Static Code Analysis and GitHub Actions

Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > Static Code Analysis and GitHub Actions

Overview

Run a Datadog Static Code Analysis job in your GitHub Action workflows. This action wraps the Datadog Static Analyzer, invokes it against your codebase, and uploads the results to Datadog.

Workflow

Create a file in .github/workflows to run a Datadog Static Code Analysis job.

The following is a sample workflow file.

on: [push]

jobs:
  check-quality:
    runs-on: ubuntu-latest
    name: Datadog Static Analyzer
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Check code meets quality standards
        id: datadog-static-analysis
        uses: DataDog/datadog-static-analyzer-github-action@v1
        with:
          dd_app_key: ${{ secrets.DD_APP_KEY }}
          dd_api_key: ${{ secrets.DD_API_KEY }}
          dd_site: "datadoghq.com"
          cpu_count: 2
          enable_performance_statistics: false

You must set your Datadog API and application keys as secrets in your GitHub repository whether at the organization or repository level. Ensure that you add the code_analysis_read scope to your Datadog application key. For more information, see API and Application Keys.

Make sure to replace dd_site with the Datadog site you are using3.

Inputs

You can set the following parameters for Static Code Analysis.

Name	Description	Required	Default
`dd_api_key`	Your Datadog API key. This key is created by your Datadog organization and should be stored as a secret.	Yes
`dd_app_key`	Your Datadog application key. This key is created by your Datadog organization and should be stored as a secret.	Yes
`dd_site`	The Datadog site to send information to.	No	`datadoghq.com`
`cpu_count`	Set the number of CPUs used to by the analyzer.	No	`2`
`enable_performance_statistics`	Get the execution time statistics for analyzed files.	No	`false`
`debug`	Lets the analyzer print additional logs useful for debugging. To enable, set to `yes`.	No	`no`
`subdirectory`	A subdirectory pattern or glob (or space-delimited subdirectory patterns) that the analysis should be limited to. For example: “src” or “src packages”.	`false`
`architecture`	The CPU architecture to use for the analyzer. Supported values are `x86_64` and `aarch64`.	No	`x86_64`
`diff_aware`	Enable diff-aware scanning mode.	No	`true`

Notes

Diff-aware scanning only scans the files modified by a commit when analyzing feature branches. Diff-aware is enabled by default. To disable diff-aware scanning, set the GitHub action diff_aware parameter to false.

Deprecated Inputs

The following action inputs have been deprecated and no longer have any effect. Passing these in will emit a warning.

dd_service
dd_env

Customizing rules

By default, Datadog Static Analyzer detects the languages of your codebase and uses the default rulesets to analyze your codebase.

To specify and customize the rulesets, add a static-analysis.datadog.yml file to your repository’s root directory to define which rulesets to use.

rulesets:
  - <ruleset-name>
  - <ruleset-name>

Refer to the Datadog documentation for a complete list of rulesets.

Example for Python

Here is an example for Python-based repositories:

rulesets:
  - python-code-style
  - python-best-practices
  - python-inclusive

Other useful GitHub Actions

Datadog Software Composition Analysis (SCA) also offers the ability to scan your dependencies and detect vulnerabilities and licenses. You can use this product with the datadog-sca-github-action.