datadog-static-analyzer is the static analyzer engine for Datadog static analysis.

First, make sure you follow the documentation and create a static-analysis.datadog.yml file at the root of your project with the rulesets you want to use.

Example of YAML file

rulesets:
  - python-code-style
  - python-best-practices
  - python-inclusive
ignore-paths:
  - tests

You can use it in your CI/CD pipeline using our integration:

• GitHub Action
• CircleCI ORB

If you use it in your own CI/CD pipeline, you can integrate the tool directly: see the Datadog documentation for more information.

The Datadog IntelliJ extension allows you to use the static analyzer directly from all JetBrains products. Create a static-analysis.datadog.yml file, download the extension and you can start using it. You can see below an example of a suggestion to add a timeout when fetching data with Python with the requests module.

The Datadog VS Code extension allows you to use the static analyzer directly from VS Code. Create a static-analysis.datadog.yml file, download the extension and you can start using it.

When you onboard on the Datadog product, you can select the ruleset you want/need. If you are not using Datadog directly, there is the list of common used rulesets available in the Datadog static analysis product per language.

The complete list is available in our documentation.

The list of rulesets is available in RULESETS.md.

Download the latest release for your system and architecture from the release page.

To get the static analyzer via shell:

curl -L -O http://www.github.com/DataDog/datadog-static-analyzer/releases/latest/download/datadog-static-analyzer-<target>.zip

Example to get the x86_64 binary for Linux:

curl -L -O http://www.github.com/DataDog/datadog-static-analyzer/releases/latest/download/datadog-static-analyzer-x86_64-unknown-linux-gnu.zip

datadog-static-analyzer -i <directory> -o <output-file>

For the tool to work, you must have a <directory>/static-analysis.datadog.yml file that defines the configuration of the analyzer. This file will indicate the rules you will use for your project.

You can get more information about the configuration on Datadog documentation.

The binary cannot be executed as is. You need to flag the binary as safe to execute using the following command.

xattr -dr com.apple.quarantine datadog-static-analyzer

• -f or --format: format of the output file. -f sarif produces a SARIF-compliant file
• -r or --rules: provides a file that contains all rules (rules can be put in a file using datadog-export-rulesets)
• -c or --cpus: number of cores used to analyze (count about 1GB of RAM usage per core)
• -o or --output: output file
• -p or --ignore-path: path (pattern/glob) to ignore; accepts multiple
• -x or --performance-statistics: show performance statistics for the analyzer
• -g or --add-git-info: add Git-related information (sha, etc) into the SARIF report when using -f sarif

Set the following variables to configure an analysis:

• DD_SITE: the Datadog site parameter used to fetch rules (view list) (default: datadoghq.com)

The static analyzer can be configured using a static-analysis.datadog.yml file at the root directory of the repository. This is a YAML file with the following entries:

• rulesets: the rulesets to use (see Datadog Documentation for a full list)
• ignore-paths: list of paths (glob) to ignore
• ignore-gitignore: a boolean to indicate if files in .gitignore should be ignored (default: false)
• max-file-size-kb: all files above this size are ignored (default: 200KB)

Example of configuration:

rulesets:
  - python-code-style
  - python-best-practices
  - python-inclusive
ignore-paths:
  - tests
ignore-gitignore: false
max-file-size-kb: 100

Export rulesets from the API into a file

cargo run --bin datadog-export-rulesets -- -r <ruleset> -o <file-to-export>

See file CONTRIBUTING.md for more information as well as DEVELOPMENT.md for all details about testing and coding guidelines.

• Datadog Static Analysis