnerabilities in open-source libraries. breadcrumbs: >- Docs > Datadog Security > Code Security > Software Composition Analysis > Set up SCA in your repositories > Set up SCA with GitHub Actions --- # Set up SCA with GitHub Actions {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site). (). {% /alert %} {% /callout %} Run a Datadog Software Composition Analysis (SCA) job in your GitHub Actions workflows. The action invokes Datadog's recommended SBOM tool, [Datadog SBOM Generator](https://github.com/DataDog/datadog-sbom-generator), on your codebase and uploads the results to Datadog. {% alert level="danger" %} Datadog Software Composition Analysis CI jobs are only supported on `push` event triggers. Other event triggers (for example, `pull_request`) are not supported and can cause issues with the product. {% /alert %} ## Inputs{% #inputs %} You can set the following parameters for Software Composition Analysis. | Name | Description | Required | Default | | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | --------------- | | `dd_api_key` | Your Datadog API key. This key is created by your [Datadog organization](https://docs.datadoghq.com/account_management/api-app-keys/) and should be stored as a [secret](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository). | Yes | | `dd_app_key` | Your Datadog application key. This key is created by your [Datadog organization](https://docs.datadoghq.com/account_management/api-app-keys/), should include the `code_analysis_read` scope, and should be stored as a [secret](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository). | Yes | | `dd_site` | The [Datadog site](https://docs.datadoghq.com/getting_started/site/) to send information to. | No | `datadoghq.com` | ## Set up the workflow{% #set-up-the-workflow %} Create a file at `.github/workflows/datadog-sca.yml` with the following content. Replace the `dd_site` attribute with the [Datadog site](https://docs.datadoghq.com/getting_started/site/) you are using. In the `datadog-sca.yml` file: ```yaml on: [push] name: Datadog Software Composition Analysis jobs: software-composition-analysis: runs-on: ubuntu-latest name: Datadog SBOM Generation and Upload steps: - name: Checkout uses: actions/checkout@v3 - name: Check imported libraries are secure and compliant id: datadog-software-composition-analysis uses: DataDog/datadog-sca-github-action@main with: dd_api_key: ${{ secrets.DD_API_KEY }} dd_app_key: ${{ secrets.DD_APP_KEY }} dd_site: "datadoghq.com" ``` ## Related GitHub Actions{% #related-github-actions %} To analyze first-party code, use [Datadog Static Code Analysis (SAST)](https://docs.datadoghq.com/getting_started/code_security/?tab=datadoghosted#linking-services-to-code-violations-and-libraries) with the [`datadog-static-analyzer-github-action`](https://github.com/DataDog/datadog-static-analyzer-github-action).