Static Analysis Setup

Docs > Code Analysis > Static Analysis > Static Analysis Setup

Try the Beta!

Code Analysis is in public beta.

Overview

To use Datadog Static Analysis, add a static-analysis.datadog.yml file to your repository’s root directory and specify which rulesets you want to include for your programming language(s).

Copy and paste the Code Quality and Security rulesets from the available options for Python on the Code Analysis Setup page

Select one or multiple programming languages and choose which rulesets you want to copy and use on the Code Analysis Setup page.

Add a Static Analysis YAML file to your project

You can include the following global options in the static-analysis.datadog.yml file:

Name	Description	Required	Default
`rulesets`	A list of ruleset names and configurations. View all available rulesets.	`true`
`ignore`	A list of path prefixes and glob patterns to ignore. Matching files will not be analyzed.	`false`
`only`	A list of path prefixes and glob patterns to analyze. Only matching files will be analyzed.	`false`
`ignore-gitignore`	Do not use paths listed in the `.gitignore` file to skip analysis on certain files.	`false`	`false`
`max-file-size-kb`	Ignore files larger than the specified size (in kB units).	`false`	`200`

You can include the following ruleset options in the static-analysis.datadog.yml file:

Name	Description	Required
`rules`	A list of rule configurations for rules belonging to ruleset.	`false`
`ignore`	A list of path prefixes and glob patterns to ignore for this specific ruleset. Matching files will not be analyzed.	`false`
`only`	A list of path prefixes and glob patterns to analyze for this specific ruleset. Only matching files will be analyzed.	`false`

You can include the following rule options in the static-analysis.datadog.yml file:

Name	Description	Required
`ignore`	A list of path prefixes and glob patterns to ignore for this specific rule. Matching files will not be analyzed.	`false`
`only`	A list of path prefixes and glob patterns to analyze for this specific rule. Only matching files will be analyzed.	`false`
`arguments`	A map of values for rules that support customizable arguments.	`false`

The map in the arguments field uses an argument’s name as its key, and the values are either strings or maps:

To set a value for the whole repository, you can specify it as a string.
To set different values for different subtrees in the repository, you can specify them as a map from a subtree prefix to the value that the argument will have within that subtree.

The full structure of the static-analysis.datadog.yml file is as follows:

rulesets:
  - ruleset-name
  - ruleset-name:
    # Only apply this ruleset to the following paths/files
    only:
      - "path/example"
      - "**/*.file"
    # Do not apply this ruleset in the following paths/files
    ignore:
      - "path/example"
      - "**/*.file"
  - ruleset-name:
    rules:
      rule-name:
        # Only apply this rule to the following paths/files
        only:
          - "path/example"
          - "**/*.file"
        # Do not apply this rule to the following paths/files
        ignore:
          - "path/example"
          - "**/*.file"
        arguments:
          # Set the rule's argument to value.
          argument-name: value
      rule-name:
        arguments:
          # Set different argument values in different subtrees
          argument-name:
            # Set the rule's argument to value_1 by default (root path of the repo)
            /: value_1
            # Set the rule's argument to value_2 for specific paths
            path/example: value_2
# Only analyze any ruleset in the following paths/files
only:
  - "path/example"
  - "**/*.file"
# Do not analyze any ruleset in the following paths/files
ignore:
  - "path/example"
  - "**/*.file"

For example, you can use the following:

rulesets:
  - python-best-practices
  - python-security
  - python-code-style
    rules:
      max-function-lines:
        # Do not apply the rule max-function-lines to the following files
        ignore:
          - "src/main/util/process.py"
          - "src/main/util/datetime.py"
        arguments:
          # Set the max-function-lines rule's threshold to 150 lines
          max-lines: 150
      max-class-lines:
        arguments:
          # Set different thresholds for the max-class-lines rule in different subtrees
          max-lines:
            # Set the rule's threshold to 200 lines by default (root path of the repo)
            /: 200
            # Set the rule's threshold to 100 lines in src/main/backend
            src/main/backend: 100
  - python-inclusive
  - python-django:
    # Only apply the python-django ruleset to the following paths
    only:
      - "src/main/backend"
      - "src/main/django"
    # Do not apply the python-django ruleset in files matching the following pattern
    ignore:
      - "src/main/backend/util/*.py"
# Only analyze source files
only:
  - "src/main"
  - "src/tests"
  - "**/*.py"
# Do not analyze third-party or generated files 
ignore:
  - "lib/third_party"
  - "**/*.generated.py"
  - "**/*.pb.py"

Set up the GitHub integration

You must configure a GitHub App using the GitHub integration tile and set up the source code integration to see the offending code snippets as part of the Static Analysis results in the Datadog UI.

When installing a GitHub App, the following permissions are required to enable certain features:

Content: Read, which allows you to see code snippets displayed in Datadog
Pull Request: Read & Write, which allows Datadog to add feedback for violations directly in your pull requests using pull request comments

Configure your CI/CD provider

Datadog Static Analysis runs in your CI pipelines using the datadog-ci CLI and checks your code against Datadog’s default rulesets. Configure your Datadog API and application keys and run Static Analysis in the respective CI provider.

See the documentation for information about the following integrations:

CircleCI Orbs

GitHub Actions

Generic CI Providers

Upload third-party static analysis results to Datadog

SARIF importing has been tested for Snyk, CodeQL, Semgrep, Checkov, Gitleaks, and Sysdig. Please reach out to Datadog Support if you experience any issues with other SARIF-compliant tools.

You can send results from third-party static analysis tools to Datadog, provided they are in the interoperable Static Analysis Results Interchange Format (SARIF) Format. Node.js version 14 or later is required.

To upload a SARIF report:

Ensure the DD_API_KEY and DD_APP_KEY variables are defined.
Optionally, set a DD_SITE variable (this default to datadoghq.com).
Install the datadog-ci utility:
```
npm install -g @datadog/datadog-ci
```
Run the third-party static analysis tool on your code and output the results in the SARIF format.

Upload the results to Datadog:

datadog-ci sarif upload $OUTPUT_LOCATION --service <datadog-service> --env <datadog-env>