Tip: Datadog supports open source projects. Learn more on Datadog for Open Source Projects.
datadog-static-analyzer is the static analyzer engine for Datadog static analysis.
First, make sure you follow the documentation and create a static-analysis.datadog.yml file at the root of your project with the rulesets you want to use.
Example of YAML file:
```yaml
rulesets:
  - python-code-style
  - python-best-practices
  - python-inclusive
ignore-paths:
  - tests
```
You can use it in your CI/CD pipeline using our integration:
If you use it in your own CI/CD pipeline, you can integrate the tool directly: see the Datadog documentation for more information.
The Datadog IntelliJ extension allows you to use the static analyzer directly from all JetBrains products.
Create a static-analysis.datadog.yml file, download the extension and you can start using it. You can see below an example of a suggestion to add a timeout when fetching data with Python with the requests module.
The Datadog VS Code extension allows you to use the static analyzer directly from VS Code.
Create a static-analysis.datadog.yml file, download the extension and you can start using it.
When you onboard on the Datadog product, you can select the rulesets you want or need. If you are not using Datadog directly, the list of commonly used rulesets available in the Datadog static analysis product, per language, is given below.
The complete list is available in our documentation.
The list of rulesets is available in RULESETS.md.
Download the latest release for your system and architecture from the release page.
To get the static analyzer via shell:
```shell
curl -L -O http://www.github.com/DataDog/datadog-static-analyzer/releases/latest/download/datadog-static-analyzer-<target>.zip
```
Example to get the x86_64 binary for Linux:
```shell
curl -L -O http://www.github.com/DataDog/datadog-static-analyzer/releases/latest/download/datadog-static-analyzer-x86_64-unknown-linux-gnu.zip
```
Run the analyzer on a directory:
```shell
datadog-static-analyzer -i <directory> -o <output-file>
```
For the tool to work, you must have a <directory>/static-analysis.datadog.yml file that defines the configuration of the analyzer. This file indicates the rules you will use for your project.
You can get more information about the configuration on Datadog documentation.
On macOS, the downloaded binary cannot be executed as is because of the quarantine attribute. You need to flag the binary as safe to execute using the following command:
```shell
xattr -dr com.apple.quarantine datadog-static-analyzer
```
- -f or --format: format of the output file. -f sarif produces a SARIF-compliant file
- -r or --rules: provides a file that contains all rules (rules can be put in a file using datadog-export-rulesets)
- -c or --cpus: number of cores used to analyze (count about 1GB of RAM usage per core)
- -o or --output: output file
- -p or --ignore-path: path (pattern/glob) to ignore; accepts multiple
- -x or --performance-statistics: show performance statistics for the analyzer
- -g or --add-git-info: add Git-related information (sha, etc.) into the SARIF report when using -f sarif
Set the following variables to configure an analysis:
- DD_SITE: the Datadog site parameter used to fetch rules (view list) (default: datadoghq.com)
The static analyzer can be configured using a static-analysis.datadog.yml file at the root directory of the repository. This is a YAML file with the following entries:
- rulesets: the rulesets to use (see Datadog Documentation for a full list)
- ignore-paths: list of paths (glob) to ignore
- ignore-gitignore: a boolean to indicate if files in .gitignore should be ignored (default: false)
- max-file-size-kb: all files above this size are ignored (default: 200KB)
Example of configuration:
```yaml
rulesets:
  - python-code-style
  - python-best-practices
  - python-inclusive
ignore-paths:
  - tests
ignore-gitignore: false
max-file-size-kb: 100
```
Export rulesets from the API into a file:
```shell
cargo run --bin datadog-export-rulesets -- -r <ruleset> -o <file-to-export>
```
See file CONTRIBUTING.md for more information as well as DEVELOPMENT.md for all details about testing and coding guidelines.