Static Analysis and GitHub Actions

Overview

Run a Datadog Static Analysis job in your GitHub Action workflows. This action wraps the Datadog Static Analyzer, invokes it against your codebase, and uploads the results to Datadog.

Workflow

Create a file in .github/workflows to run a Datadog Static Analysis job.

The following is a sample workflow file.

on: [push]

jobs:
  check-quality:
    runs-on: ubuntu-latest
    name: Datadog Static Analyzer
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Check code meets quality standards
        id: datadog-static-analysis
        uses: DataDog/datadog-static-analyzer-github-action@v1
        with:
          dd_app_key: ${{ secrets.DD_APP_KEY }}
          dd_api_key: ${{ secrets.DD_API_KEY }}
          dd_site: "datadoghq.com"
          cpu_count: 2
          enable_performance_statistics: false

You must set your Datadog API and application keys as secrets in your GitHub repository whether at the organization or repository level. Ensure that you add the code_analysis_read scope to your Datadog application key. For more information, see API and Application Keys.

Make sure to replace dd_site with the Datadog site you are using3.

Inputs

You can set the following parameters for Static Analysis.

NameDescriptionRequiredDefault
dd_api_keyYour Datadog API key. This key is created by your Datadog organization and should be stored as a secret.Yes
dd_app_keyYour Datadog application key. This key is created by your Datadog organization and should be stored as a secret.Yes
dd_siteThe Datadog site to send information to.Nodatadoghq.com
cpu_countSet the number of CPUs used to by the analyzer.No2
enable_performance_statisticsGet the execution time statistics for analyzed files.Nofalse
debugLets the analyzer print additional logs useful for debugging. To enable, set to yes.Nono
subdirectoryA subdirectory pattern or glob (or space-delimited subdirectory patterns) that the analysis should be limited to. For example: “src” or “src packages”.false
architectureThe CPU architecture to use for the analyzer. Supported values are x86_64 and aarch64.Nox86_64
diff_awareEnable diff-aware scanning mode.Notrue
secrets_enabledEnable secrets detection (in private beta)Nofalse

Notes

  1. Diff-aware scanning only scans the files modified by a commit when analyzing feature branches. Diff-aware is enabled by default. To disable diff-aware scanning, set the GitHub action diff_aware parameter to false.
  2. Secrets scanning is in private beta. To enable secrets scanning, please contact your Datadog customer success manager.

Deprecated Inputs

The following action inputs have been deprecated and no longer have any effect. Passing these in will emit a warning.

  • dd_service
  • dd_env

Customizing rules

By default, Datadog Static Analyzer detects the languages of your codebase and uses the default rulesets to analyze your codebase.

To specify and customize the rulesets, add a static-analysis.datadog.yml file to your repository’s root directory to define which rulesets to use.

rulesets:
  - <ruleset-name>
  - <ruleset-name>

Refer to the Datadog documentation for a complete list of rulesets.

Example for Python

Here is an example for Python-based repositories:

rulesets:
  - python-code-style
  - python-best-practices
  - python-inclusive

Other useful GitHub Actions

Datadog Software Composition Analysis (SCA) also offers the ability to scan your dependencies and detect vulnerabilities and licenses. You can use this product with the datadog-sca-github-action.

Further Reading

Additional helpful documentation, links, and articles:

PREVIEWING: antoine.dussault/service-representation-ga-docs-us1