---
title: AI-Enhanced Static Code Analysis
description: Automate security decision-making across the entire static analysis lifecycle
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Static Code Analysis (SAST) >
  AI-Enhanced Static Code Analysis
---

# AI-Enhanced Static Code Analysis

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

Static Code Analysis (SAST) uses AI to help automate detection, validation, and remediation across the vulnerability management lifecycle. This page provides an overview of these features.

## Summary of AI features in SAST{% #summary-of-ai-features-in-sast %}

| Step of vulnerability management life cycle | Feature                                                                                                            | Trigger Point                            | Impact                                                                        |
| ------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | ---------------------------------------- | ----------------------------------------------------------------------------- |
| Detection                                   | Malicious PR protection: Detect potentially malicious changes or suspicious diffs                                  | At PR time                               | Flags PRs introducing novel risky code                                        |
| Detection                                   | AI-native SAST: LLM-based taint analysis to detect security vulnerabilities with higher accuracy                   | At scan time (Datadog Hosted Scans only) | Identifies contextually complex vulnerabilities missed by rule-based analysis |
| Validation                                  | False positive filtering: Deprioritize low-likelihood findings                                                     | After scan                               | Reduce noise, allow focus on actual issues                                    |
| Remediation                                 | Automated remediation: Generate suggested fixes (and optionally PRs) for vulnerabilities manually or automatically | After scan                               | Reduces developer effort, accelerates fix cycle                               |

## Detection{% #detection %}

{% callout %}
# Important note for users on the following Datadog sites: app.datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, app.datadoghq.eu, ap1.datadoghq.com, ap2.datadoghq.com

{% callout %}
##### Join the Preview!

Malicious PR protection is in Preview and supports GitHub repositories only. Click **Request Access** and complete the form.

[Request Access](https://www.datadoghq.com/product-preview/malicious-pr-protection/)
{% /callout %}

{% /callout %}

Malicious PR protection uses LLMs to detect and prevent malicious code changes at scale. By scanning pull requests (PRs) submitted to the default branches of your repositories to detect potentially malicious intent, this functionality helps you:

- Secure code changes from both internal and external contributors
- Scale your code reviews as the volume of AI-assisted code changes increases
- Embed code security into your security incident response workflows

### Detection coverage{% #detection-coverage %}

Malicious code changes come in many different forms. Datadog SAST covers attack vectors such as:

- Malicious code injection
- Attempted secret exfiltration
- Pushing of malicious packages
- CI workflow compromise

Examples include the [tj-actions/changed-files breach (March 2025)](https://www.cisa.gov/news-events/alerts/2025/03/18/supply-chain-compromise-third-party-tj-actionschanged-files-cve-2025-30066-and-reviewdogaction) and [obfuscation of malicious code in npm packages (September 2025)](https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem). Read more in the blog post [here](https://www.datadoghq.com/blog/engineering/malicious-pull-requests/).

### Search and filter results{% #search-and-filter-results %}

Detections from Datadog SAST on potentially malicious PRs can be found in [Security Signals](https://app.datadoghq.com/security) from the rule ID `def-000-wnp`.

There are two potential verdicts: `malicious` and `benign`. They can be filtered for using:

- `@malicious_pr_protection.scan.verdict:malicious`
- `@malicious_pr_protection.scan.verdict:benign`

Signals can be triaged directly in Datadog (assign, create a case, or declare an incident), or routed externally using [Datadog Workflow Automation](https://docs.datadoghq.com/actions/workflows.md).

## AI-native SAST{% #ai-native-sast %}

{% callout %}
# Important note for users on the following Datadog sites: app.datadoghq.com, us3.datadoghq.com, us5.datadoghq.com, app.datadoghq.eu, ap1.datadoghq.com, ap2.datadoghq.com

{% callout %}
##### Join the Preview!

AI-Native SAST is in Preview and is only available for Datadog-hosted Scans.
{% /callout %}

{% /callout %}

Datadog's AI-native SAST engine uses large language models (LLMs) to detect security vulnerabilities by reasoning about how data flows through your code. Unlike rule-based static analysis, it can identify vulnerabilities that require contextual understanding of application logic.

AI-native SAST uses a two-phase approach:

1. **Detection**: An LLM scans each file and reasons about whether user-controlled data can reach a dangerous operation without being sanitized.
1. **Verification**: A second LLM independently re-evaluates each candidate finding through taint analysis, confirming or dismissing each finding to reduce false positives.
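As an added illustration for this page (not Datadog's engine, which uses LLMs rather than the fixed rules below), the following Python script mimics the two-phase shape of the approach: a cheap detection pass nominates every sink call whose query or command string is not a literal, and a verification pass propagates taint from source calls through assignments, f-strings and concatenation to the sink, dismissing candidates where a sanitizer intervenes or where the query is parameterized. The source, sink and sanitizer names, and the sample handlers it parses, are assumptions constructed for this example.

```python
import ast

# Constructed assumptions for this illustration: calls that introduce user-controlled
# data (sources), calls whose first argument must never be attacker-influenced
# (sinks), and calls that neutralize the data they return (sanitizers).
SOURCES = {"request.args.get", "request.form.get"}
SINKS = {"cursor.execute", "os.system"}
SANITIZERS = {"int", "shlex.quote"}

def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        return ".".join(reversed(parts + [node.id]))
    return None

def call_name(node):
    return dotted_name(node.func) if isinstance(node, ast.Call) else None

def find_candidates(tree):
    """Phase 1 (detection): every sink call whose first argument is not a literal.
    Cheap, but it cannot tell user-controlled data from clean data."""
    hits = [(n.lineno, call_name(n)) for n in ast.walk(tree)
            if call_name(n) in SINKS and n.args and not isinstance(n.args[0], ast.Constant)]
    return sorted(hits)

class TaintTracker(ast.NodeVisitor):
    """Phase 2 (verification): intraprocedural taint propagation; a candidate is
    confirmed only if a source value reaches the sink with no sanitizer in between."""
    def __init__(self):
        self.tainted = {}   # variable name -> frozenset of source names
        self.findings = []  # (line, sink name, tuple of source names)

    def taint_of(self, node):
        """Sources that can influence the value of this expression."""
        name = call_name(node)
        if name in SOURCES:
            return frozenset({name})
        if name in SANITIZERS:
            return frozenset()  # a sanitizer call stops propagation
        if isinstance(node, ast.Name):
            return self.tainted.get(node.id, frozenset())
        # f-strings, concatenation, tuples, other calls: union over sub-expressions
        return frozenset().union(*(self.taint_of(c) for c in ast.iter_child_nodes(node)))

    def visit_FunctionDef(self, node):
        saved, self.tainted = self.tainted, {}  # fresh variable state per function
        self.generic_visit(node)
        self.tainted = saved

    def visit_Assign(self, node):
        taint = self.taint_of(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                self.tainted[target.id] = taint  # reassignment overwrites old taint
        self.generic_visit(node)

    def visit_Call(self, node):
        name = call_name(node)
        if name in SINKS and node.args:
            sources = self.taint_of(node.args[0])
            if sources:
                self.findings.append((node.lineno, name, tuple(sorted(sources))))
        self.generic_visit(node)

def analyze(source):
    """Run both phases on Python source text; returns (candidates, confirmed)."""
    tree = ast.parse(source)
    tracker = TaintTracker()
    tracker.visit(tree)
    return find_candidates(tree), tracker.findings

# Constructed sample (only parsed, never executed): four handlers, two injectable.
SAMPLE = '''
def lookup_user(request, cursor):
    name = request.args.get("name")
    query = f"SELECT * FROM users WHERE name = '{name}'"
    cursor.execute(query)

def lookup_user_safe(request, cursor):
    name = request.args.get("name")
    cursor.execute("SELECT * FROM users WHERE name = %s", (name,))

def lookup_by_id(request, cursor):
    uid = int(request.args.get("id"))
    cursor.execute("SELECT * FROM users WHERE id = " + str(uid))

def ping(request):
    host = request.args.get("host")
    os.system("ping -c 1 " + host)
'''

if __name__ == "__main__":
    candidates, confirmed = analyze(SAMPLE)
    print("phase 1 candidates:", candidates)  # lines 5, 13 and 17
    print("phase 2 confirmed:", [(line, sink) for line, sink, _ in confirmed])  # 5 and 17
```

Phase 1 nominates three of the four sink calls (the parameterized query in `lookup_user_safe` passes a literal query string and is never a candidate). Phase 2 keeps only the f-string SQL and the concatenated shell command, because `lookup_by_id` routes the input through `int()`, which the tracker treats as a sanitizer. The tracker is intraprocedural and flow-sensitive only in source order; it does not follow taint across function boundaries or through branches, which is exactly the contextual reasoning the page attributes to the LLM-based engine.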

### Supported languages{% #supported-languages %}

| Language   | Status    |
| ---------- | --------- |
| Java       | Available |
| Python     | Available |
| Go         | Available |
| C#         | Available |
| JavaScript | Available |

### Detected vulnerability types{% #detected-vulnerability-types %}

{% collapsible-section open=null #ai-native-sast-cwes %}
#### Supported CWEs

AI-native SAST detects the following vulnerability types:

- [CWE-89: SQL Injection](https://cwe.mitre.org/data/definitions/89.html)

- [CWE-77: Command Injection](https://cwe.mitre.org/data/definitions/77.html)

- [CWE-79: Cross-Site Scripting (XSS)](https://cwe.mitre.org/data/definitions/79.html)

- [CWE-643: XPath Injection](https://cwe.mitre.org/data/definitions/643.html)

- [CWE-22: Path Traversal](https://cwe.mitre.org/data/definitions/22.html)

- [CWE-502: Insecure Deserialization](https://cwe.mitre.org/data/definitions/502.html)

- [CWE-327: Broken Cryptography](https://cwe.mitre.org/data/definitions/327.html)

- [CWE-328: Weak Hashing](https://cwe.mitre.org/data/definitions/328.html)

- [CWE-330: Weak Randomness](https://cwe.mitre.org/data/definitions/330.html)

- [CWE-614: Insecure Cookie](https://cwe.mitre.org/data/definitions/614.html)

- [CWE-90: LDAP Injection](https://cwe.mitre.org/data/definitions/90.html)

- [CWE-94: Code Injection](https://cwe.mitre.org/data/definitions/94.html)

- [CWE-501: Trust Boundary Violation](https://cwe.mitre.org/data/definitions/501.html)

- [CWE-284: Broken Access Control (IDOR)](https://cwe.mitre.org/data/definitions/284.html)

- [CWE-1427: Prompt Injection](https://cwe.mitre.org/data/definitions/1427.html)

{% /collapsible-section %}

## Validation and triage{% #validation-and-triage %}

### False positive filtering{% #false-positive-filtering %}

[Bits AI](https://docs.datadoghq.com/bits_ai.md) reviews the context of each SAST finding, assesses whether it is more likely to be a true or false positive, and provides a short explanation of its reasoning.

To narrow down your initial list for triage, in [Vulnerabilities](https://app.datadoghq.com/security/code-security/sast), turn on the **Filter out false positives** toggle. This option uses the `-bitsAssessment:"False Positive"` query.

Each finding includes a section with an explanation of the assessment. You can provide Bits AI with feedback on its assessment using a thumbs up 👍 or thumbs down 👎.

{% image
   source="https://docs.dd-static.net/images/code_security/static_analysis/false_positive_filtering_sast_side_panel_higher_res_png.34cd8b7d9ddc445ffdd70c4dff065277.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/code_security/static_analysis/false_positive_filtering_sast_side_panel_higher_res_png.34cd8b7d9ddc445ffdd70c4dff065277.png?auto=format&fit=max&w=850&dpr=2 2x"
   alt="Visual indicator of a false positive assessment in SAST side panel" /%}
### Bits AI Memories{% #bits-ai-memories %}

Bits AI Memories lets teams add rule-specific context that Bits AI uses when assessing SAST findings. Use memories to describe organization-specific frameworks, sanitizers, validation patterns, or codebase details that help Bits AI interpret findings for that rule.

In the SAST rule side panel, expand the false positive reports accordion to review reports shared by your organization for the selected rule. Use the custom context tab in the same section to add guidance for future Bits AI assessments. Memories apply at the organization and rule level for SAST. They apply only to security-category SAST rules in Datadog's default rulesets and do not apply to custom rules.

## Remediation{% #remediation %}

Datadog SAST uses [Bits Code](https://docs.datadoghq.com/bits_ai/bits_code.md) to generate code fixes for vulnerabilities. You can also create an [automation](https://docs.datadoghq.com/bits_ai/bits_code/automations.md) to automatically generate fixes for vulnerabilities as they are found or on a schedule.

To view and remediate vulnerabilities:

1. In Datadog, navigate to [**Security** > **Code Security** > **Vulnerabilities**](https://app.datadoghq.com/security/code-security/sast), and select **Static Code (SAST)**.
1. Select a vulnerability to open a side panel with details about the finding and the affected code.
1. In the **Next Steps** > **Remediation** section, click **Fix with Bits**, then select one of the following options:
   - **Single fix**: Generates a code fix for this vulnerability
     - If a fix has already been generated, select **View fix and create PR** to view the existing remediation session.
   - **Create automation**: Opens a pop-up modal where you can create a [Bits Code automation](https://docs.datadoghq.com/bits_ai/bits_code/automations.md)

### Single fix{% #single-fix %}

Use **Single fix** to open a Bits Code session to fix this single vulnerability. You can review the proposed diff, ask follow-up questions, edit the patch, and create a pull request to apply the remediation to your source code repository.

View all Bits Code sessions on **Bits AI** > **Bits Code** > [**Sessions**](https://app.datadoghq.com/code).

### Create automation{% #create-automation %}

Use **Create automation** to create a [Bits Code automation](https://docs.datadoghq.com/bits_ai/bits_code/automations.md) to generate fixes for SAST vulnerabilities automatically, either as they are found or on a schedule.

Selecting this option opens an **Automate with Bits** modal with the **Remediate SAST vulnerabilities** action pre-filled. Complete the form, including specifying a trigger and output, then click **Create Automation**. See [Automations](https://docs.datadoghq.com/bits_ai/bits_code/automations.md) to learn more about actions, triggers, and outputs.

View all Bits Code automations on **Bits AI** > **Bits Code** > [**Automations**](https://app.datadoghq.com/code/automations).

### Remediation session details{% #remediation-session-details %}

Each Bits Code session shows the life cycle of an AI-generated fix so you can review and validate changes before merging. It includes:

- The original security finding and proposed code change
- An explanation of how and why Bits Code generated the fix
- CI results (if enabled) to validate the patch is safe to deploy
- Options to refine the fix or **Create PR** to apply the changes to your source code repository

To open the remediation session, select the vulnerability from the [**Vulnerabilities**](https://app.datadoghq.com/security/code-security/sast) page to open the side panel, scroll to the **Remediation** section, and select **Expand & Chat**.

You can also view all remediation sessions on [**Sessions**](https://app.datadoghq.com/code).

{% image
   source="https://docs.dd-static.net/images/code_security/static_analysis/single-session-sql-injection-fix-light-png.f475a05b24289a8722d0eb0578d183a3.png?auto=format&fit=max&w=850 1x, https://docs.dd-static.net/images/code_security/static_analysis/single-session-sql-injection-fix-light-png.f475a05b24289a8722d0eb0578d183a3.png?auto=format&fit=max&w=850&dpr=2 2x"
   alt="Concluded remediation session in Bits Code showing generated fixes and pull request options" /%}

## Further reading{% #further-reading %}

- [Log processing pipelines](https://docs.datadoghq.com/logs/processing/pipelines.md)
- [Using LLMs to filter out false positives from static code analysis](https://www.datadoghq.com/blog/using-llms-to-filter-out-false-positives)
- [Introducing Bits Code for Code Security](https://www.datadoghq.com/blog/bitsai-dev-agent-code-security)
