---
title: Generic CI Providers
description: >-
  Learn about Datadog Static Code Analysis to scan code for quality issues and
  security vulnerabilities before your code reaches production.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > Set up
  Static Code Analysis (SAST) > Generic CI Providers
---

# Generic CI Providers

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site).
{% /alert %}

{% /callout %}

## Overview{% #overview %}

If you don't use GitHub Actions, you can run the [datadog-ci](https://github.com/DataDog/datadog-ci?tab=readme-ov-file#sarif) CLI directly in your CI pipeline platform and upload SARIF results to Datadog.

**If you are running Code Security on a non-GitHub repository**, ensure that the first scan is run on your default branch. If your default branch is not one of `master`, `main`, `default`, `stable`, `source`, `prod`, or `develop`, first attempt a SARIF upload for the repository, then manually override the default branch in-app under [Repository Settings](https://app.datadoghq.com/source-code/repositories). Afterwards, uploads from your non-default branches succeed.

Prerequisites:

- unzip
- Node.js 14 or later

Configure the following environment variables:

| Name         | Description                                                                                                                                                                                                                            | Required | Default         |
| ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | --------------- |
| `DD_API_KEY` | Your Datadog API key. This key is created by your [Datadog organization](https://docs.datadoghq.com/account_management/api-app-keys/#api-keys) and should be stored as a CI secret, never committed to the repository.                  | Yes      |                 |
| `DD_APP_KEY` | Your Datadog application key. This key, created by your [Datadog organization](https://docs.datadoghq.com/account_management/api-app-keys/#application-keys), should include the `code_analysis_read` scope and be stored as a CI secret. | Yes      |                 |
| `DD_SITE`    | The [Datadog site](https://docs.datadoghq.com/getting_started/site/) to send information to.                                                                                                                                            | No       | `datadoghq.com` |

Provide the following inputs:

| Name           | Description                                                                                                            | Required | Default                            |
| -------------- | ---------------------------------------------------------------------------------------------------------------------- | -------- | ---------------------------------- |
| `cpu_count`    | Set the number of CPUs used by the analyzer.                                                                           | No       | Number of CPUs available           |
| `subdirectory` | The subdirectory path the analysis should be limited to. The path is relative to the root directory of the repository. | No       | Entire repository                  |

To obtain execution time statistics for analyzed files, add a `--performance-statistics` flag to your static analysis command.

Select an analyzer for your architecture and OS from the following options:

| Architecture | OS        | Name                                                    | Link                                                                                                                                          |
| ------------ | --------- | ------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
| `aarch64`    | `Darwin`  | `datadog-static-analyzer-aarch64-apple-darwin.zip`      | [Download](https://github.com/DataDog/datadog-static-analyzer/releases/latest/download/datadog-static-analyzer-aarch64-apple-darwin.zip)      |
| `aarch64`    | `Linux`   | `datadog-static-analyzer-aarch64-unknown-linux-gnu.zip` | [Download](https://github.com/DataDog/datadog-static-analyzer/releases/latest/download/datadog-static-analyzer-aarch64-unknown-linux-gnu.zip) |
| `x86_64`     | `Darwin`  | `datadog-static-analyzer-x86_64-apple-darwin.zip`       | [Download](https://github.com/DataDog/datadog-static-analyzer/releases/latest/download/datadog-static-analyzer-x86_64-apple-darwin.zip)       |
| `x86_64`     | `Linux`   | `datadog-static-analyzer-x86_64-unknown-linux-gnu.zip`  | [Download](https://github.com/DataDog/datadog-static-analyzer/releases/latest/download/datadog-static-analyzer-x86_64-unknown-linux-gnu.zip)  |
| `x86_64`     | `Windows` | `datadog-static-analyzer-x86_64-pc-windows-msvc.zip`    | [Download](https://github.com/DataDog/datadog-static-analyzer/releases/latest/download/datadog-static-analyzer-x86_64-pc-windows-msvc.zip)    |

Add the following to your CI pipeline:

```bash
# Fail fast on any error or unset variable
set -eu

# DD_API_KEY and DD_APP_KEY must be injected as CI secrets; only the site is set here
export DD_SITE="datadoghq.com"

# Install the uploader
npm install -g @datadog/datadog-ci

# Download the latest Datadog static analyzer (x86_64 Linux build, see the table above):
# https://github.com/DataDog/datadog-static-analyzer/releases
DATADOG_STATIC_ANALYZER_URL="https://github.com/DataDog/datadog-static-analyzer/releases/latest/download/datadog-static-analyzer-x86_64-unknown-linux-gnu.zip"
curl -fsSL "$DATADOG_STATIC_ANALYZER_URL" -o /tmp/ddog-static-analyzer.zip
unzip -o /tmp/ddog-static-analyzer.zip -d /tmp
mv /tmp/datadog-static-analyzer /usr/local/datadog-static-analyzer

# Run Static Code Analysis on the checked-out repository and write a SARIF report
/usr/local/datadog-static-analyzer -i . -o /tmp/report.sarif -f sarif

# Upload results (reads DD_API_KEY, DD_APP_KEY and DD_SITE from the environment)
datadog-ci sarif upload /tmp/report.sarif
```

{% alert level="info" %}
This example uses the x86_64 Linux version of Datadog's static analyzer. If you're using a different OS or architecture, select it from the table above and update the `DATADOG_STATIC_ANALYZER_URL` value in the snippet above. You can view all releases on the [GitHub Releases](https://github.com/DataDog/datadog-static-analyzer/releases) page.
{% /alert %}

{% alert level="danger" %}
Running a Datadog Static Code Analysis job as part of your CI/CD pipeline only supports workflows triggered by direct code commits (for example, a `push` event). Other types of triggers, such as pull, merge, or review request events are not supported.
{% /alert %}
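The snippet above hardcodes the x86_64 Linux asset. The following script is an added example, not code from the Datadog documentation or the datadog-static-analyzer project: it derives the release asset name from `uname -m` and `uname -s` using the table above (normalising macOS's `arm64` to `aarch64` and rejecting combinations the table does not list), then runs the same download, scan and upload sequence. It assumes `DD_API_KEY` and `DD_APP_KEY` are already exported as CI secrets and that `curl`, `unzip` and `npm` are on `PATH`; the install path `/usr/local/datadog-static-analyzer` is the one used above.

```shell
#!/usr/bin/env sh
# Added example (not from the Datadog docs): select the analyzer build for
# the current platform instead of hardcoding the x86_64 Linux URL.
# Assumes DD_API_KEY / DD_APP_KEY are exported as CI secrets.
set -eu

# Map `uname -m` / `uname -s` output onto the asset names in the table above.
# macOS reports Apple Silicon as "arm64", so it is normalised to "aarch64".
# Prints the asset file name; returns 1 for a combination the table lacks.
analyzer_asset_name() {
  arch="$1"
  os="$2"
  case "$arch" in
    arm64|aarch64) arch=aarch64 ;;
    x86_64|amd64)  arch=x86_64 ;;
    *) echo "unsupported architecture: $arch" >&2; return 1 ;;
  esac
  case "$os" in
    Darwin) target="${arch}-apple-darwin" ;;
    Linux)  target="${arch}-unknown-linux-gnu" ;;
    MINGW*|MSYS*|CYGWIN*|Windows_NT)
      # The table only lists an x86_64 Windows build.
      [ "$arch" = x86_64 ] || { echo "no Windows build for $arch" >&2; return 1; }
      target="x86_64-pc-windows-msvc" ;;
    *) echo "unsupported OS: $os" >&2; return 1 ;;
  esac
  echo "datadog-static-analyzer-${target}.zip"
}

# Build the "latest" download URL for an asset name.
analyzer_download_url() {
  echo "https://github.com/DataDog/datadog-static-analyzer/releases/latest/download/$1"
}

# Download, scan and upload; mirrors the snippet above but for the detected platform.
# (On Windows the unpacked binary is datadog-static-analyzer.exe; this example
# only installs on Linux and macOS.)
run_scan() {
  asset="$(analyzer_asset_name "$(uname -m)" "$(uname -s)")"
  url="$(analyzer_download_url "$asset")"
  export DD_SITE="${DD_SITE:-datadoghq.com}"

  npm install -g @datadog/datadog-ci

  echo "downloading $url"
  curl -fsSL "$url" -o /tmp/ddog-static-analyzer.zip
  unzip -o /tmp/ddog-static-analyzer.zip -d /tmp
  mv /tmp/datadog-static-analyzer /usr/local/datadog-static-analyzer

  /usr/local/datadog-static-analyzer -i . -o /tmp/report.sarif -f sarif
  datadog-ci sarif upload /tmp/report.sarif
}

# Only perform the download/scan when invoked as `sh ci-scan.sh run`, so the
# helper functions can be sourced and checked without network access.
if [ "${1:-}" = run ]; then
  run_scan
fi
```

Because the `latest` URL resolves to whatever the newest release is at pipeline time, a CI run is not reproducible and a compromised release would be picked up automatically; pinning a specific release tag in the URL (and caching the archive) is the usual mitigation if your change-control process requires it.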

## Diff-aware scanning{% #diff-aware-scanning %}

Diff-aware scanning is a feature that enables Datadog Static Code Analysis to only scan the files modified by a commit in a feature branch. It accelerates scan time significantly by not having the analysis run on every file in the repository for every scan. The first scan performed, as well as default branch scans, always produce an analysis of the full repository (not diff-aware).

If you are using GitHub Actions, diff-aware scanning is enabled by default.

For other CI providers, follow these steps to enable diff-aware scanning:

1. Make sure your `DD_APP_KEY`, `DD_SITE` and `DD_API_KEY` variables are set in your CI pipeline.
1. Add a call to `datadog-ci git-metadata upload` before invoking the static analyzer. This command makes the repository's Git metadata available to the Datadog backend, which needs it to determine which files changed and therefore have to be analyzed.
1. Ensure that the datadog-static-analyzer is invoked with the flag `--diff-aware`.

Example command sequence (run these commands from inside your Git repository):

```bash
# Make the commit's Git metadata available to Datadog before scanning
datadog-ci git-metadata upload

# -g attaches Git information to the results; --diff-aware limits the scan to changed files
datadog-static-analyzer -i /path/to/directory -g -o sarif.json -f sarif --diff-aware <...other-options...>
```

**Note:** When a diff-aware scan cannot be completed, the entire directory is scanned.
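The three steps above fit into a single CI job step. The script below is an added example and not code from the Datadog documentation or project: it checks the preconditions up front (all three variables present, running inside a Git work tree) so that a misconfigured job fails with a clear message rather than silently falling back to a full scan or failing at upload time, then runs the metadata upload, the diff-aware scan and the SARIF upload in the order the steps require. It assumes `datadog-ci` and `datadog-static-analyzer` are already on `PATH`; the function and variable names are this example's own.

```shell
#!/usr/bin/env sh
# Added example (not from the Datadog docs): a fail-fast diff-aware scan step.
# Assumes datadog-ci and datadog-static-analyzer are installed and on PATH.
set -eu

# Print the name of every listed environment variable that is unset or empty,
# one per line; return 1 if any are missing, 0 otherwise.
missing_env() {
  rc=0
  for name in "$@"; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "$name"
      rc=1
    fi
  done
  return $rc
}

# Diff-aware scanning depends on Git metadata, so refuse to run outside a work tree.
in_git_worktree() {
  git rev-parse --is-inside-work-tree >/dev/null 2>&1
}

# Run the sequence from the steps above against $1 (default: current directory),
# writing the SARIF report to $2 (default: /tmp/report.sarif).
run_diff_aware_scan() {
  dir="${1:-.}"
  out="${2:-/tmp/report.sarif}"

  # Step 1: all three variables must be present; report every missing one at once.
  if ! missing="$(missing_env DD_API_KEY DD_APP_KEY DD_SITE)"; then
    echo "missing required variables: $(echo "$missing" | tr '\n' ' ')" >&2
    return 2
  fi
  in_git_worktree || { echo "not inside a Git work tree: $(pwd)" >&2; return 2; }

  # Step 2: upload Git metadata before the analyzer runs.
  datadog-ci git-metadata upload

  # Step 3: -g attaches Git information to results, --diff-aware restricts the run
  # to files changed on this branch (the analyzer scans everything on the
  # default branch, on the first scan, or when the diff cannot be computed).
  datadog-static-analyzer -i "$dir" -g -o "$out" -f sarif --diff-aware

  datadog-ci sarif upload "$out"
}

# Only scan when invoked as `sh diff-scan.sh run [dir]`; otherwise just define helpers.
if [ "${1:-}" = run ]; then
  run_diff_aware_scan "${2:-.}"
fi
```

Keep `DD_API_KEY` and `DD_APP_KEY` in the CI system's secret store and expose them only to this job; `missing_env` prints variable names, never values, so its output is safe in job logs.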
