Static Analysis (SAST)


Overview

Static Code Analysis is Datadog’s Static Application Security Testing (SAST) capability. SAST is a clear-box software testing technique that analyzes a program’s pre-production source code without executing it; the program is “static” in the sense that it is not running while it is analyzed.

Static Code Analysis helps you identify security vulnerabilities and maintainability issues early in the software development life cycle (SDLC) to ensure only the highest quality, most secure code makes it to production.

Using Static Code Analysis provides organizations with the following benefits:

  • Applications become less vulnerable to security breaches over time, because new vulnerabilities are caught by SAST scans before the code reaches production.
  • Adhering to an organization’s code standards no longer requires guesswork, so your development team can ship compliant code without a significant impact on developer velocity.
  • Developers onboard faster, because Static Code Analysis helps an organization maintain a more readable codebase over time.

Set up Static Code Analysis

Static Code Analysis supports scanning for security vulnerabilities and poor coding practices in the following languages and technologies:

  • Python
  • JavaScript
  • TypeScript
  • Java
  • C#
  • Go
  • Ruby
  • PHP
  • Docker
  • Other

To get started, you can set up Static Code Analysis on the Code Security page or see the Setup documentation.

Integrate Static Analysis into your development lifecycle

CI providers

You can run Static Analysis on any CI platform provider of your choice. See provider-specific documentation to set up Static Code Analysis in your CI pipelines:
Source code management

During code reviews on GitHub, Datadog can automatically flag Static Analysis violations in pull requests by adding inline review comments on the relevant line(s) of code. When applicable, Datadog also provides suggested fixes that can be applied directly in the pull request. You can also open a pull request directly from Datadog to fix a vulnerability or quality issue.
IDEs

You can identify code vulnerabilities in real time as you edit a file in your Integrated Development Environment (IDE). See integration-specific documentation for more information:
Search and filter results

After you configure your CI pipelines to run the Datadog static analyzer, violations are summarized per repository on the Code Security Repositories page. Click on a repository to analyze Code Vulnerabilities and Code Quality results from Static Code Analysis.

To filter your results, use the facets to the left of the list, or search. Results can be filtered by service or team facets. For more information about how results are linked to Datadog services and teams, see Getting Started with Code Security.

Every row represents a violation. Each violation is associated with the specific commit and branch that is selected in the filters at the top of the page (by default, results are shown for the latest commit on the default branch of the repository you are viewing).

Click on a violation to open a side panel that contains information about the scope of the violation and where it originated.

The content of the violation is shown in tabs:

  • Details: A description of the violation and the lines of code that caused it. To see the offending code snippet, configure the Datadog GitHub App.
  • Remediation: One or more code fixes that can resolve the violation, with options for remediation.
  • Event: JSON metadata regarding the Static Analysis violation event.

Using suggested fixes

In Datadog Static Analysis, there are two types of suggested fixes:

  1. Default Suggested Fix: For simple violations like linting issues, the rule analyzer automatically provides templated fixes.
  2. AI Suggested Fix: For complex violations, fixes are typically not available beforehand. Instead, you can use AI Suggested Fixes, which use OpenAI’s GPT-4 to generate a suggested fix. You can choose between “Text” and “Unified Diff” fixes, which output plain-text instructions or a code change for resolving the violation, respectively.

The two types of fixes are distinguished visually in the UI with different labels.

  • Default Suggested Fixes
  • AI Suggested Fixes
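To make the mechanism behind the overview and the Default Suggested Fix concrete, here is an added, self-contained sketch of a rule-based static analyzer. It is illustrative code written for this page, not Datadog’s analyzer, and the rule identifiers (`weak-hash`, `shell-true`), the sample source, and the path `app.py` are all constructed for the example. It shows the three steps a SAST tool performs: parse the code into a syntax tree without executing it, match rules against that tree, and render templated fixes as a unified diff (the “code change” form of a suggested fix).

```python
"""Toy rule-based static analyzer (illustrative; not Datadog's analyzer)."""
import ast
import difflib
from dataclasses import dataclass

# Constructed sample to scan (not real project code): one weak hash, one shell=True call.
SAMPLE_SOURCE = """import hashlib
import subprocess

def digest(data):
    return hashlib.md5(data).hexdigest()

def run(cmd):
    return subprocess.run(cmd, shell=True)
"""


@dataclass
class Violation:
    rule_id: str   # hypothetical rule identifier, not a Datadog rule name
    line: int      # 1-based line of the offending call
    message: str
    before: str    # text fragment the templated fix replaces
    after: str     # replacement text


class RuleVisitor(ast.NodeVisitor):
    """Walk the syntax tree and record violations; the scanned code never runs."""

    def __init__(self):
        self.violations = []

    def visit_Call(self, node):
        func = node.func
        # Rule 1: hashlib.md5(...) -> templated fix swaps in sha256.
        if (isinstance(func, ast.Attribute) and func.attr == "md5"
                and isinstance(func.value, ast.Name) and func.value.id == "hashlib"):
            self.violations.append(Violation(
                "weak-hash", node.lineno,
                "MD5 is not collision resistant; use SHA-256",
                "hashlib.md5(", "hashlib.sha256("))
        # Rule 2: any call passing shell=True -> templated fix sets shell=False.
        for kw in node.keywords:
            if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                self.violations.append(Violation(
                    "shell-true", node.lineno,
                    "shell=True routes the command through a shell; prefer shell=False with an argument list",
                    "shell=True", "shell=False"))
        self.generic_visit(node)  # keep descending into nested calls


def scan(source):
    """Return the violations found in `source`, ordered by line number."""
    visitor = RuleVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.violations, key=lambda v: v.line)


def apply_fixes(source, violations):
    """Apply each templated fix to its own line only."""
    lines = source.splitlines(keepends=True)
    for v in violations:
        idx = v.line - 1
        lines[idx] = lines[idx].replace(v.before, v.after)
    return "".join(lines)


def unified_diff_fix(source, violations, path="app.py"):
    """Render the fixes as a unified diff, the code-change form of a suggested fix."""
    fixed = apply_fixes(source, violations)
    return "".join(difflib.unified_diff(
        source.splitlines(keepends=True), fixed.splitlines(keepends=True),
        fromfile=f"a/{path}", tofile=f"b/{path}"))


if __name__ == "__main__":
    found = scan(SAMPLE_SOURCE)
    for v in found:
        print(f"line {v.line}: [{v.rule_id}] {v.message}")
    print(unified_diff_fix(SAMPLE_SOURCE, found))
```

Templated fixes are mechanical text substitutions tied to a rule, which is why they suit simple, well-understood violations; the resulting diff is still something a developer reviews before it is committed or opened as a pull request, as in the workflow described below.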

Fixing a vulnerability or quality issue directly from Datadog

You can push a code change to fix an issue found by Static Code Analysis directly from a result in Datadog in two ways.

Opening a pull request

If your GitHub app’s Pull Requests permission is set to Read & Write, one-click remediation is enabled for all Static Code Analysis findings with an available suggested fix. For more information about setting up the GitHub integration, see GitHub Pull Requests.

Follow these steps to fix a vulnerability and open a pull request:

  1. View a specific SAST result in Code Security.
  2. Click Fix Violation in the side panel of the result.
  3. Select Open a Pull Request.
  4. Enter a pull request title and commit message.
  5. Click Create PR.

Committing directly to the current branch

You can also fix a vulnerability by committing directly to the branch the result was found on.

To commit a suggested fix:

  1. View a specific SAST result in Code Security.
  2. Click Fix Violation in the side panel of the result.
  3. Click Commit to current branch.

Customizing your configuration

To customize which Static Analysis rules are configured in your repositories, see the Setup documentation.

Reporting false positives

If you believe a specific violation is a false positive, you can flag it as a false positive with a reason for flagging, which sends a report to Datadog. Submissions are reviewed on a regular basis to improve ruleset quality over time.