---
title: AI-Enhanced Static Code Analysis
description: Automate security decision-making across the entire static analysis lifecycle
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Static Code Analysis (SAST) >
  AI-Enhanced Static Code Analysis
---

# AI-Enhanced Static Code Analysis

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site).
{% /alert %}

{% /callout %}

Static Code Analysis (SAST) uses AI to help automate detection, validation, and remediation across the vulnerability management lifecycle. This page provides an overview of these features.

## Summary of AI features in SAST{% #summary-of-ai-features-in-sast %}

| Step of vulnerability management life cycle | Feature                                                                                                | Trigger Point                            | Impact                                                                        |
| ------------------------------------------- | ------------------------------------------------------------------------------------------------------ | ---------------------------------------- | ----------------------------------------------------------------------------- |
| Detection                                   | Malicious PR protection: Detect potentially malicious changes or suspicious diffs                      | At PR time                               | Flags PRs introducing novel risky code                                        |
| Detection                                   | AI-native SAST: LLM-based taint analysis to detect security vulnerabilities with higher accuracy       | At scan time (Datadog Hosted Scans only) | Identifies contextually complex vulnerabilities missed by rule-based analysis |
| Validation                                  | False positive filtering: Deprioritize low-likelihood findings                                         | After scan                               | Reduce noise, allow focus on actual issues                                    |
| Remediation                                 | Batched remediation: Generate suggested fixes (and optionally PRs) for one or multiple vulnerabilities | After scan                               | Reduces developer effort, accelerates fix cycle                               |

## Detection{% #detection %}

{% callout %}
##### Join the Preview!

Malicious PR protection is in Preview and supports GitHub repositories only. Click **Request Access** and complete the form.

[Request Access](https://www.datadoghq.com/product-preview/malicious-pr-protection/)
{% /callout %}

Malicious PR protection uses LLMs to detect and prevent malicious code changes at scale. By scanning pull requests (PRs) submitted to the default branches of your repositories to detect potentially malicious intent, this functionality helps you:

- Secure code changes from both internal and external contributors
- Scale your code reviews as the volume of AI-assisted code changes increases
- Embed code security into your security incident response workflows

### Detection coverage{% #detection-coverage %}

Malicious code changes come in many different forms. Datadog SAST covers attack vectors such as:

- Malicious code injection
- Attempted secret exfiltration
- Pushing of malicious packages
- CI workflow compromise

Examples include the [tj-actions/changed-files breach (March 2025)](https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-tj-actionschanged-files-cve-2025-30066-and-reviewdogaction) and [obfuscation of malicious code in npm packages (September 2025)](https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem). Read more in the Datadog blog post on [detecting malicious pull requests](https://www.datadoghq.com/blog/engineering/malicious-pull-requests/).

### Search and filter results{% #search-and-filter-results %}

Detections from Datadog SAST on potentially malicious PRs appear in [Security Signals](https://app.datadoghq.com/security) under the rule ID `def-000-wnp`.

There are two possible verdicts, `malicious` and `benign`. Filter on them with:

- `@malicious_pr_protection.scan.verdict:malicious`
- `@malicious_pr_protection.scan.verdict:benign`

Signals can be triaged directly in Datadog (assign, create a case, or declare an incident), or routed externally using [Datadog Workflow Automation](https://docs.datadoghq.com/actions/workflows/).

## AI-native SAST{% #ai-native-sast %}

{% callout %}
##### Join the Preview!

AI-Native SAST is in Preview and is only available for Datadog-hosted Scans.
{% /callout %}

Datadog's AI-native SAST engine uses large language models (LLMs) to detect security vulnerabilities by reasoning about how data flows through your code. Unlike rule-based static analysis, it can identify vulnerabilities that require contextual understanding of application logic.

AI-native SAST uses a two-phase approach:

1. **Detection**: An LLM scans each file and reasons about whether user-controlled data can reach a dangerous operation without being sanitized.
1. **Verification**: A second LLM independently re-evaluates each candidate finding through taint analysis and confirms or dismisses it, which reduces false positives.
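The two-phase flow above, as an added illustration that is not Datadog's engine: a small Python taint check that, in phase 1, propagates taint from assumed sources (`request.args.get`) through assignments to assumed sinks (`cursor.execute`) and, in phase 2, dismisses any candidate whose only tainted input is a bound query parameter. The source and sink sets and the sample function are constructed for this example.

```python
import ast

# Constructed source/sink model for a Flask + DB-API style codebase (an assumption,
# not Datadog's model): sources yield attacker-controlled data, sinks run SQL.
SOURCES = {"request.args.get", "request.form.get"}
SINKS = {"cursor.execute", "db.execute"}

# Constructed sample input: one real CWE-89, one parameterized call, one clean call.
SAMPLE = '''
def lookup(cursor, request):
    user = request.args.get("user")
    query = "SELECT * FROM accounts WHERE name = '" + user + "'"
    cursor.execute(query)                                              # query text tainted
    cursor.execute("SELECT * FROM accounts WHERE name = %s", (user,))  # bound parameter
    cursor.execute("SELECT 1")                                         # no user data
'''


def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else None


def is_tainted(expr, tainted):
    """True if any sub-expression reads a source or an already-tainted name."""
    return any((isinstance(n, ast.Name) and n.id in tainted)
               or (isinstance(n, ast.Call) and dotted(n.func) in SOURCES)
               for n in ast.walk(expr))


def detect(func):
    """Phase 1: propagate taint through assignments in source order and report
    every sink call that has at least one tainted argument as a candidate."""
    tainted, candidates = set(), []
    key = lambda n: (getattr(n, "lineno", 0), getattr(n, "col_offset", 0))
    for n in sorted(ast.walk(func), key=key):
        if isinstance(n, ast.Assign) and is_tainted(n.value, tainted):
            tainted |= {t.id for t in n.targets if isinstance(t, ast.Name)}
        elif isinstance(n, ast.Call) and dotted(n.func) in SINKS:
            flags = [is_tainted(a, tainted) for a in n.args]
            if any(flags):
                candidates.append((n.lineno, flags))
    return candidates


def verify(candidates):
    """Phase 2: re-check each candidate; taint that reaches the sink only through
    the parameter slot (args[1:]) is bound by the driver, so it is dismissed."""
    return [lineno for lineno, flags in candidates if flags[0]]


def scan(source):
    """Run both phases over every function; return (candidate lines, confirmed lines)."""
    candidates = [c for f in ast.walk(ast.parse(source))
                  if isinstance(f, ast.FunctionDef) for c in detect(f)]
    return [ln for ln, _ in candidates], verify(candidates)
```

Running `scan(SAMPLE)` flags lines 5 and 6 as candidates in phase 1 and confirms only line 5, the concatenated query, in phase 2.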

### Supported languages{% #supported-languages %}

| Language | Status    |
| -------- | --------- |
| Java     | Available |
| Python   | Available |
| Go       | Available |

### Detected vulnerability types{% #detected-vulnerability-types %}

{% collapsible-section open=null #ai-native-sast-cwes %}
#### Supported CWEs

AI-native SAST detects the following vulnerability types:

- [CWE-89: SQL Injection](https://cwe.mitre.org/data/definitions/89.html)

- [CWE-77: Command Injection](https://cwe.mitre.org/data/definitions/77.html)

- [CWE-79: Cross-Site Scripting (XSS)](https://cwe.mitre.org/data/definitions/79.html)

- [CWE-643: XPath Injection](https://cwe.mitre.org/data/definitions/643.html)

- [CWE-22: Path Traversal](https://cwe.mitre.org/data/definitions/22.html)

- [CWE-502: Insecure Deserialization](https://cwe.mitre.org/data/definitions/502.html)

- [CWE-327: Broken Cryptography](https://cwe.mitre.org/data/definitions/327.html)

- [CWE-328: Weak Hashing](https://cwe.mitre.org/data/definitions/328.html)

- [CWE-330: Weak Randomness](https://cwe.mitre.org/data/definitions/330.html)

- [CWE-614: Insecure Cookie](https://cwe.mitre.org/data/definitions/614.html)

- [CWE-90: LDAP Injection](https://cwe.mitre.org/data/definitions/90.html)

- [CWE-94: Code Injection](https://cwe.mitre.org/data/definitions/94.html)

- [CWE-501: Trust Boundary Violation](https://cwe.mitre.org/data/definitions/501.html)

- [CWE-284: Broken Access Control (IDOR)](https://cwe.mitre.org/data/definitions/284.html)

- [CWE-1427: Server-Side Template Injection](https://cwe.mitre.org/data/definitions/1427.html)

{% /collapsible-section %}

## Validation and triage{% #validation-and-triage %}

### False positive filtering{% #false-positive-filtering %}

For a subset of SAST vulnerabilities, [Bits AI](https://docs.datadoghq.com/bits_ai/) reviews the context of the finding, assesses whether it is more likely a true or a false positive, and gives a short explanation of its reasoning.

To narrow down your initial list for triage, in [Vulnerabilities](https://app.datadoghq.com/security/code-security/sast), select **Filter out false positives**. This option uses the `-bitsAssessment:"False Positive"` query.

Each finding includes a section with an explanation of the assessment. You can provide Bits AI with feedback on its assessment using a thumbs up 👍 or thumbs down 👎.

{% image
   source="https://datadog-docs.imgix.net/images/code_security/static_analysis/false_positive_filtering_sast_side_panel_higher_res_png.34cd8b7d9ddc445ffdd70c4dff065277.png?auto=format"
   alt="Visual indicator of a false positive assessment in SAST side panel" /%}



{% collapsible-section open=null #id-for-anchoring %}
#### Supported CWEs

False positive filtering is supported for the following CWEs:

- [CWE-89: SQL Injection](https://cwe.mitre.org/data/definitions/89.html)

- [CWE-78: OS Command Injection](https://cwe.mitre.org/data/definitions/78.html)

- [CWE-90: LDAP Injection](https://cwe.mitre.org/data/definitions/90.html)

- [CWE-22: Path Traversal](https://cwe.mitre.org/data/definitions/22.html)

- [CWE-501: Trust Boundary Violation](https://cwe.mitre.org/data/definitions/501.html)

- [CWE-79: Cross-site Scripting](https://cwe.mitre.org/data/definitions/79.html)

- [CWE-614: Insecure Cookie](https://cwe.mitre.org/data/definitions/614.html)

- [CWE-327: Broken or Risky Cryptographic Algorithm](https://cwe.mitre.org/data/definitions/327.html)

- [CWE-643: XPath Injection](https://cwe.mitre.org/data/definitions/643.html)

- [CWE-94: Code Injection](https://cwe.mitre.org/data/definitions/94.html)

- [CWE-284: Improper Access Control](https://cwe.mitre.org/data/definitions/284.html)

- [CWE-502: Deserialization of Untrusted Data](https://cwe.mitre.org/data/definitions/502.html)

{% /collapsible-section %}

## Remediation{% #remediation %}

{% callout %}
##### Join the Preview!

AI-suggested remediation for SAST is powered by the Bits AI Dev Agent and is in Preview. To sign up, click **Request Access** and complete the form.

[Request Access](http://datadoghq.com/product-preview/bits-ai-dev-agent)
{% /callout %}

Datadog SAST uses the [Bits AI Dev Agent](https://docs.datadoghq.com/bits_ai/bits_ai_dev_agent) to generate code fixes for vulnerabilities. You can remediate individual vulnerabilities or fix multiple vulnerabilities using bulk remediation campaigns.

To view and remediate vulnerabilities:

1. In Datadog, navigate to [**Security** > **Code Security** > **Vulnerabilities**](https://app.datadoghq.com/security/code-security/sast), and select **Static Code (SAST)** on the left sidebar.
1. Select a vulnerability to open a side panel with details about the finding and the affected code.
1. In the **Next Steps** > **Remediation** section, click **Fix with Bits**.
   - To generate a fix, select **Single fix** or **Bulk fix**.
   - If a fix has already been generated, select **View fix and create PR** to view the existing remediation session.

### Single fix{% #single-fix %}

Use **Single fix** to open a code session for Bits AI to fix this single vulnerability. You can review the proposed diff, ask follow-up questions, edit the patch, and create a pull request to apply the remediation to your source code repository.

### Bulk fix (campaigns){% #bulk-fix-campaigns %}

Use **Bulk fix** to create a remediation campaign that fixes multiple vulnerabilities at the same time.

Selecting this option opens a **Create a new Bits AI Bulk Fix Campaign** modal where you can configure the following:

- **Campaign title**: A descriptive title for your campaign.
- **Repositories**: The repositories and paths you want Bits AI to scan.
- **PR grouping options**: How Bits AI should group findings into pull requests (for example, one PR per repository, file, or finding). You can also limit the number of open PRs and the number of findings per PR.
- **Custom instructions** (optional): Additional guidance for how Bits AI should generate fixes, such as changelog requirements or pull request title formatting.

After you create a campaign, the Bits AI Dev Agent loads the in-scope findings, generates patches according to your grouping rules, and (if enabled) creates pull requests. You can review and edit each session before merging changes.

{% alert level="info" %}

- Automatic PR creation is disabled by default. Enable it in [Settings](https://app.datadoghq.com/code/settings).
- Campaigns do not track fixes created outside the campaign. If you generate a single fix and later create a campaign, Bits AI may generate the same fix again.

{% /alert %}

#### View campaign progress{% #view-campaign-progress %}

To view all campaigns, navigate to [**Bits AI** > **Dev Agent** > **Code Sessions** > **Campaigns**](https://app.datadoghq.com/code/campaigns).

Click a campaign to view details including session status, pull requests by repository, and remediated findings. Click an individual session to review, edit, and merge its fixes with the [Bits AI Dev Agent](https://docs.datadoghq.com/bits_ai/bits_ai_dev_agent).

{% image
   source="https://datadog-docs.imgix.net/images/code_security/static_analysis/campaigner-hero-image.125faebd3695c46c7cf75148a58c4a31.png?auto=format"
   alt="Campaigns page in Bits AI Dev Agent" /%}

### Remediation session details{% #remediation-session-details %}

Each code session shows the life cycle of an AI-generated fix so you can review and validate changes before merging. It includes:

- The original security finding and proposed code change
- An explanation of how and why the AI generated the fix
- CI results (if enabled) that validate that the patch is safe to deploy
- Options to refine the fix or **Create PR** to apply the changes to your source code repository

To open the remediation session, select the vulnerability from the [**Vulnerabilities**](https://app.datadoghq.com/security/code-security/sast) page to open the side panel, scroll to the **Remediation** section, and select **Expand & Chat**.

You can also navigate to remediation sessions through the [**Campaigns**](https://app.datadoghq.com/code/campaigns) and [**Code Sessions**](https://app.datadoghq.com/code) views.

{% image
   source="https://datadog-docs.imgix.net/images/code_security/static_analysis/single-session-sql-injection-fix-light-png.f475a05b24289a8722d0eb0578d183a3.png?auto=format"
   alt="Concluded remediation session in Bits AI Dev Agent showing generated fixes and pull request options" /%}

## Further reading{% #further-reading %}

- [Log processing pipelines](https://docs.datadoghq.com/logs/processing/pipelines)
- [Using LLMs to filter out false positives from static code analysis](https://www.datadoghq.com/blog/using-llms-to-filter-out-false-positives)
