GitHub Pull Requests

Overview

Code Analysis integrates with GitHub pull requests in two ways:

  • Pull request comments to flag violations: During code reviews on GitHub, Datadog can automatically check for Static Analysis violations in pull requests for repositories that have at least one ruleset applied. Violations are flagged with an inline review comment on the relevant line(s) of code, along with suggested fixes (when applicable) that can be applied directly in the pull request. This is only available for Static Analysis (SAST).

    Example of a Code Analysis comment on a pull request

  • Open a pull request to fix an issue directly from Datadog: You can create a pull request from the UI to fix a security vulnerability or code quality issue based on Datadog’s suggested code fix. This is only available for Static Analysis (SAST).

    Example of one-click remediation for Code Analysis

To enable these features, ensure you have the required GitHub permissions (Read & Write) for your repository.

Set up Code Analysis for GitHub pull requests

Enable Datadog Code Analysis

To use Datadog Code Analysis, add the appropriate configuration files to your repository, as described in the setup instructions.

Configure a GitHub App

To use Code Analysis on GitHub, you can do one of the following:

  • Create a GitHub App in Datadog.
  • Update an existing GitHub App, if you have already created one in Datadog.

The permissions you grant to the GitHub App determine which GitHub integration features are available for setup.

Create and install a GitHub App

  1. In Datadog, navigate to Integrations > GitHub Applications > Add New GitHub Application.
  2. Fill out any required details, such as the GitHub organization name.
  3. Under Select Features, check the Code Analysis: Pull Request Review Comments box.
  4. Under Edit Permissions, verify that the Pull Requests permission is set to Read & Write.
  5. Click Create App in GitHub.
  6. Enter a name for your app, and submit it.
  7. Click Install GitHub App.
  8. Choose which repositories the app should be installed into, then click Install & Authorize.
    GitHub App installation screen

Update an existing GitHub App

  1. In Datadog, navigate to Integrations > GitHub Applications, and search for the GitHub App you want to use for Code Analysis.
  2. On the Features tab, look at the Code Analysis: Pull Request Comments section to determine whether your GitHub App needs additional permissions. If so, click Update permissions in GitHub to edit the app settings.
  3. Under Repository permissions, set the Pull Requests access to Read and write.
    The dropdown for the pull request read and write permission
  4. Under the Subscribe to events heading, check the Pull request box.
    The checkbox for the pull request review comment permission

Enable Code Analysis PR comments for your repositories

  1. In Datadog, navigate to CI Settings > Code Analysis Settings.
  2. Click the toggle switch next to a given repository to enable GitHub Comments. In the example below, comments are enabled for the demo-static-analysis-gates repository.
    Example of a Code Analysis comment on a pull request

Note: If you are using GitHub Actions to run your scans, trigger the action on push in order for comments to appear.
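As an added illustration of that note (not a workflow from this page or from Datadog's own docs), the following GitHub Actions workflow triggers the scan on push as well as on pull_request, and keeps the workflow token at least privilege since review comments are posted by the GitHub App rather than by the token. The action name, its inputs and the secret names are assumptions; confirm them against the setup instructions.

```yaml
name: Datadog Static Analysis

# Run on push so that Datadog can post review comments on the pull request (see the note
# above), and on pull_request so the branch is analysed whenever a PR is opened or updated.
on:
  push:
  pull_request:

# Least privilege for the workflow token: the analyzer only needs to read the checkout.
# Pull request comments and one-click fixes come from the GitHub App's own permissions.
permissions:
  contents: read

jobs:
  static-analysis:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the repository
        uses: actions/checkout@v4

      - name: Run Datadog Static Analysis
        # Assumed action name and inputs; verify against Datadog's setup instructions.
        uses: DataDog/datadog-static-analyzer-github-action@v1
        with:
          # Keys are read from repository secrets, never committed in plain text.
          dd_api_key: ${{ secrets.DD_API_KEY }}
          dd_app_key: ${{ secrets.DD_APP_KEY }}
          dd_site: datadoghq.com   # adjust to the Datadog site your organization uses
```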

Fixing a vulnerability directly from Datadog

If your GitHub app’s Pull Requests permission is set to Read & Write, one-click remediation is enabled for all Static Analysis findings with an available suggested fix.

Follow these steps to fix a vulnerability and open a pull request:

  1. View a specific result in Code Analysis.
  2. Click Fix Violation in the side panel of the result.
  3. Select Open a Pull Request.
  4. Enter a pull request title and commit message.
  5. Click Create PR.

You can also fix a vulnerability by committing directly to the branch the result was found on.

To commit a suggested fix:

  1. View a specific result in Code Analysis.
  2. Click Fix Violation in the side panel of the result.
  3. Click Commit to current branch.
