Static Analysis and GitHub Actions

문서 > 코드 분석 > 정적 분석 > Static Analysis and GitHub Actions

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Overview

Run a Datadog Static Analysis job in your GitHub Action workflows. This action wraps the Datadog Static Analyzer, invokes it against your codebase, and uploads the results to Datadog.

Workflow

Create a file in .github/workflows to run a Datadog Static Analysis job.

The following is a sample workflow file.

on: [push]

jobs:
  check-quality:
    runs-on: ubuntu-latest
    name: Datadog Static Analyzer
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Check code meets quality standards
        id: datadog-static-analysis
        uses: DataDog/datadog-static-analyzer-github-action@v1
        with:
          dd_app_key: ${{ secrets.DD_APP_KEY }}
          dd_api_key: ${{ secrets.DD_API_KEY }}
          dd_site: "datadoghq.com"
          cpu_count: 2
          enable_performance_statistics: false

You must set your Datadog API and application keys as secrets in your GitHub repository whether at the organization or repository level. Ensure that you add the code_analysis_read scope to your Datadog application key. For more information, see API and Application Keys.

Make sure to replace dd_site with the Datadog site you are using3.

Inputs

You can set the following parameters for Static Analysis.

Name	Description	Required	Default
`dd_api_key`	Your Datadog API key. This key is created by your Datadog organization and should be stored as a secret.	Yes
`dd_app_key`	Your Datadog application key. This key is created by your Datadog organization and should be stored as a secret.	Yes
`dd_site`	The Datadog site to send information to.	No	`datadoghq.com`
`cpu_count`	Set the number of CPUs used to by the analyzer.	No	`2`
`enable_performance_statistics`	Get the execution time statistics for analyzed files.	No	`false`
`debug`	Lets the analyzer print additional logs useful for debugging. To enable, set to `yes`.	No	`no`
`subdirectory`	A subdirectory pattern or glob (or space-delimited subdirectory patterns) that the analysis should be limited to. For example: “src” or “src packages”.	`false`
`architecture`	The CPU architecture to use for the analyzer. Supported values are `x86_64` and `aarch64`.	No	`x86_64`
`diff_aware`	Enable diff-aware scanning mode.	No	`true`
`secrets_enabled`	Enable secrets detection (in private beta)	No	`false`

Notes

Diff-aware scanning only scans the files modified by a commit when analyzing feature branches. Diff-aware is enabled by default. To disable diff-aware scanning, set the GitHub action diff_aware parameter to false.
Secrets scanning is in private beta. To enable secrets scanning, please contact your Datadog customer success manager.

Customizing rules

By default, Datadog Static Analyzer detects the languages of your codebase and uses the default rulesets to analyze your codebase.

To specify and customize the rulesets, add a static-analysis.datadog.yml file to your repository’s root directory to define which rulesets to use.

rulesets:
  - <ruleset-name>
  - <ruleset-name>

Refer to the Datadog documentation for a complete list of rulesets.

Example for Python

Here is an example for Python-based repositories:

rulesets:
  - python-code-style
  - python-best-practices
  - python-inclusive

Other useful GitHub Actions

Datadog Software Composition Analysis (SCA) also offers the ability to scan your dependencies and detect vulnerabilities and licenses. You can use this product with the datadog-sca-github-action.