Secret Scanning and GitHub Actions

Docs > Datadog Security > Code Security > Secret Scanning > Secret Scanning and GitHub Actions

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Run a Datadog Secret Scanning job in your GitHub Action workflows. This action wraps the Datadog Static Analyzer (that scans for secrets), invokes it against your codebase, and uploads the results to Datadog.

Workflow

Create a file in .github/workflows to run a Datadog Secret Scanning job.

The following is a sample workflow file.

on: [push]

jobs:
  check-quality:
    runs-on: ubuntu-latest
    name: Datadog Static Analyzer
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Check code meets quality standards
        id: datadog-static-analysis
        uses: DataDog/datadog-static-analyzer-github-action@v1
        with:
          dd_app_key: ${{ secrets.DD_APP_KEY }}
          dd_api_key: ${{ secrets.DD_API_KEY }}
          dd_site: "datadoghq.com"
          cpu_count: 2
          enable_performance_statistics: false
          static_analysis_enabled: false
          secrets_enabled: true

You must set your Datadog API and application keys as secrets in your GitHub repository, at either the organization or repository level. Ensure that you add the code_analysis_read scope to your Datadog application key. For more information, see API and Application Keys.

Make sure to replace dd_site with the Datadog site you are using.

Inputs

You can set the following parameters.

Name	Description	Required	Default
`dd_api_key`	Your Datadog API key. This key is created by your Datadog organization and should be stored as a secret.	Yes
`dd_app_key`	Your Datadog application key. This key is created by your Datadog organization and should be stored as a secret.	Yes
`dd_site`	The Datadog site to send information to.	No	`datadoghq.com`
`cpu_count`	Set the number of CPUs used to by the analyzer.	No	`2`
`enable_performance_statistics`	Get the execution time statistics for analyzed files.	No	`false`
`debug`	Lets the analyzer print additional logs useful for debugging. To enable, set to `yes`.	No	`no`
`architecture`	The CPU architecture to use for the analyzer. Supported values are `x86_64` and `aarch64`.	No	`x86_64`