---
title: Static Code Analysis and GitHub Actions
description: Use Datadog and GitHub to run Static Code Analysis jobs in a CI pipeline.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > Set up
  Static Code Analysis (SAST) > Static Code Analysis and GitHub Actions
---

# Static Code Analysis and GitHub Actions

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site).
{% /alert %}

{% /callout %}

## Overview{% #overview %}

Run a [Datadog Static Code Analysis](https://docs.datadoghq.com/security/code_security/) job as an action in your GitHub Action workflows. This action wraps the [Datadog Static Analyzer](https://github.com/DataDog/datadog-static-analyzer), invokes it against your codebase, and uploads the results to Datadog.

## Workflow{% #workflow %}

Create a file in `.github/workflows` to run a Datadog Static Code Analysis job.

The following is a sample workflow file.

```yaml
on: [push]

jobs:
  check-quality:
    runs-on: ubuntu-latest
    name: Datadog Static Analyzer
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Check code meets quality standards
        id: datadog-static-analysis
        uses: DataDog/datadog-static-analyzer-github-action@v3
        with:
          dd_app_key: ${{ secrets.DD_APP_KEY }}
          dd_api_key: ${{ secrets.DD_API_KEY }}
          dd_site: "datadoghq.com"
          cpu_count: 2
          enable_performance_statistics: false
```

You **must** set your Datadog API and application keys as [secrets in your GitHub repository](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository), either at the organization or at the repository level. Ensure that you add the `code_analysis_read` scope to your Datadog application key. For more information, see [API and Application Keys](https://docs.datadoghq.com/account_management/api-app-keys/).

Make sure to replace `dd_site` with the [Datadog site you are using](https://docs.datadoghq.com/getting_started/site/).

{% alert level="danger" %}
Running a Datadog Static Code Analysis job as an action only supports the `push` event trigger. Other event triggers (`pull_request`, etc.) are not supported.
{% /alert %}
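The two constraints above (only the `push` trigger is supported, and both keys must come from GitHub secrets) are easy to check before a workflow is merged. The following POSIX sh lint is an added example, not code from the Datadog documentation or from the action itself; the sample workflow files it writes are constructed for the demo, and it assumes the block form of `on:` uses two-space indentation.

```shell
# Added example, not code from the Datadog docs or the action: a lint for
# workflow files that call DataDog/datadog-static-analyzer-github-action.
# It enforces the two constraints stated on the page: only the `push` trigger,
# and dd_api_key / dd_app_key read from GitHub secrets rather than pasted in.
check_sast_workflow() {
  wf="$1"; rc=0; found_push=0
  # Workflows that do not use the action are out of scope (exit 0).
  grep -q 'datadog-static-analyzer-github-action' "$wf" || return 0
  # Collect trigger names from either `on: [a, b]` or the two-space block form.
  triggers=$(awk '
    /^on:/ { p = 1; sub(/^on:[ \t]*/, ""); gsub(/\[|\]|"|,/, " "); if ($0 != "") print; next }
    p && /^  [A-Za-z_]+:/ { sub(/^[ \t]+/, ""); sub(/:.*$/, ""); print; next }
    p && !/^[ \t]/ { exit }' "$wf")
  for t in $triggers; do
    if [ "$t" = push ]; then found_push=1
    else echo "$wf: trigger '$t' is not supported by the action"; rc=1; fi
  done
  [ "$found_push" -eq 1 ] || { echo "$wf: workflow must trigger on push"; rc=1; }
  # Both keys must be wired from secrets, i.e. `${{ secrets.NAME }}`.
  for key in dd_api_key dd_app_key; do
    val=$(grep -E "^[[:space:]]*$key:" "$wf" | sed 's/^[^:]*:[[:space:]]*//')
    if [ -z "$val" ]; then echo "$wf: $key is missing"; rc=1
    elif ! printf '%s' "$val" | grep -qE '^\$\{\{[[:space:]]*secrets\.'; then
      echo "$wf: $key is not read from a GitHub secret"; rc=1
    fi
  done
  return $rc
}
# Constructed sample workflows for the demo, trimmed to the lines the lint reads.
SAMPLE_DIR=$(mktemp -d); GOOD_WF="$SAMPLE_DIR/good.yml"; BAD_WF="$SAMPLE_DIR/bad.yml"
cat > "$GOOD_WF" <<'EOF'
on: [push]
steps:
  - uses: DataDog/datadog-static-analyzer-github-action@v3
    with:
      dd_app_key: ${{ secrets.DD_APP_KEY }}
      dd_api_key: ${{ secrets.DD_API_KEY }}
EOF
cat > "$BAD_WF" <<'EOF'
on:
  push:
  pull_request:
steps:
  - uses: DataDog/datadog-static-analyzer-github-action@v3
    with:
      dd_app_key: ${{ secrets.DD_APP_KEY }}
      dd_api_key: "PLACEHOLDER-not-a-real-key"
EOF
check_sast_workflow "$GOOD_WF" && echo "good.yml: ok"
check_sast_workflow "$BAD_WF" || echo "bad.yml: rejected"
```

Run it as a pre-commit hook or a separate CI step over `.github/workflows/*.yml`; a non-zero exit means a workflow either uses an unsupported trigger or carries a literal key.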

## Inputs{% #inputs %}

You can set the following parameters for Static Code Analysis.

| Name                            | Description                                                                                                                                                                                                                                                                                             | Required | Default         |
| ------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | --------------- |
| `dd_api_key`                    | Your Datadog API key. This key is created by your [Datadog organization](https://docs.datadoghq.com/account_management/api-app-keys/) and should be stored as a [secret](https://docs.datadoghq.com/account_management/api-app-keys/).                                                                  | Yes      |                 |
| `dd_app_key`                    | Your Datadog application key. This key is created by your [Datadog organization](https://docs.datadoghq.com/account_management/api-app-keys/) and should be stored as a [secret](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository). | Yes      |                 |
| `dd_site`                       | The [Datadog site](https://docs.datadoghq.com/getting_started/site/) to send information to.                                                                                                                                                                                                            | No       | `datadoghq.com` |
| `cpu_count`                     | The number of CPUs used by the analyzer.                                                                                                                                                                                                                                                                | No       | `2`             |
| `enable_performance_statistics` | Collect execution time statistics for the analyzed files.                                                                                                                                                                                                                                              | No       | `false`         |
| `debug`                         | Lets the analyzer print additional logs useful for debugging. To enable, set to `yes`.                                                                                                                                                                                                                  | No       | `no`            |
| `subdirectory`                  | A subdirectory pattern or glob (or space-delimited subdirectory patterns) that the analysis should be limited to. For example: `"src"` or `"src packages"`.                                                                                                                                             | No       |                 |
| `diff_aware`                    | Enable [diff-aware scanning mode](https://github.com/DataDog/datadog-static-analyzer/blob/main/README.md#diff-aware-scanning).                                                                                                                                                                          | No       | `true`          |

### Notes{% #notes %}

1. Diff-aware scanning only scans the files modified by a commit when analyzing feature branches. Diff-aware scanning is enabled by default. To disable it, set the GitHub action `diff_aware` parameter to `false`.

## Customizing rules{% #customizing-rules %}

By default, [Datadog Static Analyzer](https://github.com/DataDog/datadog-static-analyzer) detects the languages in your codebase and analyzes it with the default rulesets for those languages.

Add a `code-security.datadog.yaml` file to your repository's root directory to define which rulesets to use. For example:

```yaml
schema-version: v1.0
sast:
  use-default-rulesets: false
  use-rulesets:
    - <ruleset-name>
    - <ruleset-name>
```

Refer to the [Datadog documentation](https://docs.datadoghq.com/security/code_security/static_analysis/static_analysis_rules/) for a complete list of rulesets.

### Example for Python{% #example-for-python %}

Here is an example for Python-based repositories:

```yaml
schema-version: v1.0
sast:
  use-default-rulesets: false
  use-rulesets:
    - python-code-style
    - python-best-practices
    - python-inclusive
```

## Other useful GitHub Actions{% #other-useful-github-actions %}

Datadog Software Composition Analysis (SCA) also offers the ability to scan your dependencies and detect vulnerabilities and licenses. You can use this product with the [`datadog-sca-github-action`](https://github.com/DataDog/datadog-sca-github-action).
