---
title: Set up SCA with GitLab CI/CD
description: >-
  Use Datadog Software Composition Analysis with GitLab CI/CD to detect
  vulnerabilities in open-source libraries.
---

# Set up SCA with GitLab CI/CD

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site).
{% /alert %}

{% /callout %}

Run a Datadog Software Composition Analysis (SCA) job in your GitLab CI/CD pipelines.

{% alert level="danger" %}
Datadog Software Composition Analysis CI jobs are only supported on `push` event triggers. Other event triggers (for example, `pull_request`) are not supported and can cause issues with the product.
{% /alert %}

## Environment variables{% #environment-variables %}

Configure the following environment variables in your GitLab CI/CD settings.

| Name         | Description                                                                                                                                                                                                                   | Required | Default         |
| ------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | --------------- |
| `DD_API_KEY` | Your Datadog API key. This key is created by your [Datadog organization](https://docs.datadoghq.com/account_management/api-app-keys/) and should be stored as a secret.                                                       | Yes      |                 |
| `DD_APP_KEY` | Your Datadog application key. This key is created by your [Datadog organization](https://docs.datadoghq.com/account_management/api-app-keys/), must include the `code_analysis_read` scope, and should be stored as a secret. | Yes      |                 |
| `DD_SITE`    | The [Datadog site](https://docs.datadoghq.com/getting_started/site/) to send information to.                                                                                                                                  | No       | `datadoghq.com` |

## Set up the pipeline{% #set-up-the-pipeline %}

Add the following to your `.gitlab-ci.yml` file, or place it in an [`include`](https://docs.gitlab.com/ci/yaml/#include) section.

In the `.gitlab-ci.yml` file:

```yaml
# Ensure stages definition is only defined in the root .gitlab-ci.yml file.
stages:
  - software_composition_analysis

variables:
  DD_SITE: "datadoghq.com"
  DD_APP_KEY: "$DD_APP_KEY"
  DD_API_KEY: "$DD_API_KEY"

datadog_software_composition_analysis:
  stage: software_composition_analysis
  image: node:lts
  script:
    - apt-get update && apt-get install -y curl unzip
    - npm install -g @datadog/datadog-ci
    - export DATADOG_SBOM_GENERATOR_URL="https://github.com/DataDog/datadog-sbom-generator/releases/latest/download/datadog-sbom-generator_linux_amd64.zip"
    - mkdir -p /datadog-sbom-generator
    - curl -L -o /datadog-sbom-generator/datadog-sbom-generator.zip $DATADOG_SBOM_GENERATOR_URL
    - unzip /datadog-sbom-generator/datadog-sbom-generator.zip -d /datadog-sbom-generator
    - chmod 755 /datadog-sbom-generator/datadog-sbom-generator
    # Scanning the current repository; adjust the scan directory as needed.
    - /datadog-sbom-generator/datadog-sbom-generator scan --output=/tmp/sbom.json .
    - datadog-ci sbom upload /tmp/sbom.json
```

The snippet uses the x86_64 Linux version of Datadog's SBOM generator. If you're using a different OS or architecture, update the `DATADOG_SBOM_GENERATOR_URL` accordingly.
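
The pipeline above downloads the `latest` generator release and runs it in a job that holds `DD_API_KEY` and `DD_APP_KEY`. As an added example (not part of Datadog's documentation), the shell functions below pin a release tag and check the archive's SHA-256 before unpacking it. `SBOM_GENERATOR_TAG` and `SBOM_GENERATOR_SHA256` are hypothetical CI/CD variables you define yourself, and the tagged URL assumes GitHub's standard release-asset path.

```shell
# Added example (not from the Datadog docs): pin the SBOM generator release
# and verify its SHA-256 before unpacking. SBOM_GENERATOR_TAG and
# SBOM_GENERATOR_SHA256 are hypothetical variables you define yourself.

# Build the download URL for one release tag instead of "latest".
pinned_generator_url() {
    printf 'https://github.com/DataDog/datadog-sbom-generator/releases/download/%s/datadog-sbom-generator_linux_amd64.zip\n' "$1"
}

# Return 0 only if the file's SHA-256 equals the expected hex digest.
# Returns 2 for a malformed digest, 3 for a missing file, 1 on mismatch.
verify_sha256() {
    file="$1"
    expected="$2"
    case "$expected" in
        ""|*[!0-9a-fA-F]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    [ -f "$file" ] || return 3
    actual=$(sha256sum "$file" | cut -d ' ' -f 1) || return 3
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Download the pinned archive, verify it, and only then unpack it.
# Intended to replace the curl/unzip/chmod lines of the job's script.
fetch_pinned_generator() {
    dest="/datadog-sbom-generator"
    zip="$dest/datadog-sbom-generator.zip"
    if [ -z "${SBOM_GENERATOR_TAG:-}" ] || [ -z "${SBOM_GENERATOR_SHA256:-}" ]; then
        echo "SBOM_GENERATOR_TAG and SBOM_GENERATOR_SHA256 must be set" >&2
        return 1
    fi
    mkdir -p "$dest"
    curl -fsSL -o "$zip" "$(pinned_generator_url "$SBOM_GENERATOR_TAG")" || return 1
    if ! verify_sha256 "$zip" "$SBOM_GENERATOR_SHA256"; then
        echo "SBOM generator checksum mismatch; refusing to unpack it" >&2
        rm -f "$zip"
        return 1
    fi
    unzip -o "$zip" -d "$dest" && chmod 755 "$dest/datadog-sbom-generator"
}
```

Record the digest from a release you have reviewed and store it next to the tag, so that moving to a newer generator is a deliberate change to both values.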
