GitHub Pull Requests

Overview

Code Security integrates with GitHub pull requests in two ways:

To enable these features, ensure you have the required GitHub permissions (Read & Write) for your repository.

Set up Code Security for GitHub pull requests

Enable Datadog Code Security

To enable Code Security in-app, navigate to the Code Security page.

Configure a GitHub App

To use Code Security on GitHub, you can do one of the following:

  • Create a GitHub App in Datadog.
  • Update an existing GitHub App, if you have already created one in Datadog.

The permissions you grant to the GitHub App determine which GitHub integration features are available for setup.

Create and install a GitHub App

  1. In Datadog, navigate to Integrations > GitHub Applications > Add New GitHub Application.
  2. Fill out any required details, such as the GitHub organization name.
  3. Under Select Features, check the Code Security: Pull Request Review Comments box.
  4. Under Edit Permissions, verify that the Pull Requests permission is set to Read & Write.
  5. Click Create App in GitHub.
  6. Enter a name for your app, and submit it.
  7. Click Install GitHub App.
  8. Choose which repositories the app should be installed into, then click Install & Authorize.
GitHub App installation screen

Update an existing GitHub App

  1. In Datadog, navigate to Integrations > GitHub Applications, and search for the GitHub App you want to use for Code Security.
    Example of a Static Code Analysis comment on a pull request
  2. On the Features tab, look at the Code Security: Pull Request Comments section to determine whether your GitHub App needs additional permissions. If so, click Update permissions in GitHub to edit the app settings.
  3. Under Repository permissions, set the Pull Requests access to Read and write.
    The dropdown for the pull request read and write permission
  4. Under the Subscribe to events heading, check the Pull request box.
    The checkbox for the pull request review comment permission

Enable Code Security PR comments for your repositories

  1. In Datadog, navigate to Security > Code Security > Setup.
  2. In Enable scanning for your repositories, select Edit next to a given repository.
  3. Toggle Enable Static Analyis to on.

Note: If you are using GitHub Actions to run your scans, trigger the action on push in order for comments to appear.

Configure PR comment settings for your repositories

Configure PR comment settings globally for all repositories or tailor them individually for a single repository. You can enable comments for different scan types and set minimum severity thresholds to control when PR comments appear, enabling you to exclude comments from appearing on lower-severity issues.

To configure PR comments for all repositories:

  1. In Datadog, navigate to Security > Code Security > Settings.
  2. In Repository Settings, click Global PR Comment Configuration.
  3. Configure the settings:
    • Enable PR comments for all scan types and severities: Enable this to apply PR comments across all types and severities.
    • Enable for Static Analysis (SAST): Toggle this option to enable PR comments for SAST. If enabled, specify a minimum severity threshold. Additionally, select Exclude PR comments if violations are detected in test files to prevent comments on issues found in test files.
    • Enable for Infrastructure-as-Code (IaC): Toggle this option to enable PR comments for IaC. If enabled, specify a minimum severity threshold.
  4. Click Save.

To configure PR comments for a single repository:

  1. In Datadog, navigate to Security > Code Security > Settings.
  2. In Repository Settings, select a repository from the list.
  3. Configure the settings:
    • Enable PR comments for all scan types and severities: Enable this to apply PR comments across all types and severities.
    • Enable for Static Analysis (SAST): Toggle this option to enable PR comments for SAST. If enabled, specify a minimum severity threshold. Additionally, select Exclude PR comments if violations are detected in test files to prevent comments on issues found in test files.
    • Enable for Infrastructure-as-Code (IaC): Toggle this option to enable PR comments for IaC. If enabled, specify a minimum severity threshold.
    • Block all comments in this repository: Enable this to disable all comments for this repository, overriding global settings.
  4. Click Save Configuration.

Fix a vulnerability directly from Datadog

If your GitHub app’s Pull Requests permission is set to Read & Write, one-click remediation is enabled for all Static Code Analysis findings with an available suggested fix.

Follow these steps to fix a vulnerability and open a pull request:

  1. Go to Code Security > Repositories.
  2. Click a repository.
  3. On the repository’s page, click the Code Vulnerabilities or Code Quality tabs.
  4. Click on a violation.
  5. If a suggested fix is available for that violation, one-click remediation is available in the side panel in the Remediation tab.
PREVIEWING: brett.blue/embedded-collector-release